A discussion about which NIST CSF function an industrial organization should start with for efficient risk reduction was recently published on LinkedIn by industrial control systems (ICS) security guru Dale Peterson. This is a great philosophical debate for organizations either starting their ICS cyber security program or deciding where to double down on their current efforts.
The five functions of the NIST Cybersecurity Framework are Identify, Protect, Detect, Respond, and Recover. Dale Peterson’s article proposed Protect as the first place to start for effective risk reduction. His argument was that if you can grab the low hanging fruit by deploying fundamental and required security controls like network segmentation and/or protection methods like AV or patching, you are instantly going to start to reduce risk. He states Recovery is the second most important task because you need a configuration baseline to work from, and Identify is his third priority.
Start with Inventory for efficient risk reduction
Garnering a number of responses, perspectives varied from factual and practical applications of security principles to the conformed market sentiment. While different perspective and opinions are appreciated for healthy debate and education, I’m challenging the status quo.
Let’s say you buy a new house. If you follow Dale’s opinion, you would turn around and buy a security system because you know you’ll want to protect your house. But what if the security system you purchased protects two doors and six windows, and you later realize there is a third door to enter the house, twice as many windows, and you didn’t think to consider motion detectors to protect the property’s peripheral?
What if you keep your highest-value assets and prized possessions in the attic? Would you consider adding extra security to access the attic or would you guard it the same way as your garage? Now you’re stuck with a security system that was preemptively purchased and does not meet your unique needs. The single most important function an organization should prioritize is Identify and here’s why:
Asset inventory powers every cyber security decision
Leading with network segmentation and protection is careless without first understanding your asset inventory. When network architects set out to design and execute any variation of an ICS security segmented network, they first determine which assets are communicating with each other, who needs access to each systems and data, and where should each asset logically reside. In order to segment networks effectively, asset inventory is required.
If you don’t know what you have and how it communicates, you will break the process. Verve has performed many projects where we needed to re-engineer historical tag store and forward to accommodate net new network architectures, data diodes and corporate initiatives to centralize data. This same need for context also enables (or hinders if not present) all other design and execution decisions. Which leads to my next point.
Asset inventory is not IP/MAC address and vendor
Asset inventory is a key contributor to all subsequent security practices in any successful industrial cyber security program. This is why Inventory is listed first in NIST CSF, why it is section numbers 1 and 2 in CSC20, and why NERC CIP lists it as the primary function for defining all other scope in the following sections.
Data and context of your inventory is required to make the ensuring decisions. You’ll need context far beyond a cursory view of simple IP and Mac address, vendor and some cursory information about OS or open ports/services. Again, it’s not enough to know you have jewelry in the house if you don’t know what kind of jewelry you have, what it’s worth, where it’s stored, and who has access. You wouldn’t protect cubic zirconia the same way you would protect a ruby.
Let’s discuss the concept of risk management in industrial control systems. Risk management is a broader view than vulnerability management, which focuses on patch management. While there are significant challenges with software patching in ICS, you must apply as many compensating controls as possible when patching is impractical. A compensating control could be disabling a guest account from remote desktop privileges. You must also reduce your risk footprint by removing unwanted, unnecessary, or risky software from the desktop. Why download the full Office suite when only Excel is required?
Second, when you articulate your risk via vulnerability mapping from threats to how your devices are configured (or just list outstanding patches), the raw number of risks is often overwhelming. Considering qualitative asset characteristics such as operational criticality, system location, redundancy, etc. significantly helps deduce true risk and influences resources (i.e., people, cash, tools, procedures), allocation and priorities.
The contextual indicators also help you strategize traditional tool deployments for protection from network architecture to how many and what kind of back up solution(s), anti-virus vs whitelisting or both, etc. Making protection decisions without proper context is like flying blind.
Asset inventory is not hard, slow or difficult
Another observation from the discussion is there is a lot of reluctance to dig into a detailed asset inventory because many think it is a daunting task. Indeed, we have consistently seen organizations of all sizes struggle to create and maintain a robust asset inventory of even the cursory data like IP addresses and model. But the reality is that there are more and more inventory tools available on the market today that make this misconception an opinion of the past.
Verve helped a customer monitor a fleet of coal-fired generation stations from a central support location in a single pane of glass. Their data from the most remotely protected relay to the data center located historians is never more than 15 minutes old. It takes initial planning, but once established, this insight powers upfront planning and roadmap development, as well as day-to-day maintenance and monitoring. It is truly an investment that provides returns for years to come.
Assumptions make an….
My final proof point for why asset inventory is the most important function of the NIST CSF to start with on your cyber security journey is due to recent market activity and observation. Many of us are vocal in our beliefs of where passive anomaly detection tools should be used in an ICS cyber security program, frustrated OT security types (or IT types trying to help) looked at the fragile nature of ICS, its complexity of topology, asset vintage and the sheer volume of assets in scope, and truly believe that asset inventory is too difficult.
As a result, a solution that promises inventory without manual collection or scan-based polling and is automated or real-time seems very compelling, which is why many have chosen to deploy passive anomaly detection tools. The challenge is that these tools were built for monitoring and detection, and the inventory is simply a happy by-product of their engineered intent.
A comprehensive, OT-context type of asset inventory is the most important starting point for any robust industrial cyber security program. Insight that enables intelligent, evidence-based decisions on everything from network segmentation to the selection and deployment of third-party security tools relies on solid inventory. Taking inventory of your assets allows you to protect them appropriately.
To hear more about the power and value of a robust, contextual inventory, check out our on-demand webinar that covers how to build an effective industrial cyber security roadmap.