By Walt Boyes
We know that we can’t manage OT asset vulnerabilities from the vulnerability side of the equation. That approach doesn’t work, because the vulnerability space is continuously shifting and morphing as ever more vulnerabilities are discovered. Where we must start is with the assets we have control over.
The necessity of an OT asset inventory
The first thing to do is to figure out what those assets are. We need to create a robust, accurate OT asset inventory, and that is more than a list of devices. When a plant is built and turned on, a complete infrastructure inventory is created. It is usually called an “as-built” inventory. Less than one second after the plant is turned on, the “as-built” information is no longer valid. So, relying on as-built information won’t lead to an OT asset inventory that you can rely on.
Why does this happen? All of the energy, intention, and people are focused on producing products from the plant and not on the changes to the OT infrastructure and assets that help produce that product. You and your staff are incentivized to run the plant to make products and profits.
Webinar: Contextualizing an OT asset inventory
OT vulnerability management supported by an OT asset inventory
The only part of the operation you have control over is the OT asset inventory. You can’t inventory the potential vulnerabilities, because you don’t know what they are or when the next zero-day vulnerability will be found. This is a real conundrum for OT managers.
What you need is a fully automated tool that assesses the OT asset inventory and keeps it up to date and evergreen. The tool itself must be continuously updated, and it must let you add context such as ISA-95 hierarchy, geolocation, and other metadata.
Your tool needs to report all of the devices that are or are becoming obsolete so you can produce a replacement strategy. If you just let your 1975 GE Model One PLC continue to operate, when it stops running, so does the production line it controls. Now you have a bigger problem than just replacement—you have a business continuity problem.
You can use an up-to-date OT asset inventory to help you decide which of the myriad vulnerability notices you need to pay attention to and in what order. Rank your vulnerabilities by the type and number of assets they affect, and you now have an orderly method of OT vulnerability management.
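As an added illustration of the asset-side ranking described above (this is not code from the article or from OTbase), the following matches vulnerability notices against an inventory that already carries ISA-95 level, area and obsolescence context, drops notices that touch nothing in the plant, and orders the rest by how much production they expose. All vendors, products, firmware versions and notice ids are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str
    firmware: tuple      # version parsed from the inventory record, e.g. (2, 1, 0)
    isa95_level: int     # 1 = field device, 2 = area control, 3 = site operations
    area: str            # ISA-95 hierarchy context recorded in the inventory
    end_of_life: bool    # vendor has declared the device obsolete

@dataclass(frozen=True)
class Notice:
    notice_id: str
    vendor: str
    product: str
    affected_below: tuple  # firmware versions strictly below this are affected
# Constructed sample data: vendors, products and notice ids are placeholders.
INVENTORY = [
    Asset("PLC-01", "ExampleCo", "PLC-100", (2, 0, 0), 1, "Plant A/Line 1", False),
    Asset("PLC-02", "ExampleCo", "PLC-100", (2, 3, 0), 1, "Plant A/Line 2", False),
    Asset("PLC-03", "ExampleCo", "PLC-100", (1, 4, 0), 1, "Plant A/Line 3", True),
    Asset("HMI-01", "ExampleCo", "HMI-Panel", (5, 1, 0), 2, "Plant A/Line 1", False),
    Asset("HIST-01", "OtherCorp", "Historian", (9, 0, 0), 3, "Plant A/Site", False),
]
NOTICES = [
    Notice("ADV-0001", "ExampleCo", "PLC-100", (2, 1, 0)),    # hits PLC-01 and PLC-03
    Notice("ADV-0002", "OtherCorp", "Historian", (9, 5, 0)),  # hits HIST-01
    Notice("ADV-0003", "ExampleCo", "HMI-Panel", (5, 0, 0)),  # HMI-01 already past the fix
    Notice("ADV-0004", "ThirdVendor", "RTU-9", (1, 0, 0)),    # product not in this plant
]

def affected_assets(notice, inventory):
    """Inventory entries matching the notice's vendor, product and version range."""
    return [a for a in inventory if (a.vendor, a.product) == (notice.vendor, notice.product)
            and a.firmware < notice.affected_below]

def rank_notices(notices, inventory):
    """Order notices by exposure: ISA-95-weighted score, then hit count, then EOL hits."""
    ranked = []
    for n in notices:
        hits = affected_assets(n, inventory)
        if not hits:
            continue  # nothing in the inventory is exposed: it leaves the work queue
        weight = sum(4 - a.isa95_level for a in hits)  # level 1 scores 3, level 3 scores 1
        eol = sum(a.end_of_life for a in hits)         # no patch is coming: plan replacement
        ranked.append((n.notice_id, len(hits), weight, eol, sorted({a.area for a in hits})))
    return sorted(ranked, key=lambda r: (r[2], r[1], r[3]), reverse=True)
```

Each entry in the result is (notice id, affected asset count, ISA-95-weighted score, end-of-life hits, affected areas), so the same report also feeds the replacement strategy for obsolete devices.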
Watch: Inspecting CVE events in OTbase
The team that cracked Stuxnet has built just such a tool. It is called OTbase, and you can use it to do everything we’ve been discussing. It automatically and continuously updates your OT asset inventory and asset documentation and contextualizes your asset information. OTbase is designed to give you the OT asset management base from which to deploy smart, reliable, and functional OT cybersecurity practices. OTbase will keep your OT asset inventory current, even keeping metadata like software revision numbers and change management records correct.
This is the fourth article in a four-part series. Click here to read Part 1, Part 2, and Part 3.