Back in 2017 when we launched the OTbase software product, we were wondering how to label it. The initial idea was to call it an “OT management system”. That seemed to resonate with nobody. We then switched to “OT asset management software”, which was a little more intuitive because people could relate it to the well-established product category of IT asset management products.
Now, seven years later, the need for OT asset management has become obvious. More and more OT asset owners are starting their OT asset management journeys for real, replacing manually created Excel tables with a purpose-built solution with all the bells and whistles. It has become clear what OT asset management is, what it does, and what it doesn’t do. Let’s start with a definition:
OT asset management is the continuous determination if the properties of an organization’s digital OT assets match its stated needs and ambitions.
The first part of this definition basically relates to an evergreen OT asset inventory. The second part relates to an idea of where you want to be. That idea may include cyber security posture, OT product obsolescence, network segregation, standard software configurations, and more. An OT asset management system exposes the gap between what is and what should be and comes with workflow automation to help close it.
An OT asset management system allows for automatic audits against stored policies. In this example: Don’t allow outdated operating system versions. A timeline shows progress in becoming compliant.
The major driver for OT asset management is not an alleged rise in cyber-physical attacks. It’s simply the much touted “digital transition” in OT. Over the last decade asset owners have connected millions of new OT devices to process networks, often in the absence of thorough planning. The resulting disorder is usually excused with the phrase that OT architectures had “grown organically”, which is nothing but conceding the absence of systematic planning.
Lack of structure may not be a problem when limited to a couple dozen devices, but where operations rely on tens or hundreds of thousands of such devices, it’s a train wreck that cannot be addressed by interns who record asset information in Microsoft Excel. As a result, OT asset owners find it increasingly difficult, if not impossible, to assess their cyber security risk, conduct audits, follow up on automation vendor safety advisories, and plan for OT product obsolescence.
What are OT asset properties?
Let’s take a closer look at the core data items that go into an OT asset management system. OT asset properties come in three flavors:
- Device properties: Make and model, hardware version, serial number, installed software or firmware, network connectivity.
- Product properties: Known vulnerabilities, product lifecycle stage, software/firmware version currency.
- Contextual properties: Geolocation, process function, OT system association (such as which machine line the asset belongs to), criticality, and maybe additional user defined variables.
The first two categories can be determined more or less automatically.
Technical characteristics of OT devices and their configurations can be identified by automatic discovery, something that the OTbase Discovery software does exceptionally well. However, manual entry of asset information without automatic discovery may still be required for devices that are not network attached but still need to go into the asset inventory. Therefore, the OT asset management system should support manual entry as well.
Once the technical device properties are known, product properties can be added automatically via metadata enrichment. Based on make, model, version, and installed software/firmware, known vulnerabilities (CVEs) can be determined automatically – and only then. By vendor product page lookup, other practically important items such as product lifecycle stage and current firmware version can be determined.
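To make the “and only then” concrete, here is an added example (not OTbase code) that matches constructed asset records against a constructed advisory list by vendor, model and firmware version, and refuses to give an answer when the version is missing. Vendor names, models and the CVE-EXAMPLE ids are placeholders, and the advisory list is a stand-in for a real vulnerability feed.

```python
# Added illustration, not OTbase code. All advisories, vendor/model names and
# CVE-EXAMPLE ids below are constructed placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str            # placeholder id, not a real CVE
    vendor: str
    model: str
    fixed_in: tuple     # first firmware version that is no longer affected


# Constructed advisory list; in practice this is enriched from a vulnerability feed.
ADVISORIES = [
    Advisory("CVE-EXAMPLE-0001", "examplevendor", "plc-1000", (2, 4, 0)),
    Advisory("CVE-EXAMPLE-0002", "examplevendor", "plc-1000", (3, 0, 1)),
    Advisory("CVE-EXAMPLE-0003", "examplevendor", "hmi-200", (1, 2, 0)),
]


def parse_version(text):
    """Turn '2.3.1' or '2.4' into a 3-tuple so versions compare correctly."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError("empty version")
    return parts + (0,) * (3 - len(parts))


def match_cves(asset):
    """Return the sorted list of matching CVE ids for an asset record.

    Returns None when the record is too incomplete to decide (no vendor, model
    or firmware version), which is exactly the situation passive sniffing
    tends to leave you in: a guess would be a probability, not a match.
    """
    vendor = asset.get("vendor", "").lower()
    model = asset.get("model", "").lower()
    version = asset.get("firmware")
    if not vendor or not model or not version:
        return None
    current = parse_version(version)
    return sorted(
        a.cve for a in ADVISORIES
        if a.vendor == vendor and a.model == model and current < a.fixed_in
    )
```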
Most OT asset properties can be discovered automatically. Others, such as an asset’s geolocation, have to be added manually. However, that might just take a couple of minutes — including interactive floor maps.
Contextual properties – how the OT device is used in your environment – cannot be determined automatically. A device’s geolocation, its process function and criticality must be provided by human users. The quality of an OT asset management system determines how easy this input process is, and how contextual information is used to enrich workflows such as cyber risk management. So yes, manual labour is required. However, it makes a big difference if context information is stored in a powerful database, or in some anecdotal Excel tables.
Finally, a crucial aspect of an OT asset inventory is the capability to establish device identity that persists over time and location. This allows users to pull a data record for a specific device. It is a prerequisite for seeing configuration changes over time, which is fundamental for various engineering use cases such as configuration integrity assurance.
From asset inventory to asset management
So far we have outlined the asset properties that are required for a useful OT asset inventory. For the management part, we need to add users and workflow automation.
An OT asset management system is used by multiple stakeholders in various departments and roles. This requires a solid access control capability (authorization levels) for the asset inventory. For example, a maintenance expert in plant A does not need to, and probably should not, see OT assets in plant B, or in the entirety of the enterprise. Access control makes sure that this requirement is fulfilled. In the OTbase OT asset management system, access control is linked to existing authentication platforms such as Active Directory.
User management also allows for tying users to artifacts such as specific reports, and to tasks. As an example, Bob may need to see “his” reports and remediation tasks right away, and those reports and tasks may be completely different from Alice’s. Bob may be interested in any configuration changes at conversion line 2 over the last week, when that quality problem emerged. Sara may be interested in how many Windows 7 instances are still running in the two Nebraska plants. John, Sara’s boss, may want to know if the global Windows 7 upgrade project is on schedule.
Granular access control is one of the most important requirements of an OT asset management system. In OTbase, access control and authorization can be linked to Active Directory.
While most users may have individual accounts in the OT asset management system and use it on a daily basis, other stakeholders may want to use OT asset information within existing enterprise applications and platforms. Examples include providing a CISO dashboard in Power BI, or a service management function in ServiceNow, facilitated by a full CMDB import from the OT asset management software. An OT asset management system without integration capabilities will not fly well in an enterprise context.
The role of OT asset management in OT security
Next let’s look at use cases, starting with OT security.
From a product and tools perspective, it could seem like the field of OT security has become synonymous with network anomaly detection, also referred to as threat detection or “ICS Detection”. How does that relate to OT asset management?
Network traffic and potential anomalies in network traffic are not asset properties. Threat actors aren’t either. Alerts per se aren’t a thing in OT asset management, where it’s about more or less static asset characteristics. And those asset characteristics, or properties as we called them earlier, cannot accurately be determined by the passive sniffing approach that is a hallmark of ICS Detection.
The NIST Cyber Security Framework makes it obvious for everyone that detection is just one small part of cyber security.
But OT security extends beyond threat detection, as a quick glance at the NIST Cyber Security Framework will tell anybody. If you want to protect your OT assets against cyber attacks, and also if you should at some point in time need to respond to an actual cyber attack, you will find yourself lost without a solid asset management capability. Even threat detection can benefit from contextualizing alert information with asset data. Such data would tell a SOC analyst, for example, which asset the IP address associated with an alert belongs to, its process function, geolocation, security posture – all the context necessary for processing the alert.
Maybe the most prominent cyber security use case that absolutely requires an OT asset management capability is vulnerability management. If you don’t have accurate asset data, you won’t be able to identify known vulnerabilities (CVEs) for your installed base. If you do have this information, CVE matching can be done automatically, with precision and certainty. No anomaly detection needed. On the other hand, the information collected by passive scanning isn’t enough for reliable CVE matching, as you can see just by checking the probability ratings that ICS Detection products slap on CVE matches.
What about security patches? An OT asset management system shows you right away which of your Windows boxes haven’t seen a single patch for a year (insert your timeframe of choice). Or which software applications contribute most to your attack surface. Usual suspects include Adobe Flash, outdated Windows operating systems, Teamviewer, and MS Office. Which PCs should have antivirus installed but don’t? All this information is at your fingertips, for your company’s global installed base.
For a more preventive approach, an OT asset management system allows you to define configuration policies that assure homogeneous deployments. Configuration homogeneity goes a long way to assure solid baseline security. Think about mandating that your engineering systems are equipped with an anti-virus product, and that CVE prone software such as Adobe Flash player must not be installed. Super simple to check with just a couple of mouse clicks.
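An added example (not OTbase code) of what such a policy audit looks like when run over a constructed inventory: outdated operating systems, forbidden software and missing anti-virus on engineering systems are flagged per asset, and a compliance ratio is computed for the whole estate or for one site. Asset names, site names, roles and software lists are made up.

```python
# Added illustration, not OTbase code. Inventory records and policy sets are constructed.
OUTDATED_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}
FORBIDDEN_SOFTWARE = {"Adobe Flash Player"}
ROLES_REQUIRING_AV = {"engineering station", "hmi"}

# Constructed inventory: what automatic discovery plus manual context would yield.
INVENTORY = [
    {"name": "ENG-01", "site": "Omaha", "role": "engineering station",
     "os": "Windows 10", "software": ["TIA Portal", "Antivirus X"]},
    {"name": "ENG-02", "site": "Omaha", "role": "engineering station",
     "os": "Windows 7", "software": ["TIA Portal", "Adobe Flash Player"]},
    {"name": "HMI-03", "site": "Lincoln", "role": "hmi",
     "os": "Windows 10", "software": ["WinCC", "Antivirus X"]},
    {"name": "WS-04", "site": "Lincoln", "role": "office desktop",
     "os": "Windows 7", "software": ["MS Office"]},
]


def has_av(asset):
    # Constructed convention: any installed package with "antivirus" in its name counts.
    return any("antivirus" in s.lower() for s in asset["software"])


def audit(asset):
    """Return the list of policy violations for one asset (empty means compliant)."""
    findings = []
    if asset["os"] in OUTDATED_OS:
        findings.append(f"outdated OS: {asset['os']}")
    for s in sorted(FORBIDDEN_SOFTWARE.intersection(asset["software"])):
        findings.append(f"forbidden software: {s}")
    if asset["role"] in ROLES_REQUIRING_AV and not has_av(asset):
        findings.append("antivirus required but not installed")
    return findings


def audit_inventory(inventory, site=None):
    """Audit all assets (optionally only one site).

    Returns (findings per asset name, share of compliant assets). Recording the
    ratio on every run gives the compliance timeline the text mentions.
    """
    scope = [a for a in inventory if site is None or a["site"] == site]
    report = {a["name"]: audit(a) for a in scope}
    compliant = sum(1 for f in report.values() if not f)
    ratio = compliant / len(scope) if scope else 1.0
    return report, ratio
```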
Re-visiting cyber risk
What about risk management, a concept that is often stressed in OT security?
OT asset management is threat agnostic because threats are externalities, and fuzzy ones. But even without referring to threats, OT asset management gives you a solid foundation for risk management. Consider the following asset properties, all of which are vital for prioritizing your cyber security efforts without referring to threat intelligence:
- The criticality of OT assets. An engineering station for a safety system, for example, should be better protected than an office desktop in the electrical workshop. Criticality is one of the most important asset properties when it comes to risk management. It is usually assigned case based by engineers.
- The network exposure of OT assets. Assets exposed to the Internet have a higher likelihood of getting attacked than those which are hidden behind firewalls, DMZs, data diodes etc. The asset management system tells you what those assets are.
- Whether any vulnerabilities that affect your systems have already been exploited in the wild (Known Exploited Vulnerabilities, KEVs), which also increases the likelihood parameter of your risk equation.
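An added example (not OTbase code) that turns the three properties above into a threat-agnostic ranking: exposure drives the likelihood term, a match against a KEV-style list raises it further, and criticality is the impact term. The weights, asset records and CVE-EXAMPLE ids are constructed placeholders; a real system would tune the weights to the organization.

```python
# Added illustration, not OTbase code. Weights, asset records and CVE ids are constructed.
CRITICALITY = {"low": 1, "medium": 2, "high": 3, "safety": 4}   # impact term
EXPOSURE = {"isolated": 1, "segmented": 2, "enterprise": 3, "internet": 5}  # likelihood baseline

# Constructed stand-in for a known-exploited-vulnerabilities list (placeholder ids).
KEV = {"CVE-EXAMPLE-0002"}

INVENTORY = [
    {"name": "SIS-ENG", "criticality": "safety", "exposure": "segmented",
     "cves": ["CVE-EXAMPLE-0001"]},
    {"name": "HIST-01", "criticality": "medium", "exposure": "internet",
     "cves": ["CVE-EXAMPLE-0002", "CVE-EXAMPLE-0003"]},
    {"name": "SHOP-PC", "criticality": "low", "exposure": "enterprise",
     "cves": ["CVE-EXAMPLE-0002"]},
    {"name": "PLC-07", "criticality": "high", "exposure": "isolated", "cves": []},
]


def likelihood(asset):
    """Exposure sets the baseline; a known-exploited CVE doubles it, other CVEs add one."""
    base = EXPOSURE[asset["exposure"]]
    cves = asset["cves"]
    if any(c in KEV for c in cves):
        return base * 2
    return base + (1 if cves else 0)


def risk_score(asset):
    """Risk = likelihood x impact, with no threat-intelligence input at all."""
    return likelihood(asset) * CRITICALITY[asset["criticality"]]


def prioritize(inventory):
    """Highest risk first; ties broken by criticality, then name, so the order is stable."""
    return sorted(
        inventory,
        key=lambda a: (-risk_score(a), -CRITICALITY[a["criticality"]], a["name"]),
    )
```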
But there’s even more, because not all OT cyber risk is threat-based. Here are other types of OT cyber risk that were ignored for many years, just because they are less thrilling:
- The risk that you miss firmware updates that fix functional and safety issues that you had been informed about by the automation vendor in a product notification.
- The risk that ageing OT equipment becomes obsolete and replacement parts are no longer available when you need them.
- The risk that staff retires before having passed configuration knowledge to the next generation.
- The risk that vintage Windows computers crash due to resource exhaustion and cause downtime.
- The risk that critical OT systems are not backed up properly without anybody noticing.
- The risk that a well-intended PLC firmware update by a contractor (who didn’t inform you about it) resulted in quality problems or downtime.
Engineering use cases for OT asset management
The previously mentioned examples of cyber risk unrelated to malicious activity should have made it clear that there are several use cases for OT asset management that have little or nothing to do with cyber security. This risk affects every asset owner, no matter how active or lazy hackers and malware operators are.
Processing of vendor product notifications: Automation vendors regularly issue product notices and safety alerts that make customers aware of product deficiencies that must be fixed. These notifications regularly affect specific product and firmware versions. An OT asset management system helps the user to check if the organization has the affected products installed, and where.
Asset health tracking: Hard disk, memory, and CPU exhaustion isn’t a totally rare phenomenon in OT where lots of antiquated Windows PCs are still performing their tasks. The OTbase OT asset management software can detect these issues before they turn into application failures and downtime.
Configuration integrity monitoring: A configuration change might be well-meaning but yet counter-productive, as many asset owners have experienced already. Contractors installing new firmware versions, for example, have been the cause of downtime and quality issues. The OTbase OT asset management software detects and logs configuration changes, and notifies users accordingly.
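The persistent device identity discussed earlier is what makes configuration change detection work. As an added example (not OTbase code), the following diffs two constructed inventory snapshots keyed by a serial number rather than by IP address, so a firmware change is attributed to the same device even after its address changed, and a line-level view answers the “what changed at conversion line 2 this week” question from the text. Serial numbers, IP addresses, models and versions are made up.

```python
# Added illustration, not OTbase code. Both snapshots are constructed; the key is a
# persistent device id (here a serial number), never the IP address.
SNAPSHOT_MON = {
    "SN-1001": {"ip": "10.1.2.10", "model": "PLC-1000", "firmware": "2.3.1", "line": "conversion line 2"},
    "SN-1002": {"ip": "10.1.2.11", "model": "PLC-1000", "firmware": "2.3.1", "line": "conversion line 2"},
    "SN-2001": {"ip": "10.1.2.50", "model": "HMI-200", "firmware": "1.2.0", "line": "conversion line 2"},
    "SN-4001": {"ip": "10.1.3.10", "model": "PLC-1000", "firmware": "2.3.1", "line": "packaging line 1"},
}
SNAPSHOT_FRI = {
    "SN-1001": {"ip": "10.1.2.10", "model": "PLC-1000", "firmware": "2.4.0", "line": "conversion line 2"},
    "SN-1002": {"ip": "10.1.2.99", "model": "PLC-1000", "firmware": "2.3.1", "line": "conversion line 2"},
    "SN-3001": {"ip": "10.1.2.60", "model": "HMI-200", "firmware": "1.2.0", "line": "conversion line 2"},
    "SN-4001": {"ip": "10.1.3.10", "model": "PLC-1000", "firmware": "2.3.1", "line": "packaging line 1"},
}

TRACKED = ("model", "firmware", "ip")   # fields whose change is worth a log entry


def diff_snapshots(before, after):
    """Return change records as (device_id, kind, field, old, new) tuples."""
    changes = []
    for dev_id in sorted(set(before) | set(after)):
        if dev_id not in after:
            changes.append((dev_id, "removed", None, None, None))
        elif dev_id not in before:
            changes.append((dev_id, "added", None, None, None))
        else:
            for field in TRACKED:
                old, new = before[dev_id].get(field), after[dev_id].get(field)
                if old != new:
                    changes.append((dev_id, "changed", field, old, new))
    return changes


def changes_for_line(before, after, line):
    """Restrict the diff to one OT system (machine line) using the contextual 'line' property."""
    members = {d for d, rec in {**before, **after}.items() if rec.get("line") == line}
    return [c for c in diff_snapshots(before, after) if c[0] in members]
```

Had the snapshots been keyed by IP address, SN-1002 would have shown up as one device removed and another added, and its firmware history would have been lost.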
Obsolescence management: OT devices in service for 20 years or more are not a rare occurrence, especially in the fieldbus realm. Obsolete devices can pose a serious business continuity risk. The OTbase OT asset management software informs users about product lifecycle status for hundreds of popular OT products and network switches.
Automatic network topology maps and IP address management: Most control engineers lost control of their networks years ago, due to the constant rise of equipment that is networked. Hundreds of networks where there used to be only a few dozen is the new reality. And so are PLCs in the enterprise network, and a general lack of understanding of how networks connect with each other. OTbase creates automatic network topology diagrams and gets control engineers back in the driver’s seat.
Summary
With a wealth of solid use cases, each delivering demonstrable return on investment, OT asset management has become a product category in its own right. It has become too large and too valuable to be exercised as a bolt-on to OT security products as we know them.
Essential features of an OT asset management system include:
- Automatic discovery of the majority of the organization’s OT devices with their hardware and software/firmware configuration
- Ability to manually add devices to the database, as well as extending the data model with custom database fields
- Reliable identification of assets, allowing for the tracking of configuration changes over time, and the lookup of any device identified by its unique ID
- Ability to model functional superstructures (OT systems) such as machine lines, in order to document and understand device/system dependencies
- Detailed network information such as IP address lists and network topology diagrams
- Geolocation modelling with arbitrary granularity: Depending on the asset owner’s needs, it may be required to pinpoint an asset to a GPS lat/lon, site, building, floor, room, cabinet, …
- Granular access control: Depending on their role, some users may only need to see small parts of the asset data universe, whereas others must be able to see the full picture
- A reporting system that covers relevant artifacts for different use cases. The reporting system should include the capability to export to popular third-party apps like Excel, Visio, and Power BI
- Integration with enterprise applications and platforms
- Workflow automation for vulnerability management etc. that also ties people (users) to tasks and assets.
OT asset management is the foundation of OT security, because of the widely understood fact that one cannot protect what one cannot see. An accurate OT asset inventory exposes OT assets and configurations where vulnerability mitigation yields more risk reduction than elsewhere. It also comes with workflow automation for systematic mitigation.
In addition to that OT asset management addresses engineering use cases outside of the cyber security realm. OT obsolescence management is a prime example. Another one is processing automation vendor safety advisories and product notices: You must be able to identify affected installations in order to act on flaws that might impact safety and business continuity. An OT asset management system achieves that.
The major driver for OT asset management is not the emergence of cyber threats. It’s the overwhelming digital complexity in OT environments. Stakeholders need an appropriate tool to deal with this complexity, as it has become all too obvious that the go-to solution of choice – Microsoft Excel – isn’t this tool.
To learn more about the OTbase OT asset management software, check out https://ot-base.com.
Full product documentation: https://support.langner.com/hc/en-us
Videos: https://www.youtube.com/playlist?list=PLRuLtZMbkOljRY5eKuKAw3id6p8UBTXDO