By Walt Boyes
This is part of a blog series. Please read Part I and Part II here.
When last we left our hero, he was juggling maintenance issues and cybersecurity, and trying to create an OT asset inventory with Excel and SQL. He bought and installed an ICS detection product from his erstwhile cybersecurity consultant. That didn’t really work either, because it only gave him residual data from network anomaly detection.
The fact is that building a useful OT asset inventory cannot be accomplished using a spreadsheet application or an ICS detection product. A useful OT asset inventory requires a purpose-built and dedicated tool.
As it turns out, having a contextualized OT asset inventory is the basis for multiple use cases in cybersecurity, engineering, and maintenance.
Suddenly, our hero has found some hope. He heard about and downloaded The OT Asset Inventory Handbook from OTbase. “This handbook is not another fluffy sales brochure,” he read.
Why is an OT asset inventory so important? It is an absolute necessity because a number of use cases depend on a system of record: OT vulnerability management (you can’t tell if you have vulnerabilities if you don’t know what you have), obsolescence management, and configuration management.
So why is our hero (and some of you, if you’ll admit it) struggling so hard with this?
First, he is, as we have seen, using inappropriate tools. Maybe you are too.
Second, he is missing a crucial aspect of a useful OT asset inventory: contextual metadata. Context is crucial to success. You can’t build an evergreen OT asset inventory with just IP addresses and model names. You have to have a tool that automatically captures technical data like MAC addresses and device serial numbers.
“If you use inappropriate tools,” our hero read, “you will get underwhelming results. When you consider the tools commonly used in OT asset inventory building, it’s a bit like watching a sculptor using a sledgehammer.”
Our hero has already made the most common mistake by using Excel for his inventory. Excel is a manual application, he found, and somebody must be assigned (remember, our hero is a one-man department) to visually inspect and enter the data. If you instruct your instrumentation and maintenance people to collect serial numbers and firmware versions for all I/O modules in all PLC racks, you will get superficial information that may be transcribed incorrectly and that becomes outdated as soon as somebody makes a change to the devices. The file is generally stored on somebody’s computer (our hero’s), with no access control or version control, and version conflicts often arise. You have no “single source of truth” against which to validate the OT asset inventory. There is generally no device identity, and our hero realizes that he’s missing crucial details that nobody bothered to record, such as what the asset is and where it is located.
Remember, our hero thought he was doing a good thing by installing an ICS detection product. ICS detection is focused on identifying cyber threats to ICS systems. The asset information it yields is ambiguous and pretty basic. ICS detection systems are designed to passively sniff OT assets. This provides some basic information but no context. Also, there is no device identity, because passive sniffing only reports IP addresses without noting that there can be many duplicates in an OT network. ICS detection systems are limited to IT/OT networks, and fieldbus devices are generally invisible and not covered. For an OT asset inventory, that misses a lot of devices: those on ControlNet, DeviceNet, SERCOS, Profibus, and Fieldbus, and even HART-enabled devices. It completely misses most wireless instruments and devices that are HART or ISA100. There is no network data: ICS detection systems don’t inventory networks or port lists, or generate network topology maps. And there is no metadata enrichment.
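The device identity problem described above, as an added example that is not taken from the handbook or from OTbase: an inventory keyed on IP address silently merges devices in cloned machine cells, while one keyed on serial number and MAC address keeps them apart and reports the duplicate IPs. The record fields, cell names and sample sightings are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample sightings (not real plant data). "cell" is the machine
# cell / network segment where the device was seen; MACs use the documentation range.
OBSERVATIONS = [
    {"cell": "line-1", "ip": "192.168.1.10", "mac": "00:00:5e:00:53:01", "serial": "SN-A1001", "model": "PLC-X"},
    {"cell": "line-2", "ip": "192.168.1.10", "mac": "00:00:5e:00:53:02", "serial": "SN-A1002", "model": "PLC-X"},
    {"cell": "line-1", "ip": "192.168.1.20", "mac": "00:00:5e:00:53:03", "serial": "SN-B2001", "model": "HMI-Y"},
    {"cell": "line-2", "ip": "192.168.1.20", "mac": "00:00:5e:00:53:04", "serial": "SN-B2002", "model": "HMI-Y"},
    {"cell": "line-1", "ip": "192.168.1.10", "mac": "00-00-5E-00-53-01", "serial": "SN-A1001", "model": "PLC-X"},
]

def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so differently written MACs match."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def inventory_by_ip(observations):
    """An IP-only list: a later sighting overwrites any earlier one at the same IP."""
    return {o["ip"]: o for o in observations}

def inventory_by_identity(observations):
    """Key each asset on (serial, MAC) and record every (cell, IP) it was seen at."""
    assets = {}
    for o in observations:
        key = (o["serial"], normalize_mac(o["mac"]))
        asset = assets.setdefault(key, {"model": o["model"], "addresses": []})
        addr = (o["cell"], o["ip"])
        if addr not in asset["addresses"]:
            asset["addresses"].append(addr)
    return assets

def duplicate_ips(assets):
    """IP addresses that are in use by more than one distinct device identity."""
    users = defaultdict(set)
    for key, asset in assets.items():
        for _cell, ip in asset["addresses"]:
            users[ip].add(key)
    return {ip: sorted(keys) for ip, keys in users.items() if len(keys) > 1}

if __name__ == "__main__":
    assets = inventory_by_identity(OBSERVATIONS)
    print(len(inventory_by_ip(OBSERVATIONS)), "entries by IP,", len(assets), "devices by identity")
    print("duplicate IPs:", duplicate_ips(assets))
```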
Our hero keeps reading avidly. If you have a problem like our hero’s, you should read this book too. Click here to download the OT Asset Inventory Handbook.