More than two thousand years ago, the ancient tactician Sun Tzu famously observed that, “if you know the enemy and know yourself, you need not fear the result of a hundred battles.” While the world looks radically different today, this principle still informs the basis of good cybersecurity: asset awareness. Indeed, securing industrial control systems begins with accurate self-knowledge and self-control. In OT terminology this translates to the twin principles of asset visibility and asset management. While often discussed in tandem, each is distinct and ought to be treated as a discrete stage in securing OT systems.
In general, the goal of asset visibility is to provide actionable information about ICS assets to security operators. The goal of asset management is to use that information to better secure the operational environment. In this sense, management and visibility are two sides of the same coin: you cannot secure what is not visible, and your visibility is only as useful as it is manageable. The purpose of this article is to explain each of these concepts in greater detail and provide perspective on the role, considerations, and importance of each. Recent incidents such as the Colonial Pipeline and JBS Meat Packing attacks stemmed in large part from weaknesses in one or both of these processes. Only by understanding the function and importance of both asset visibility and asset management can we guard against and prevent future security failures.
Asset visibility refers to the processes that map the landscape of digital and physical devices within an organization. In the past, asset visibility frequently relied upon manual processes: visual assessments had to be conducted and recorded by hand. This was only slightly improved by digitizing the records with tools such as Microsoft Excel. Either approach is antiquated by today’s standards and cannot meet the demands of a modern industrial environment; the labor required and the need to update visibility dynamically make manual processes obsolete. Instead, modern asset visibility is usually achieved by automated processes that fall into one of two broad categories: active or passive visibility.
Active visibility is conducted by sending packets using various industrial protocols in order to discover and index network paths and the devices within them. Many OT systems, however, run on proprietary protocols that create obstacles for automating these methods. As a result, active visibility solutions must be able to interact robustly with disparate OT protocols to be successful. Active visibility’s biggest advantage is control over both the frequency and the content of data refreshes. Often, active querying is the only way to obtain certain data values, such as the complete list of software, patches, and users on an HMI.
Passive visibility, on the other hand, relies upon reading network traffic at strategic locations across the OT network. Instead of generating network traffic, this method listens to the OT network to infer network paths and devices. While less effective in select circumstances, passive solutions have the advantage of limiting risk to normal operations: active visibility solutions that aren’t purpose-built for OT can introduce operational risk through their probing traffic, and this risk is not present with passive visibility. The other advantage is near real-time monitoring of events happening on the network. While active visibility lets you control the frequency of data collection, that schedule can create gaps between when an event happens and when you see it. However, not all updates happen over the network, and passive visibility can be completely blind to those actions.
In either paradigm, there is specific data that is important to see. Examples include IP addresses, physical locations, hardware and software vendors, lifecycle stage, vulnerabilities, and patch status. Understanding the landscape of your OT systems is the first and necessary step towards defending it.
Asset management, on the other hand, refers to the processes of acting upon asset visibility data to update and secure digital and physical devices. Even in 2016, a survey of 200 utility executives listed asset management as an increasingly important aspect of operational technology security. With the recent and rapid rise of the Industrial Internet of Things (IIoT) and the larger Industry 4.0 movement, asset management has only increased in importance. The inclusion of IP connectivity in OT systems has increased the risks associated with OT assets and the corresponding need for robust management capabilities. Critical areas of management include patching vulnerabilities, lifecycle management, security event logging, and recovery capabilities.
Data received from visibility tools can be used by management solutions to check software and hardware instances against known exploits. Asset management solutions can also identify critical missing patches for vulnerability mitigation. In parallel, devices running legacy operating systems need to be identified, since these systems are often no longer supported by their manufacturers, and asset management solutions can help determine how best to isolate them from other network activity. In other cases, asset management can detect and flag anomalous activity reported by a visibility solution and may be able to provide recovery services that mitigate the damage of an exploit.
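As an added illustration (not code from the article or any product it mentions), the following script merges constructed passive observations and active query results into one inventory and applies the management checks the text describes: missing patch data for passively-seen-only devices, stale assets, firmware below a hypothetical vendor-supported minimum, and patch levels behind a hypothetical baseline. All IPs, vendors, versions and policy values are made up for the example.

```python
# Constructed sample data: what a passive sensor inferred from the wire
PASSIVE = [
    {"ip": "10.1.1.10", "vendor": "AcmePLC", "proto": "modbus", "last_seen": 3},
    {"ip": "10.1.1.11", "vendor": "AcmePLC", "proto": "modbus", "last_seen": 40},
    {"ip": "10.1.1.20", "vendor": "ExampleHMI", "proto": "opcua", "last_seen": 1},
]
# Constructed sample data: what an OT-aware active query returned (software detail
# that never shows up in passive traffic); 10.1.1.30 was found only this way
ACTIVE = [
    {"ip": "10.1.1.10", "firmware": "2.3.1", "patch_level": "2023-11"},
    {"ip": "10.1.1.20", "firmware": "1.0.0", "patch_level": None},
    {"ip": "10.1.1.30", "firmware": "5.1.0", "patch_level": "2024-02"},
]
# Hypothetical lifecycle policy: oldest firmware still vendor-supported, patch baseline
SUPPORTED_MIN = {"AcmePLC": (2, 0, 0), "ExampleHMI": (1, 2, 0)}
PATCH_BASELINE = "2024-01"   # YYYY-MM strings compare correctly as text
STALE_DAYS = 30

def parse_version(v):
    """'2.3.1' -> (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def build_inventory(passive, active):
    """Merge both visibility sources into one record per IP, noting which source saw it."""
    inv = {}
    for source, records in (("passive", passive), ("active", active)):
        for r in records:
            asset = inv.setdefault(r["ip"], {"sources": set()})
            asset.update(r)
            asset["sources"].add(source)
    return inv

def findings(inv):
    """Asset-management checks on the merged inventory; returns {ip: [finding, ...]}."""
    out = {}
    for ip, a in inv.items():
        f = []
        if "active" not in a["sources"]:
            f.append("no software/patch data: seen passively only")
        if "passive" not in a["sources"]:
            f.append("never seen on the wire: verify it is live and monitored")
        if a.get("last_seen", 0) > STALE_DAYS:
            f.append("stale: not observed for %d days" % a["last_seen"])
        vendor, fw = a.get("vendor"), a.get("firmware")
        if vendor in SUPPORTED_MIN and fw and parse_version(fw) < SUPPORTED_MIN[vendor]:
            f.append("legacy firmware %s below supported minimum: isolate" % fw)
        if "active" in a["sources"] and (a.get("patch_level") or "") < PATCH_BASELINE:
            f.append("missing patches: behind baseline %s" % PATCH_BASELINE)
        if f:
            out[ip] = f
    return out
```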
OT asset visibility and management are thus distinct but equally indispensable aspects of industrial cybersecurity. Ensuring that visibility and management solutions work in parallel to make the data received actionable is crucial. A simple way to do this is to use a single tool that offers asset visibility and management in one place, with both active and passive options. The OT landscape is becoming increasingly complicated. Gaining situational awareness through asset visibility, and self-control through asset management, can prepare your OT systems to withstand a hundred cyber-battles.