What asset management really does is give you a large amount of valuable data about your OT infrastructure that makes it much easier to maintain, protect, and troubleshoot your systems. It eliminates guesswork and lengthy investigations into the actual configuration of OT assets, from firmware versions to VLAN IDs, whether for system maintenance or for cyber security.
And that’s where the real value of OT asset management comes in. Proper operation, maintainability and cyber security posture of OT assets depend on multiple variables such as software and network configuration details. Making this information easily accessible and subject to automated processing is the purpose of an OT asset management system. In doing so, it makes engineers, maintenance specialists, and cyber security experts more efficient.
For practical purposes, the best way to define an OT asset is a digital OT device, such as a PLC, RTU, sensor, actuator, network switch, operator panel, and so forth.
An asset inventory, which is the centerpiece of asset management, stores all the data that is available for OT assets. This data includes:
- Hardware make and model
- Serial number
- Hardware configuration, such as I/O modules connected to a PLC’s backplane
- Software configuration, including firmware or operating system version, installed applications, software components, and security patches
- Hardware and software product lifecycle status
- Physical location of a particular OT asset (such as site, building, floor, room, or cabinet)
- A brief description of what the asset does
- Association with a particular OT system, such as a production line or distributed control system
- Network connectivity
- Known cyber security vulnerabilities
- User-defined tags
and several other properties.
In the OT-BASE OT Asset Management System, all this information is readily available for any asset by double-clicking on an entry in the device inventory, or by inputting the IP address of the asset in the quick search field.
Asset data can also be accessed by other software applications via a REST API.
Most OT asset data can be obtained automatically. This is accomplished by querying devices on the network using standard industrial protocols such as EtherNet/IP, Modbus, or Profinet. Each of these protocols comes with commands to query device identity and configuration, a fact that is widely used by software products from the large automation vendors.
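To make the "query device identity" step concrete, here is an added example (written for this page, not OT-BASE code) that builds a Modbus "Read Device Identification" request (function code 0x2B, MEI type 0x0E) and parses the response objects into the vendor/product/firmware fields an inventory stores. The response bytes are constructed for the example and do not come from a real device; the vendor and product strings are fictitious.

```python
import struct

# Modbus function code and MEI type for "Read Device Identification"
# (Modbus Application Protocol Specification, section 6.21).
FC_ENCAPSULATED_INTERFACE = 0x2B
MEI_READ_DEVICE_ID = 0x0E

# Standard object ids returned in the "basic" (ReadDevIdCode 0x01) stream.
OBJECT_NAMES = {
    0x00: "VendorName",
    0x01: "ProductCode",
    0x02: "MajorMinorRevision",
    0x03: "VendorUrl",
    0x04: "ProductName",
    0x05: "ModelName",
    0x06: "UserApplicationName",
}


def build_read_device_id_request(read_code=0x01, object_id=0x00):
    """PDU for Read Device Identification: FC, MEI type, ReadDevIdCode, ObjectId."""
    return bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_code, object_id])


def mbap_frame(pdu, transaction_id=1, unit_id=1):
    """Wrap a PDU in the Modbus/TCP MBAP header: tid, protocol id 0, length, unit id."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_read_device_id_response(pdu):
    """Parse a Read Device Identification response PDU into a dict of objects.

    Raises ValueError on an exception response or a malformed stream instead of
    returning a partial record, so half-parsed identity data never lands in the
    inventory looking complete.
    """
    if len(pdu) >= 2 and pdu[0] == (FC_ENCAPSULATED_INTERFACE | 0x80):
        raise ValueError(f"Modbus exception code 0x{pdu[1]:02x}")
    if len(pdu) < 7:
        raise ValueError("response too short")
    if pdu[0] != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    # pdu[2]=ReadDevIdCode, pdu[3]=ConformityLevel, pdu[4]=MoreFollows, pdu[5]=NextObjectId
    more_follows = pdu[4] == 0xFF
    next_object_id = pdu[5]
    count = pdu[6]
    objects = {}
    pos = 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, length = pdu[pos], pdu[pos + 1]
        pos += 2
        if pos + length > len(pdu):
            raise ValueError("truncated object value")
        objects[OBJECT_NAMES.get(obj_id, f"Object_{obj_id:02x}")] = pdu[pos:pos + length].decode("ascii", errors="replace")
        pos += length
    return {"objects": objects, "more_follows": more_follows, "next_object_id": next_object_id}


def _encode_objects(objs):
    return b"".join(bytes([oid, len(v)]) + v for oid, v in objs)


# Constructed sample response (not captured from a real device): basic identification
# of a fictitious PLC, conformity level 0x01, MoreFollows 0x00, three objects.
SAMPLE_RESPONSE_PDU = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, 0x01, 0x01, 0x00, 0x00, 0x03]) + _encode_objects([
    (0x00, b"ExampleAutomation"),
    (0x01, b"EX-PLC-1000"),
    (0x02, b"V2.4.1"),
])


def sample_identity():
    """Parse the constructed sample and return an inventory-style record."""
    o = parse_read_device_id_response(SAMPLE_RESPONSE_PDU)["objects"]
    return {"vendor": o["VendorName"], "product": o["ProductCode"], "firmware": o["MajorMinorRevision"]}


if __name__ == "__main__":
    print(mbap_frame(build_read_device_id_request()).hex())
    print(sample_identity())
```

A real scanner loops while `more_follows` is set, re-issuing the request with `next_object_id`, and treats a Modbus exception response (function code with the high bit set) as "device does not support identification" rather than as an empty inventory record. Both the request and the response are unauthenticated, which is exactly why the same query works for an attacker doing reconnaissance and why active discovery should run from a host the OT network already trusts.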
If you are familiar with “passive scanning” products you will notice that their discovery process is different because it relies on hardware appliances and realtime network traffic analysis. This approach is not used by the OT-BASE Asset Management System, and I’ll explain the differences in another video.
The OT-BASE OT Asset Management System discovers assets actively using a dedicated software component called OT-BASE Asset Discovery. This software, which technically is a Windows service, usually co-exists with other applications, for example on engineering stations. Waking up every 24 hours, it periodically pulls
- Hardware make and model
- Serial number
- Hardware configuration
- Software configuration
- and Network connectivity
from the networks that it is connected to, which can be local or remote.
This basic asset information is then passed via the network to the OT-BASE Asset Center software where it is consolidated and made available to users and other software applications. The consolidation process may be quite complex if you consider multi-homed devices that are discovered using different protocols in different networks, however that’s something that the user doesn’t need to be concerned about. It all happens behind the scenes.
Knowing about IP addresses, hardware make and model, network topology etc. of your OT assets is nice, but it gets so much better with data enrichment. This is metadata that is attached to the core set of asset information. The result is what we call a deep asset inventory, as opposed to a flat one that contains only the bare minimum of technical data. Data enrichment makes an asset inventory so much more valuable because it is the glue that ties assets to use cases.
There are two sources for this metadata: First, automatic import and linkage, second, user input.
Perhaps the most important example of automatic import and linkage is known vulnerabilities for your installed base. The OT-BASE Asset Management System automatically downloads CVE data from NIST’s National Vulnerability Database and matches it against your installed hardware and software products, taking into account any installed security patches.
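The matching step is where most home-grown attempts go wrong, so here is an added example of how it can be done (illustrative code written for this page, not OT-BASE’s implementation). It mirrors the version-range fields an NVD configuration carries (`versionStartIncluding`, `versionEndExcluding`) and then removes CVEs that an installed patch already remediates. The CVE identifiers, products and the `fixed_by` mapping are all constructed; NVD itself has no patch-to-CVE field, so that mapping is an assumed enrichment source.

```python
import re
from dataclasses import dataclass
from typing import Optional


def version_key(v):
    """Normalize a version string to a tuple of ints for range comparison.

    Caveat: vendor strings such as 'V2.4.1' or '4.2 SP1' need vendor-specific
    normalization in practice; this keeps only the numeric components.
    """
    return tuple(int(x) for x in re.findall(r"\d+", v))


@dataclass
class Asset:
    asset_id: str
    vendor: str
    product: str
    version: str
    patches: frozenset = frozenset()  # patch / hotfix identifiers installed on the asset


@dataclass
class Cve:
    cve_id: str
    vendor: str
    product: str
    version_start_incl: Optional[str]  # mirrors NVD versionStartIncluding
    version_end_excl: Optional[str]    # mirrors NVD versionEndExcluding
    cvss: float
    fixed_by: frozenset = frozenset()  # assumed enrichment: patch ids that remediate this CVE


def cve_applies(asset, cve):
    """True if the CVE is still open on this asset (product, version range, patches)."""
    if (asset.vendor.lower(), asset.product.lower()) != (cve.vendor.lower(), cve.product.lower()):
        return False
    v = version_key(asset.version)
    if cve.version_start_incl and v < version_key(cve.version_start_incl):
        return False
    if cve.version_end_excl and v >= version_key(cve.version_end_excl):
        return False
    # A CVE remediated by an installed patch is no longer open on this asset.
    if asset.patches & cve.fixed_by:
        return False
    return True


def open_cves(asset, feed):
    """Open CVEs for one asset, most severe first."""
    return sorted((c for c in feed if cve_applies(asset, c)), key=lambda c: c.cvss, reverse=True)


def vulnerability_report(assets, feed):
    """asset_id -> list of open CVE ids, ordered by CVSS descending."""
    return {a.asset_id: [c.cve_id for c in open_cves(a, feed)] for a in assets}


# Constructed sample data (fictitious vendor, products, CVE ids and scores).
SAMPLE_ASSETS = [
    Asset("plc-01", "ExampleAutomation", "EX-PLC-1000", "V2.4.1"),
    Asset("plc-02", "ExampleAutomation", "EX-PLC-1000", "V2.4.1", frozenset({"HF-2"})),
    Asset("hmi-01", "ExampleAutomation", "EX-HMI", "3.0.2"),
]
SAMPLE_FEED = [
    Cve("CVE-EXAMPLE-0001", "ExampleAutomation", "EX-PLC-1000", "2.0", "2.5", 9.8, frozenset({"HF-2"})),
    Cve("CVE-EXAMPLE-0002", "ExampleAutomation", "EX-PLC-1000", None, "2.4", 7.5),
    Cve("CVE-EXAMPLE-0003", "ExampleAutomation", "EX-PLC-1000", "2.4", None, 5.3),
    Cve("CVE-EXAMPLE-0004", "ExampleAutomation", "EX-HMI", "3.0", "3.1", 8.8),
]

if __name__ == "__main__":
    for asset_id, cves in vulnerability_report(SAMPLE_ASSETS, SAMPLE_FEED).items():
        print(asset_id, cves)
```

Two things worth noticing: `plc-02` runs the same firmware as `plc-01` but the installed hotfix closes the critical CVE, which is the "taking into account installed patches" part; and `CVE-EXAMPLE-0002` has an exclusive upper bound of 2.4, so 2.4.1 correctly falls outside it. Getting either of these wrong produces the false positives that make engineers stop trusting the vulnerability list.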
Other metadata that is provided automatically is product lifecycle data for popular software and hardware products, and vendor links that allow you to navigate to the vendor’s product landing page with a click of the mouse.
When it comes to user-provided data, think about device descriptions, user-defined tags, or criticality ratings that add tremendous value to your asset inventory. However, the most basic and most valuable item in this context is the physical location of a device. Imagine an asset management system that would tell you all kinds of technical details about a particular asset, but not its exact location. That would be pretty much useless, wouldn’t it? In the OT-BASE OT Asset Management System, you can even go further and pinpoint an asset’s micro-location, such as a specific building, floor, room, or cabinet. A location can also be enhanced with additional metadata such as a picture, or an interactive floor map.
Here’s one of the most interesting aspects of OT asset management. No matter if you are a control engineer, an OT security expert, or a maintenance specialist: A solid OT asset management system is almost guaranteed to make you more efficient. That is, at least if your OT infrastructure is of a decent size, with hundreds of networks and asset numbers in the five or six digits.
For engineers and maintenance experts, the asset management system helps with
- change management
- lifecycle management and
Consider for example use cases in plant planning. When you are planning a new production line, you can have OT-BASE produce a baseline specification for the OT equipment for this new line with just a few mouse clicks, by cloning the OT configuration of an existing line and simply changing the details that are different. You can then export this baseline as an Excel file and provide it to the respective vendor or OEM. You can monitor progress by comparing the spec against actual installation. You can streamline the Factory and Site Acceptance Tests by having OT-BASE inform you about any discrepancies between spec and real life.
When you think about lifecycle management, wouldn’t it be great if you could see right away which hardware and software products that you are using for critical functions will become obsolete within the next twelve months or so? While you may be able to collect this information from vendors’ web sites, the OT-BASE OT Asset Management System includes this data for many vendors and exposes it automatically for your installed base.
For system maintenance experts, the OT-BASE OT Asset Management System provides answers to questions like these within seconds:
- When was the firmware changed on that PLC, RTU, or network switch that has been causing problems since last week?
- How does the digital configuration of this malfunctioning machine differ from that of a similar one that runs flawlessly?
- Are there any known problems with other devices of the same type, or with other installations of this software or firmware version?
Cyber security has become such an important use case in its own right that I will discuss it in a little bit more depth.
When viewed in the context of the NIST Cybersecurity Framework, the role and value of asset management for OT security is predominantly about prevention: asset management is the first category of the Identify function, and its data feeds the Protect function. An OT asset management system helps to
- identify insecure endpoints, for example those with poor patch status and many critical vulnerabilities,
- identify automation equipment exposed in the enterprise network or on the Internet, and
- rank systems with known vulnerabilities by a risk score derived from the criticality of an asset and its network exposure.
The proactive nature of OT asset management is highlighted by the use of configuration baselines and compliance metrics. Think of a configuration baseline as of a standard configuration that your organization has defined for typical system types such as HMI stations. Baselines allow engineers and administrators to define how systems SHOULD be configured, for example which operating system or firmware version should run on given assets. Based on this information, the asset management system can easily point out any discrepancies that call for mitigation.
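As an added illustration (not OT-BASE’s own logic), the following code expresses a configuration baseline per system type as sets of allowed values plus required and forbidden software, checks each inventory record against it, and computes a compliance percentage. The system types, versions, software names and assets are constructed for the example; a real baseline would be exported from the asset management system rather than hard-coded.

```python
# Baseline = what a system type SHOULD look like. Attribute -> set of allowed values,
# plus software that must be present / must be absent. All values are constructed.
BASELINES = {
    "HMI": {
        "os_version": {"10.0.19044", "10.0.19045"},
        "remote_access": {"disabled"},
        "required_software": {"endpoint-protection"},
        "forbidden_software": {"teamviewer", "anydesk"},
    },
    "PLC": {
        "firmware": {"V2.4.1", "V2.5.0"},
        "remote_access": {"disabled"},
    },
}


def check_asset(asset, baselines):
    """Return the list of deviations from the baseline for the asset's system type."""
    baseline = baselines.get(asset["system_type"])
    if baseline is None:
        # An asset type without a baseline is itself a finding: nobody has defined what "good" is.
        return [{"attribute": "system_type", "expected": sorted(baselines), "actual": asset["system_type"]}]
    installed = set(asset.get("software", []))
    deviations = []
    for attribute, allowed in baseline.items():
        if attribute == "required_software":
            missing = allowed - installed
            if missing:
                deviations.append({"attribute": attribute, "expected": sorted(allowed), "actual": sorted(missing)})
        elif attribute == "forbidden_software":
            present = allowed & installed
            if present:
                deviations.append({"attribute": attribute, "expected": [], "actual": sorted(present)})
        else:
            actual = asset.get(attribute)
            if actual not in allowed:
                deviations.append({"attribute": attribute, "expected": sorted(allowed), "actual": actual})
    return deviations


def compliance_report(assets, baselines):
    """(asset_id -> deviations, percentage of fully compliant assets)."""
    report = {a["asset_id"]: check_asset(a, baselines) for a in assets}
    compliant = sum(1 for d in report.values() if not d)
    return report, round(100.0 * compliant / len(assets), 1)


# Constructed inventory records, as the discovery step would have produced them.
SAMPLE_ASSETS = [
    {"asset_id": "hmi-01", "system_type": "HMI", "os_version": "10.0.19045", "remote_access": "disabled",
     "software": ["endpoint-protection", "hmi-runtime"]},
    {"asset_id": "hmi-02", "system_type": "HMI", "os_version": "10.0.18363", "remote_access": "disabled",
     "software": ["endpoint-protection", "hmi-runtime", "anydesk"]},
    {"asset_id": "plc-01", "system_type": "PLC", "firmware": "V2.3.0", "remote_access": "enabled"},
]

if __name__ == "__main__":
    report, pct = compliance_report(SAMPLE_ASSETS, BASELINES)
    for asset_id, deviations in report.items():
        print(asset_id, deviations or "compliant")
    print(f"compliance: {pct}%")
```

The deviation records are deliberately explicit about expected versus actual values, because a mitigation ticket needs exactly that, and a compliance metric that only says "67% non-compliant" is not actionable.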
Asset data and metadata are also critical components for threat hunting. Let’s assume that your SIEM has detected suspicious network traffic going to IP address x.x.x.x. This information doesn’t give you much to work with without additional data on what the device is, such as a PLC or engineering station, and ideally additional items such as criticality, location, and known vulnerabilities. This is usually called contextualization or data enrichment of observables.
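The enrichment lookup sounds like a dictionary keyed by IP address, but in OT an IP address is only unique within its network, and a multi-homed device is discovered more than once. The added example below (illustrative, not OT-BASE code) first consolidates per-protocol discovery records into one asset per serial number, then builds a (network, ip) index so a SIEM observable can be enriched unambiguously, and shows what happens when the network is unknown. Discovery records, serial numbers, network names and metadata are all constructed.

```python
# Constructed discovery results (not real data): one PLC seen by two protocols in two
# networks, and a switch in another subnet that reuses the PLC's IP address.
DISCOVERIES = [
    {"protocol": "modbus", "network": "line1-ctrl", "ip": "192.168.10.5", "serial": "SN-1001",
     "model": "EX-PLC-1000", "firmware": "V2.4.1"},
    {"protocol": "profinet", "network": "plant-backbone", "ip": "10.20.30.5", "serial": "SN-1001",
     "model": "EX-PLC-1000"},
    {"protocol": "snmp", "network": "line2-ctrl", "ip": "192.168.10.5", "serial": "SN-2002",
     "model": "EX-SW-24"},
]

# User-supplied metadata keyed by serial number, because IPs are not unique across networks.
METADATA = {
    "SN-1001": {"type": "PLC", "criticality": "high", "location": "Building 2 / Cabinet 7"},
    "SN-2002": {"type": "network switch", "criticality": "medium", "location": "Building 3 / Cabinet 1"},
}


def consolidate(discoveries):
    """Merge per-protocol discovery records into one asset per serial number."""
    assets = {}
    for d in discoveries:
        # Without a stable identity the record cannot be merged; keep it under a synthetic key.
        key = d.get("serial") or f"unknown:{d['network']}:{d['ip']}"
        asset = assets.setdefault(key, {"serial": d.get("serial"), "interfaces": [], "sources": set()})
        interface = (d["network"], d["ip"])
        if interface not in asset["interfaces"]:
            asset["interfaces"].append(interface)
        asset["sources"].add(d["protocol"])
        for attribute in ("model", "firmware"):
            if attribute in d:
                # First discovery wins; conflicting values between protocols deserve a log line in practice.
                asset.setdefault(attribute, d[attribute])
    return assets


def build_ip_index(assets):
    """(network, ip) -> asset key. Refuses to build if two assets claim one address in one network."""
    index = {}
    for key, asset in assets.items():
        for interface in asset["interfaces"]:
            if interface in index and index[interface] != key:
                raise ValueError(f"address conflict on {interface}: {index[interface]} vs {key}")
            index[interface] = key
    return index


def enrich_observable(ip, network, assets, index, metadata):
    """Turn a bare IP from a SIEM alert into asset context; None if the address is unknown."""
    key = index.get((network, ip))
    if key is None:
        return None
    asset = assets[key]
    return {"serial": asset["serial"], "model": asset.get("model"), "firmware": asset.get("firmware"),
            "interfaces": asset["interfaces"], **metadata.get(key, {})}


def candidates_by_ip(ip, index):
    """Without the network, an IP may map to several assets; return all of them for the analyst."""
    return sorted({key for (net, addr), key in index.items() if addr == ip})


if __name__ == "__main__":
    assets = consolidate(DISCOVERIES)
    index = build_ip_index(assets)
    print(enrich_observable("192.168.10.5", "line1-ctrl", assets, index, METADATA))
    print(candidates_by_ip("192.168.10.5", index))
```

The practical consequence for detection engineering: a SIEM alert must carry the sensor or subnet it was observed in, otherwise `192.168.10.5` resolves to both a PLC and a switch and the analyst has to guess. The serial number (or another stable hardware identity) is what ties the two interfaces of the multi-homed PLC back to a single asset with a single criticality and location.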
OT vs. IT asset management
Finally, let’s break down how OT asset management is different from IT asset management, and why you can’t use IT asset management systems for OT.
IT professionals have been doing asset management for decades, so it would seem natural to simply extend or copy approaches and products used in the IT domain. However, it has never worked. Here are the most important reasons why:
- Network architectures and IP address schemes are different. It is not uncommon in OT to find substantially more complex network architectures than in IT. Many devices are homed in more than one network. Network addresses are sometimes reused in different subnets, making it impossible to use IP addresses as identifying attributes for a device.
- Next, common IT protocols such as SNMP are not sufficient to discover most OT devices. Instead, industrial protocols such as EtherNet/IP, Profinet, Modbus, SERCOS, ControlNet and others must be used, but these protocols are not available in IT asset management systems.
- Ownership profiles of OT assets are also different. In IT, it is assumed that an asset has a single owner. This assumption doesn’t hold for most OT assets. For example, an HMI station or a PLC usually is not owned by a single person, but by a team or even a whole department.
As a result, a dedicated OT asset management system is required to do the job. That said, data sharing between the OT asset management system and other IT applications and platforms is easy once asset information has been consolidated and normalized by the OT asset management system.
Let’s sum it all up.
Due to growing digital complexity in industrial automation, OT asset management has become a basic necessity for every asset owner. It allows engineers, administrators, and cyber security experts to command tens of thousands or even hundreds of thousands of OT assets by accurately keeping track of asset properties. Elaborate search queries, analytics, and the ability to attach user manuals and other files to devices boost engineering and maintenance efficiency. The ability to share asset details with third parties such as vendors, OEMs and contractors is an added benefit.
A major push for OT asset management comes from cyber security because you obviously can’t protect what you don’t even know exists in the first place. Unless details about network topology and installed hardware and software product versions are available, systematic efforts to raise cyber security posture are impossible. When it comes to threat hunting, the asset management system provides context for IP and MAC addresses, which is sometimes the only information a SIEM would otherwise have.
If you want to learn more about how your organization can benefit from OT asset management, get in touch with us using the contact form on our web site.