Any ICS security program invariably starts with a discussion about inventory. As in, how many assets do we have, where are they located, what do they ‘look’ like, etc. But what so many people overlook is that, like most things in life, you get out what you put in. Or to state it a different way, if you do a cursory job of collection you will only have a cursory understanding of your assets.
So today I want to talk about the definition of an ‘inventory’. It is a big enough issue that many well-intentioned ICS security practitioners are jumping on the bandwagon of using passive detection tools to ‘at least’ get them some form of inventory. The reasoning is that something is better than nothing (which is where many of those people are starting). Now, using a monitoring tool to help detect new systems or to create the beginning of an inventory is not work or money you will throw away later, so it is of use to a degree. But there are two very real challenges to using passive detection tools for inventory (outside of the basic argument that you need to use the right tool for the job, not buy an expensive monitoring tool for the pleasant side effects it offers). The two challenges are coverage (as in collecting all assets in scope) and level of detail.
If you have been living under a rock then you might not know that passive detection tools require a certain level of infrastructure to be in place for the deployment of the sensors. This can be challenging if you have either a well segmented network (or a piecemeal one) and/or if you have long haul (SCADA) locations that are bandwidth challenged. And since passive tools require assets to communicate through a monitoring point, you need to pay for and deploy sensors on every piece of communications equipment in your network to get to all assets. You also need to consider that serially connected devices (or non-networked segments) will never get into your ‘inventory’. So coverage can be costly and/or not fully comprehensive.
Level of Detail
This is where we define ‘inventory’. Is it enough to have a list of IP addresses and know the basics (i.e., Cisco ASA vs. Dell HMI)? Or do we require a richer set of data that assets simply don’t transmit (again, for passive tools, if the asset does not transmit specific data you won’t ever get that data)? I would suggest that asset details like all installed software and its version, history, etc. would be of value. Missing patches, security risks (compared to the NVD), users, groups, shares, services, ports, etc. are all key components of analyzing an asset and its relative risk to operations. But don’t take my word for it. This morning I saw an article that Kaspersky had released their ‘State of Industrial Cyber Security 2019’ report, and what struck me was this ‘top 5’ list:
Top five non-technical problems observed within the industry:
- Governance of cybersecurity in OT is low
- Staff training and security awareness
- Business continuity plan
- Third party management
- Incident response planning
The most challenging thing about fixing these issues is you need specific asset context to be able to have meaningful discussions about any of these tasks. That is why we allow our clients to add context to an asset record. Is this asset critical to my operations or safety? Is it a legacy device? Who is the owner, where is it located, is it redundant? All of these help to manage realistic discussions about Governance, Business Continuity, IR, and others. Just imagine if you had an agent based solution so that the next time BlueKeep came up you could simply read a report showing the affected assets by type, region, owner, criticality or even OS type (lab or field based, etc.) and properly assess and plan your remediation project.
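To make the three points above concrete (passive coverage gaps, the level of detail an asset record needs, and context fields driving a remediation report), here is an added example in Python. It is not code from the original post or from any product the author describes. The asset records, the passive-sensor observations and the advisory record (affected OS list and the patch identifier `PATCH-ID-PLACEHOLDER`) are constructed assumptions for illustration; only the name BlueKeep comes from the post.

```python
"""Asset inventory with operator context, a passive-coverage check and a
remediation report. Constructed example: every record below is hypothetical."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Asset:
    asset_id: str
    ip: Optional[str]                 # None for serially connected devices
    os: str
    software: dict = field(default_factory=dict)   # name -> version
    patches: set = field(default_factory=set)      # installed patch identifiers
    ports: set = field(default_factory=set)        # listening TCP ports
    # Operator-supplied context: the fields the post argues an inventory needs
    critical: bool = False
    legacy: bool = False
    owner: str = ""
    region: str = ""
    redundant: bool = False
    environment: str = "field"        # "field" or "lab"


# Constructed inventory, as an agent-based collector might report it.
ASSETS = [
    Asset("HMI-01", "10.1.1.10", "Windows 7", {"HMI Runtime": "8.2"}, set(), {3389, 445},
          critical=True, legacy=True, owner="ops-north", region="north"),
    Asset("HMI-02", "10.1.1.11", "Windows 7", {"HMI Runtime": "8.2"},
          {"PATCH-ID-PLACEHOLDER"}, {3389},
          critical=True, owner="ops-north", region="north", redundant=True),
    Asset("ENG-01", "10.2.1.20", "Windows 10", {"Engineering Suite": "4.1"}, set(), {445},
          owner="eng", region="south"),
    Asset("HIST-01", "10.2.1.30", "Windows Server 2008 R2", {"Historian": "5.0"}, set(),
          {3389, 1433}, critical=True, owner="eng", region="south", environment="lab"),
    Asset("RTU-07", None, "Embedded RTOS", {}, set(), set(),
          critical=True, owner="ops-west", region="west"),   # serial link only
]

# Constructed advisory record. The affected-OS list and patch id are assumptions
# chosen for the example, not taken from a vendor bulletin.
BLUEKEEP = {
    "name": "BlueKeep",
    "affected_os": {"Windows 7", "Windows Server 2008 R2", "Windows XP"},
    "fixed_by": "PATCH-ID-PLACEHOLDER",
    "service_port": 3389,
}


def coverage_gap(assets, observed_ips):
    """Assets in scope that a passive sensor deployment never saw.

    observed_ips is the set of addresses the sensors recorded. Serially
    connected devices (ip is None) can never appear, and neither can
    networked devices sitting in a segment without a sensor.
    """
    return sorted(a.asset_id for a in assets if a.ip is None or a.ip not in observed_ips)


def exposed_to(asset, advisory):
    """True when the asset runs an affected OS, lacks the fix and exposes the service."""
    return (asset.os in advisory["affected_os"]
            and advisory["fixed_by"] not in asset.patches
            and advisory["service_port"] in asset.ports)


def remediation_report(assets, advisory):
    """Group exposed assets by the context fields a planning discussion needs."""
    report = {"by_region": defaultdict(list), "by_owner": defaultdict(list),
              "critical": [], "lab": [], "field": []}
    for a in assets:
        if not exposed_to(a, advisory):
            continue
        report["by_region"][a.region].append(a.asset_id)
        report["by_owner"][a.owner].append(a.asset_id)
        if a.critical:
            report["critical"].append(a.asset_id)
        report[a.environment].append(a.asset_id)
    return {k: dict(v) if isinstance(v, defaultdict) else v for k, v in report.items()}


if __name__ == "__main__":
    # Constructed passive observation: only the north segment had a sensor.
    seen = {"10.1.1.10", "10.1.1.11"}
    print("never observed passively:", coverage_gap(ASSETS, seen))
    print("exposed to", BLUEKEEP["name"], remediation_report(ASSETS, BLUEKEEP))
```

Run as written, the coverage check lists the south-segment hosts and the serial RTU as never observed, and the report shows that of the two Windows 7 HMIs only the unpatched one is exposed, which is exactly the distinction an IP-and-vendor list from a passive tool cannot make.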
So if you are an operating company that is looking to get better at security and an inventory is your intended starting point, then that is awesome! That is a valuable and beneficial effort and the best place to start. But if you really want to get out ahead of the game you need to look at what your second, third and fourth steps are. What will this inventory lead to, and am I doing it the right way?