When You Inherit OT Asset Management and No One Has Accurate Records

By Walt Boyes 

Your boss just called you into the office and told you that because of staff cutbacks you are now responsible for asset management in the plant. What do you do next? 

The plant is 50 years old and has had several upgrades. Each upgrade was done with different engineering staff, whether the asset owner's own engineers or consulting engineers. Sometimes the consulting engineers acted as project managers. Sometimes the contractor was the project manager. Several different contractors have worked on the plant in the past 50 years. As you look over the documentation for the plant, the so-called “as-builts,” you start to get that feeling in the pit of your stomach that you’ve associated all your working life with, “I’m screwed, aren’t I?” Effectively, there are no as-builts anymore. 

So then you call a meeting of all the supervisors. About half show up. You explain that you need to do an inventory of all the OT assets on the plant site, installed or in stores. You ask them to please have their inventory lists back within 30 days. You send out a memo to all the supervisors, especially the ones that didn’t bother to show up to your meeting. As the 30-day mark gets closer and only a couple of supervisors have turned anything in, you start calling around to see if you can improve the return rate. Mostly, they all say they are too busy, and they don’t get paid for that. You try to put this data into a spreadsheet, but there are too many missing fields. And spreadsheets are manual applications—somebody, and probably a team of somebodies, would need to update it on a daily or weekly basis just to keep up. 

Now you have a shiny flat spot in the middle of your forehead from beating your head on the desk. 

You call the vendors and ask them for their records. Now you are getting somewhere. But they only have limited data on devices, and only on the ones they made. And unless the vendor has a service contract, they can’t give you any metadata like calibration, range, or other information like firmware. One of the vendors tries to sell you their canned asset management software. But it is proprietary and only works on some assets. It doesn’t include PCs or switches or other networked devices. 

You don’t even have an accurate list of what OT (Operations Technology) assets you should have or should be looking for. 

You go talk to the head of IT, and you tell him that you can’t put a canonical list of assets together. He says to try an ICS detection product; they are designed to identify assets. 

So you try one that is supposed to be the best. It does a great job on active discovery of the networks and network devices on the plant. Even the OT networks. But it is not so good with Level 0 devices or PLCs or controllers, which of course you have a lot of. You still haven’t got a decent asset inventory. 

Your boss is beginning to run out of patience, and he lets you know that, fingers drumming on his desk. 

The Industrial Control System detection product is intended to focus on cyber threats; it is used to monitor and control safety-critical systems much like an intrusion detection system. Aside from the ambiguity of the data, you find that all your Fieldbus, HART, ControlNet, DeviceNet, SERCOS, Profibus, DH+ and other field-level networks are not discoverable by the ICS detection system. You have a lot of those devices. 

Here’s the thing. None of these approaches does anything about adding metadata—or context—to the asset or device. Without that context, your inventory is practically useless.  

You see, the technical data for your assets actually comes in two types: device data and network data. Each of the existing asset or ICS detection tools handles one but not the other. 

Let’s start with device data, or identity. You need the hardware make and model, serial number, installed operating system or firmware version, and all security patches that have been installed. In the case of control system racks, you need to have the same information on all I/O modules, AND the network address and MAC addresses. Now you have context. 

But that’s not all of it. You also need to establish network identity. You need to be able to associate a location tag with a specific logical network, and any other metadata that will be useful in identifying the device, such as “this is the safety instrumented system network,” or “this is a local Fieldbus device and network.” 
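To make the two halves of the picture concrete, here is a small added example (not code from the post, from Langner, or from OTBase) that merges the partial records each source can actually supply into one asset record carrying both device identity and network identity, logs where sources disagree instead of silently overwriting, and reports which fields are still unknown per asset. It assumes the plant location tag is the join key and that the ICS detection export has already been mapped to those tags; every tag, vendor name, address and version below is constructed for illustration.

```python
"""Added example: merge partial OT asset records from several sources into one
inventory with device identity and network identity, then report the gaps.
Tags, sources and values are constructed; this is not Langner/OTBase code."""
from dataclasses import dataclass, field
from typing import Optional

# Device identity ("device data") fields named in the text.
DEVICE_FIELDS = ("make", "model", "serial", "firmware", "patches")
# Network identity ("network data") fields named in the text.
NETWORK_FIELDS = ("ip", "mac", "logical_network", "network_role")
# An I/O module in a rack needs the same device data as the rack itself.
MODULE_FIELDS = ("model", "serial", "firmware")


@dataclass
class Asset:
    tag: str                                    # plant location tag, the join key (assumption)
    make: Optional[str] = None
    model: Optional[str] = None
    serial: Optional[str] = None
    firmware: Optional[str] = None
    patches: Optional[list] = None              # [] means "known: none installed"
    modules: Optional[list] = None              # one dict per rack slot
    ip: Optional[str] = None
    mac: Optional[str] = None
    logical_network: Optional[str] = None       # e.g. a VLAN or segment name
    network_role: Optional[str] = None          # e.g. "safety instrumented system network"
    sources: set = field(default_factory=set)   # which exports contributed
    conflicts: list = field(default_factory=list)  # (field, source, differing value)

    def missing(self) -> dict:
        """Return the device, network and per-module fields still unknown."""
        dev = [f for f in DEVICE_FIELDS if getattr(self, f) is None]
        net = [f for f in NETWORK_FIELDS if getattr(self, f) is None]
        mods = []
        for m in self.modules or []:
            gaps = [f for f in MODULE_FIELDS if m.get(f) is None]
            if gaps:
                mods.append((m.get("slot"), gaps))
        return {"device": dev, "network": net, "modules": mods}


def merge(records) -> dict:
    """records: iterable of (source_name, record_dict). The first value seen
    for a field wins; a later source that disagrees is logged as a conflict
    rather than overwriting, so the disagreement can be chased down."""
    inventory = {}
    for source, rec in records:
        asset = inventory.setdefault(rec["tag"], Asset(tag=rec["tag"]))
        for key, value in rec.items():
            if key == "tag" or value is None:
                continue
            current = getattr(asset, key)
            if current is None:
                setattr(asset, key, value)
            elif current != value:
                asset.conflicts.append((key, source, value))
        asset.sources.add(source)
    return inventory


# Constructed sample exports. The vendor knows make/model/serial (and firmware
# only where a service contract exists); the ICS detection tool knows addresses
# and segments but cannot see the HART transmitter; a supervisor's sheet adds
# the context fields nobody else has.
VENDOR_EXPORT = [
    {"tag": "PLC-201", "make": "AcmePLC", "model": "CX-500", "serial": "SN-0001",
     "firmware": "3.0", "modules": [
         {"slot": 1, "model": "DI-16", "serial": "SN-0001-1", "firmware": "1.2"},
         {"slot": 2, "model": "AO-8", "serial": "SN-0001-2", "firmware": None}]},
    {"tag": "FT-101", "make": "AcmeFlow", "model": "MagFlow 3", "serial": "SN-0777"},
]
ICS_DISCOVERY_EXPORT = [
    {"tag": "PLC-201", "ip": "10.1.20.11", "mac": "00:11:22:33:44:55",
     "logical_network": "control-vlan-20", "firmware": "3.1"},
    {"tag": "SW-01", "make": "NetCo", "ip": "10.1.20.2", "mac": "00:aa:bb:cc:dd:ee",
     "logical_network": "control-vlan-20"},
]
SUPERVISOR_SHEET = [
    {"tag": "PLC-201", "network_role": "safety instrumented system network", "patches": []},
    {"tag": "FT-101", "network_role": "local HART loop"},
]


def build_inventory() -> dict:
    records = [("vendor_export", r) for r in VENDOR_EXPORT]
    records += [("ics_discovery", r) for r in ICS_DISCOVERY_EXPORT]
    records += [("supervisor_sheet", r) for r in SUPERVISOR_SHEET]
    return merge(records)


def gap_report(inventory: dict) -> dict:
    """Map tag -> missing fields, only for assets that still have gaps."""
    report = {}
    for tag, asset in sorted(inventory.items()):
        gaps = asset.missing()
        if any(gaps.values()):
            report[tag] = gaps
    return report


if __name__ == "__main__":
    inv = build_inventory()
    for tag, gaps in gap_report(inv).items():
        print(tag, "missing:", gaps, "sources:", sorted(inv[tag].sources))
    for tag, asset in inv.items():
        for fld, src, val in asset.conflicts:
            print(tag, "conflict on", fld, "from", src, "=", val)
```

Run as-is, the report shows what the post describes: the PLC rack is complete except for one module's firmware, and its two firmware versions are flagged as a conflict to resolve rather than merged; the HART transmitter has vendor identity but no network identity because the detection tool never saw it; the switch has network identity but almost no device identity because no vendor record covers it. The point of keeping `sources` on each record is that, when the boss asks where a number came from, the answer is on the asset rather than in someone's memory.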

Next time, we’ll continue with how an OT asset management system should be constructed and what features it absolutely must have. 

In the meantime, why don’t you check out OTBase by Langner?
