Asset visibility in OT, ICS environments proves challenging as digital transformation reigns
Large industrial and manufacturing organizations are increasingly having to focus on establishing asset visibility across both their business (IT) systems and their OT systems. The heightened threat and risk level has also pushed organizations to pursue greater asset visibility in order to protect their ICS and OT environments from cyberattacks, including ransomware.
Asset visibility gives industrial and manufacturing organizations streamlined insight into routine ICS and OT operations, so that appropriate decisions can be made and necessary measures carried out. The data provide insight into how the organization operates, along with a detailed inventory of assets, including their configuration status and current version, and a map of the connections between assets. Such details let organizations validate the lifecycle of retired and decommissioned assets, and identify hidden rogue assets that never appeared on the purchased-asset spreadsheet.
However, industrial and manufacturing organizations face several challenges when working to establish asset visibility within their OT and ICS environments, which are their ‘crown jewels.’
Industrial and manufacturing facilities depend on strong physical security to maintain control over information that can be used to manipulate the contained processes, Keith Guidry, CTO at Sawblade Ventures, told Industrial Cyber. “This kind of control is difficult to maintain unless the facility is built to maintain process secrecy and integrity. That is a human problem. All security is a human problem. The tools only work in the hands of people who know how and where and why to use them,” he added.
Not knowing why an asset may be useful for a hack is the primary danger in a transparent presentation of assets, according to Guidry. “Asset visibility is a balancing act between operating convenience and system integrity. Human motivations will always drive toward greater flexibility and convenient use of assets. A paranoid security team will always push for greater control. Trust the security team first,” he added.
Many organizations struggle initially with developing an accurate asset inventory of the devices and equipment in their organization, Chris Grove, chief security strategist at Nozomi Networks, told Industrial Cyber. “This is primarily due to the lack of industrial control systems tools that can interpret the network traffic to parse the proprietary industrial protocols, or the tools are unable to communicate with the devices to query configuration-oriented information. Tools developed for IT systems can be woefully inadequate, and sometimes even unsafe to the operational technology used in ICS systems,” he added.
After the inventory challenge is solved, identifying strategic monitoring points on the network that can provide the necessary visibility is the next step, Grove highlighted. “Some of the challenges organizations face when starting to monitor ICS networks include understanding who does what when an incident is raised, as well as maintaining the necessary in-house knowledge required to identify a safe course of action in the midst of an incident,” Grove said.
Don Ward, senior vice president for global services at Mission Secure, told Industrial Cyber that operational technology networks are designed for up-time (resilience) and safety, so implementing the technology necessary to monitor packet flows and/or actively poll/interrogate OT/ICS systems to build accurate asset inventories and network mappings is not something readily accepted by the operational teams that run these environments.
“And even when approved, there are challenges gaining complete network depth visibility due to other technical constraints – such as encrypted and segmented network enclaves and/or host-based EDR agents blocking or masking probing access to system information,” Ward said.
In addition, active probing techniques can and do bring down OT/ICS systems and this creates even more pushback from clients, according to Ward. “Quite often there are challenges to placing collection devices in the network due to lack of port access or managed switch port mirroring capabilities/resource constraints. This does not totally prevent building out accurate asset visibility maps but can require more hands-on and evergreen/continuous lifecycle services offering with both people and technology,” he added.
From Mission Secure’s standpoint, there is no ‘set it and forget it’ OT/ICS visibility solution in the market today per se, inclusive of anomaly detection and protection, Ward said.
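The passive approach Grove and Ward describe, a sensor on a mirror port parsing industrial protocol traffic instead of querying devices, can be shown concretely. The following is an added example, not code from Nozomi Networks, Mission Secure or Sawblade Ventures. It assumes a capture already decoded into (src_ip, src_port, dst_ip, dst_port, payload) tuples, which is what a SPAN port plus a packet decoder would hand a sensor, and it builds a Modbus/TCP asset inventory from those frames alone: which hosts act as clients or servers, which unit IDs and function codes each server is addressed with, which clients issue write functions, and how many exception responses and malformed frames each server produced. The sample frames and addresses are constructed for illustration.

```python
"""Passive Modbus/TCP asset inventory built from mirrored traffic.

Added example, not code from Nozomi Networks, Mission Secure or Sawblade
Ventures. It assumes a capture already decoded into
(src_ip, src_port, dst_ip, dst_port, modbus_payload) tuples, which is what a
SPAN/mirror port plus a packet decoder would hand a passive sensor. The frames
below are constructed for illustration. Nothing is ever sent to a device.
"""
import struct
from collections import defaultdict

MODBUS_PORT = 502
# Function codes that change process state; a client issuing them deserves scrutiny.
WRITE_FUNCS = {5, 6, 15, 16, 22, 23}


def parse_mbap(payload):
    """Parse the 7-byte MBAP header and the PDU function code.

    Returns None for anything that is not a well-formed Modbus/TCP frame
    (wrong protocol id, inconsistent length field, truncated header).
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # length counts the unit id plus the PDU, i.e. everything after byte 6
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "func": payload[7], "data": payload[8:]}


def build_inventory(frames):
    """Fold captured frames into a per-IP record.

    Requests (dst port 502) reveal clients, servers, unit ids, function codes
    and which clients write. Responses (src port 502) confirm live servers and
    count exception responses, which often betray a client probing registers
    the device does not expose.
    """
    inv = defaultdict(lambda: {"role": set(), "units": set(), "funcs": set(),
                               "writers": set(), "exceptions": 0, "malformed": 0})
    for src, sport, dst, dport, payload in frames:
        pdu = parse_mbap(payload)
        if dport == MODBUS_PORT:
            if pdu is None:
                inv[dst]["malformed"] += 1
                continue
            inv[src]["role"].add("client")
            inv[dst]["role"].add("server")
            inv[dst]["units"].add(pdu["unit"])
            inv[dst]["funcs"].add(pdu["func"])
            if pdu["func"] in WRITE_FUNCS:
                inv[dst]["writers"].add(src)
        elif sport == MODBUS_PORT:
            if pdu is None:
                inv[src]["malformed"] += 1
                continue
            inv[src]["role"].add("server")
            if pdu["func"] & 0x80:  # exception response: original func | 0x80
                inv[src]["exceptions"] += 1
    # freeze sets into sorted lists so the result is deterministic and printable
    return {ip: {k: (sorted(v) if isinstance(v, set) else v) for k, v in rec.items()}
            for ip, rec in inv.items()}


def modbus_frame(tid, unit, func, data=b""):
    """Build a Modbus/TCP frame (used here only to construct sample traffic)."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample capture: an HMI polling a PLC, an engineering workstation
# writing a register and getting an exception back, an unknown host reading
# coils on a second PLC, and one truncated frame. Addresses are hypothetical.
SAMPLE_FRAMES = [
    ("10.0.1.10", 40001, "10.0.1.20", 502, modbus_frame(1, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.0.1.20", 502, "10.0.1.10", 40001, modbus_frame(1, 1, 3, bytes([20]) + b"\x00" * 20)),
    ("10.0.1.50", 40002, "10.0.1.20", 502, modbus_frame(2, 1, 6, struct.pack(">HH", 5, 0x1234))),
    ("10.0.1.20", 502, "10.0.1.50", 40002, modbus_frame(2, 1, 0x86, b"\x02")),
    ("10.0.1.99", 40003, "10.0.1.21", 502, modbus_frame(3, 2, 1, struct.pack(">HH", 0, 8))),
    ("10.0.1.99", 40004, "10.0.1.21", 502, b"\x00\x04\x00\x00"),
]


if __name__ == "__main__":
    for ip, rec in sorted(build_inventory(SAMPLE_FRAMES).items()):
        print(ip, rec)
```

Two things the output makes visible that the paragraphs above only describe: the inventory is built without a single packet being sent to a controller, which is why operations teams tolerate it, and it is correspondingly shallow. A passive sensor will never learn a device's vendor, model or firmware unless some existing client happens to ask for it; obtaining that directly (for example with Modbus function 43, Read Device Identification) means putting packets on the wire, which is exactly the active probing Ward says can bring OT systems down.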
Nozomi’s Grove said that OT/ICS network visibility and monitoring tools are now available from several vendors to help with this problem. He was responding to a question on how industrial and manufacturing organizations can ensure effective asset visibility, with the best possible asset inventory along with the ability to identify subtle behavioral anomalies in real time.
Guidry, however, does “not believe there are effective ways for organizations to provide best asset inventory along with behavior assessment.” If such technological methods are available, they will be expensive one-off adaptations and integrations available only to the largest corporations. “The easiest way to determine what assets should and should not be visible is to create a synthetic twin of your operations for study and destructive testing,” he added.
A digital twin of a process is the best way “to make sure your asset awareness covers the critical properties.” Greater detail will reveal places where a seemingly benign piece of knowledge in the hands of a malicious engineer can have significant damage to a process, according to Guidry. A twin need not be a functional model to be valuable. Just quantifying the process scale and interactions – especially with feedstock and external services – beyond the integrated facility is a way to see unseen external threats, he said.
“Gaps between process steps and information transformations are where an attack may insert or exfiltrate data into the process. The subject of digital twins is vast and valuable. It’s such an overlooked capability because its original embodiments were in hazardous industries and thus expensive replicas of dangerous running processes,” Guidry added.
“‘Asset awareness’ is what every serious corporation should do with its operations. Treat operations as though the business was locked in an irradiated room with nothing but the twinned process running in your instrument shop,” Guidry said. “The opposite of penetration testing is leakage testing. Path testing. Treating the business elements as though they are tools, machines, documents, trashcans used in a plutonium machine shop. That you cannot touch. But you must know intimately,” he added.
A key consideration as cyber and ransomware attacks increase is who owns the risk that arises from a lack of asset visibility within OT and ICS environments.
This depends on the event itself, the organization, and the capabilities they possess, Grove said. “Some organizations have integrated IT/OT cybersecurity teams that handle incidents. Other organizations run their cybersecurity incident management from a Security Operations Center (SOC). If the entity has a public safety implication, the risk may be managed by the Safety Team, or a Risk Manager who is cognizant of the ramification of the risk, as well as any potential regulatory reporting requirements that may arise from the incident,” he added.
Ward said it really depends on the organization and on how well defined and mature its processes and response protocols are, and how thoroughly they have been instantiated, documented, and tested.
“It also has to do with GRC role mappings within organizations as it might be the Plant Manager/VP –or– with the IT-side CIO/CFO/CISO –or—a combination of multiple teams’ shared responsibility,” according to Ward. “Ultimately, we have found it to be shared internally as well as with their trusted OT/ICS security partners to be most effective. Security, whether in IT, OT, or at the intersections – is a lifecycle process with many interdependencies,” he added.
Risk to the general good created by poor asset visibility in a critical infrastructure or manufacturing facility belongs to the owner of the process, Guidry said. Every manufacturer must know the art and science required to operate properly or their product/process should be prevented from operating by oversight regulations. There is no excuse for not knowing an operating facility down to every nut and bolt along with a knowledge of how those nuts and bolts are applied and why allowing uncontrolled access to that particular nut and bolt is a risk – or not, he concluded.