If you ask OT leaders to define asset inventory, they’ll spit out the usual data points such as IP address, which OS the asset is running, and its manufacturer or vintage. Some operators may ask for hardware and/or software version or additional data points, but few list comprehensive details of those OT assets, like ports, services, users, patches, and known vulnerabilities.
Nearly no one will lead with wanting to know about asset criticality to operations, asset ownership, or asset location (facility, unit, floor, room, rack, etc.) because asset inventory is seen as a basic, simple, first step to a larger ICS cyber security program. But in reality, an inventory will be revisited across all stages of your cyber security journey. If you build it correctly, you’ll always have the data you need to support any security initiative.
If you only have access to cursory data, you’ll constantly be re-assessing and gathering additional data to fill the gaps as your tasks and processes mature. So, when looking at your OT cyber security roadmap, do you just want an asset inventory, or do you need fundamental insight into providing better security for your OT environment?
This reminds me of the children’s book “If You Give a Mouse a Cookie.” If you’re not familiar, it is a fanciful tale of a boy and his pet mouse. The boy gives his mouse a cookie, which leads to the mouse wanting a glass of milk. The mouse wants to make sure the milk didn't give him a mustache, so he asks to look in the mirror, which turns into a need for a trim. There is a series of things the mouse wants next until he is reminded again of milk, and then asks for another cookie. A cyber security program is very much like giving a mouse a cookie.
For example, if you start with a basic asset inventory to understand what you have, then your next step is to get vulnerability data about that inventory. That vulnerability information makes you want to patch, which is not always possible in OT environments, so you’ll ask to see a report on compensating controls for those unpatched assets. But those compensating controls are always backstopped by the OT safety net: a full backup or restoration point. Now you realize the asset inventory view needs to include plans for restoration and recovery. And all the while, the world and the cyber risks within it continue to evolve. This means the introduction of new vulnerabilities.
When a new vulnerability is discovered, you turn to asset inventory to determine how many OT assets are in scope for this risk, how many can be safely patched, and how many can be covered by compensating controls. If there are too many non-patchable assets, you’ll soon be asked if upgrading the assets is possible. The answer is yes, but how do you decide which assets to upgrade?
Is an asset upgrade operationally supported (i.e. does the OEM have an upgrade path)? How big of a problem is it if there is no OEM upgrade? While these data points come from asset inventory, understanding how many assets are in scope (or are required) for an upgrade or patch deployment depends on many other contextual data points like system criticality, vintage, risk, etc.
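The questions above can be answered directly from an inventory that carries operational context. The following is an added example, not part of the original article: the field names, the sample assets and the affected-OS list are constructed assumptions, and matching on OS alone stands in for real version and patch-level matching.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    ip: str
    os: str
    criticality: int        # 1 (low) to 5 (critical to operations)
    location: str           # facility/unit/room/rack
    owner: str
    patchable: bool         # can be patched without unacceptable operational risk
    oem_upgrade_path: bool  # OEM supports an upgrade for this asset
    has_backup: bool        # verified backup or restoration point exists

# Constructed sample inventory (hypothetical assets and addresses).
INVENTORY = [
    Asset("HMI-01", "10.10.1.11", "Windows 7", 4, "Plant A/Unit 2/Control room", "Operations", False, True, True),
    Asset("ENG-WS-02", "10.10.1.20", "Windows 7", 2, "Plant A/Unit 2/Eng office", "Engineering", True, True, True),
    Asset("HIST-01", "10.10.2.5", "Windows Server 2008", 3, "Plant A/Server room/Rack 3", "IT/OT", False, False, False),
    Asset("OPC-01", "10.10.2.9", "Windows 7", 5, "Plant B/Unit 1/Rack 1", "Operations", False, False, True),
    Asset("GW-01", "10.10.3.1", "Linux", 5, "Plant B/Unit 1/Rack 2", "Operations", False, True, True),
]

def triage(inventory, affected_os):
    """Split the assets in scope for a new vulnerability into action buckets."""
    def by_criticality(assets):
        return [a.name for a in sorted(assets, key=lambda a: a.criticality, reverse=True)]

    in_scope = [a for a in inventory if a.os in affected_os]
    unpatchable = [a for a in in_scope if not a.patchable]
    return {
        "in_scope": by_criticality(in_scope),
        "patch": by_criticality(a for a in in_scope if a.patchable),
        # Unpatchable assets need compensating controls until upgraded or replaced.
        "compensate": by_criticality(unpatchable),
        "upgrade_candidates": by_criticality(a for a in unpatchable if a.oem_upgrade_path),
        "no_oem_upgrade": by_criticality(a for a in unpatchable if not a.oem_upgrade_path),
        # Compensating controls without a restore point have no safety net.
        "no_safety_net": by_criticality(a for a in unpatchable if not a.has_backup),
    }

if __name__ == "__main__":
    # Hypothetical advisory affecting two operating systems.
    for bucket, names in triage(INVENTORY, {"Windows 7", "Windows Server 2008"}).items():
        print(f"{bucket}: {names}")
```

With only IP address and OS in the inventory, the `in_scope` bucket is the only one that could be filled; every other bucket depends on the contextual fields.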
So, when you begin your search for an asset inventory solution, it’s important to ask yourself whether what you really need is program-level, multi-disciplined, future-proof security data or a list of IP addresses.
Thinking back to the mouse and his cookie, asset inventory is an immensely valuable data source (if developed correctly) that will come full circle in helping you set up the dozens of cyber security best practices, insights, decisions and planning tasks expected of you for a long-term, successful cyber security program.
Choose wisely when considering your asset inventory needs and take the end goal into consideration. Once your boss (the mouse) asks for asset inventory (the cookie), they're going to ask for the next thing. So think about the holistic cyber security program and plan for patching, configuration hardening, compensating controls, etc., because buying a one-off tool may not fit into your comprehensive program later on.
Download the on-demand webinar to develop an effective asset inventory as part of your robust cyber security roadmap.
Our special guest John Cusimano, VP Industrial Cybersecurity of aeSolutions, shared the struggles organizations face with a limited asset view and discussed how powerful the combination of asset inventory with OT context is for your sustainable cyber security program.