Complete, Accurate Asset Information Is the Foundation for Secure Industrial Operations

Cybersecurity has never been more important or more challenging for manufacturers and critical infrastructure operators.

Cybersecurity has never been more important or more challenging for manufacturers and critical infrastructure operators.These organizations have become prime targets for ransomware and sophisticated nation-state attacks. Many are facing more stringent security compliance requirements. Most have limited security resources that struggle to maintain defenses and keep up with new risks being created by digital transformation efforts. Industrial companies need to be sure that their industrial control system (ICS) security programs can deal with these challenges. A single cyber incident could jeopardize safety, business continuity, and the organization’s survival. Inadequate attention to compliance requirements can lead to significant financial penalties and the loss of a facility’s license to operate. Complete, accurate asset information is essential for understanding control system cyber risks and the effectiveness of existing security practices. To be effective, asset information must include a complete listing of every system element, including endpoints and network components, as well as detailed information about each device’s hardware, firmware, and software configurations. Development and management of this information is time-consuming and requires a solution that automates data collection, detection of changes, and preparation of information for management and compliance. This paper describes the capabilities that end users should consider in developing an asset information strategy. A review of Industrial Defender’s solution is included to show how one industrial cybersecurity company helps companies meet these requirements.

ARC’s Industrial/OT Cybersecurity Maturity Model provides a useful tool for understanding and managing the status of industrial cybersecurity programs. This model provides a roadmap for implementing the security technologies and human resources needed to support the NIST cybersecurity framework recommendations.The steps in ARC’s model reflect the sequence that companies should follow in security technology investments. This ensures that solid, foundational capabilities are in place to support the requirements of subsequent steps. The colors in the model distinguish passive defensive measures that are needed to protect systems against conventional hackers, from the active defense capabilities needed for more sophisticated attacks. A key benefit of the ARC model is how it highlights the need to maintain alignment of people, processes, and technology capabilities. The effectiveness, or maturity, of a cybersecurity program is determined by the category with the lowest maturity score. ARC’s model also emphasizes the need for investments in asset information and cybersecurity management solutions to ensure that limited security resources can efficiently assess security posture, maintain defenses, manage attacks, and prepare management and compliance reports. Many companies have underestimated the importance of these capabilities and are operating critical facilities that remain at risk of serious cyber incidents.

ARC’s model shows how effective security programs are built through specific, incremental investments in people, process, and technology capabilities to achieve certain security goals. Decisions in each step rely on information collected in the initial Identify stage. This includes the information collected about devices, configurations, vulnerabilities, threats, and compliance requirements. Completeness and accuracy of this asset information has a direct impact on overall program effectiveness. For example, incomplete information limits the ability of detection solutions to provide actionable security alerts. So, defenders waste valuable time getting information that should have been readily available.Cybersecurity maintenance needs information to maintain defenses as new security risks emerge in the environment. Environmental risks are generally monitored through feeds from sources that report common vulnerabilities and exposures (CVEs), patch releases, and threat actor activity. But accurate, detailed asset information is also needed to evaluate relevance and develop appropriate responses. Defenders need accurate, detailed asset information to detect new risks that may emerge within systems through the actions of operators, maintenance personnel, or sophisticated attackers who evade facility defenses. Detecting changes in asset information is the only way of detecting many of these threats. Asset information completeness determines the kinds of threats that are detectable while frequency of data collection will determine how long these threats to facilities exist.Compliance reporting and governance are burdensome security areas that can distract security teams from their primary cybersecurity management responsibilities. Having convenient access to complete, accurate asset information that supports regulatory and governance requirements is essential to avoid degradation of security defenses. Given the critical importance of accurate, complete asset information ARC recommends that every industrial company ensure their asset information strategy supports the following requirements:

1. System Device Information: Complete, detailed information about every device involved in control system operation, including process controllers (PLCs, DCS, IEDs, etc.), user devices (HMIs, workstations, etc.), servers, and all active network devices. This should cover all the information that is relevant to understanding security status, selecting security defenses, and restoring devices in the event of a failure or compromise. This includes device identifiers; hardware, software, and firmware applications, versioning, and configuration settings; patch status; etc.2. System Communications Information: Complete, detailed information about connections and data flows that exist between system devices and external resources. This information should be adequate to enable selection and configuration of network security solutions during security program development, and the detection of unauthorized changes and anomalous communications during the security maintenance phase.3. System Changes and Events Information: Historical records of all changes and notable events that have occurred within the protected system. This includes information captured within system devices (syslogs, netflows, NAC credentials, etc.) as well as alerts generated by system security solutions. It should also include records of all changes detected by the asset information management system itself, like changes in PLC and DCS programs, firewall rules, etc.

1. Information Collection: Information collection should be automated to the maximum extent possible, with methods that allow frequent, non-disruptive detection of system changes. Passive network scanning methods are useful, but they don’t capture all the required information and don’t see isolated devices. Complete, accurate asset information requires a blend of data collection approaches that include intelligent active scanning to capture and monitor device configurations, agents within devices to capture anomalous activities, and bi-directional integration with other systems that can provide relevant asset information. Support for manual data collection is also necessary to collect information not amenable to auto data collection. This includes manual entry screens and ingestion of various kinds of data files (Excel spreadsheets, etc.)2. Information Storage: Asset information is a critical resource and needs to be stored in ways that ensure proper protection yet broad availability to authorized users. Storage strategies should support multiple copies, periodic time-stamped archival, and rapid restoration of systems from trustworthy backup information.3. Information Access: Convenient access to asset information is essential and needs to be supported for a variety of user perspectives and needs. Device lists by type and location are needed to plan patch deployments. But defenders also need rapid access to information through system maps and connectivity diagrams when they are responding to security alerts. 4. Security Management Support: Security management involves a variety of routine maintenance activities like evaluating Common Vulnerabilities and Exposures (CVEs), preparation of periodic compliance and management reports, and managing user privileges. Support for these kinds of activities should be included in the asset information system to minimize the workload of limited OT cybersecurity teams. There is a general shortage of these professionals and reducing time spent on non-critical tasks is key to ensuring that facilities address all the critical issues required to remain secure.

Industrial Defender is generally considered the first company to offer a cybersecurity management solution exclusively focused on industrial OT systems. In business since 2006, the company has developed a strong reputation for cybersecurity management in the power and process industries and has an extensive list of successful installations.

Industrial Defender OT Security Management Platform is purpose-built for industrial control systems and addresses the overlapping requirements of cybersecurity, compliance, and change management. This product provides the data collection and information management support that companies need through all phases of building and maintaining effective OT cybersecurity programs.

Accurate, complete asset data is essential for ensuring that industrial companies can defend systems against today’s challenging threat environment. Quick, convenient access to this information helps plants build and maintain effective cybersecurity programs. Our review of Industrial Defender’s Cybersecurity Management Platform shows that there are companies who can help you establish the asset information capabilities needed for effective OT cybersecurity programs. The biggest risk to your OT security is ignoring the urgency in addressing this critical issue.

Sid Snitkin is vice president, Cybersecurity Services at ARC Advisory Group. Sid's responsibilities include leadership of ARC's Industrial Cybersecurity practice, which develops products and services for protecting industrial facilities. Sid also supports ARC clients in Asset Lifecycle Information Management and the Industrial Internet of Things (IIoT).

Check out our free e-newsletters to read more great articles..