By Walt Boyes 

Congratulations! Along with your other responsibilities as Maintenance Engineer, your boss has just appointed you OT Cybersecurity lead. So now you have to find time and budget for cybersecurity. What do you do first? You look around for companies that say they can make your plant cyber-secure. They all promise the same things. They are going to harden your network against intrusion. They are going to install new firewalls and security devices. You give them the go-ahead, and they start telling you how much safer you are now. 

Cybersecurity vendors promise security. What you get is a false sense of it.

But how do you know that? The attacks you know about are primarily phishing for personal information and passwords. You have to do vulnerability scans. You have to patch every Tuesday. But what if you can’t?  


You know from your maintenance rounds and logs that you have some devices that are no longer patchable, and you can’t replace them because they are running programs and software that are no longer supported, but you need them to run your plant. Replacing them when they are working fine is a decision above your pay grade because you have to shut down that part of the plant to do it. Your cybersecurity company can’t help you because they are focused on network security and threats from outside the network. 

Good luck building a manual OT asset inventory. 

You try to create an OT asset inventory, but the operations staff is too busy to help you in any meaningful way. So, as you do rounds, you write down device names, and model and manufacturer if you can read the tags.  


Then one day you spot something weird—a little box with lights sitting in the back of a control panel. You squeeze back there and see that it is a radio modem connected to the control panel, and its signal goes somewhere. You ask your instrumentation crew about it, and they tell you that it’s been there since the last rebuild. The control panel manufacturer left it so they can do troubleshooting remotely. You just stare at it as if it were a snake. Here’s a way into the plant that you and your cybersecurity company didn’t know about. 

Your spreadsheet won’t save you. It can’t even tell you what you’ve got. 

The plant manager asks you for a proposal to replace non-secure devices, so you try to put together an Excel spreadsheet with all your devices on it. You can’t tell which are non-secure from the data you’ve collected. Some of them have been patched. Some of them need firmware upgrades, but you don’t know which. Some devices don’t have software; they are hardwired, or they have only firmware. Some use antiquated data bus technology that is over fifty years old. More than a few of the devices in your plant are covered with dirt, dust, and paint. Others are sitting thirty feet up on catwalks. You need a hot work permit to even enter the area where some devices are.

You start waking up in the middle of the night. Your cybersecurity company keeps billing you, and nothing very bad has happened—that you know about. You keep feeling like the little Dutch boy out of the legend, who sticks his finger in the dike, saving the city. But the dike keeps springing new holes, and you only have ten fingers and ten toes.  

What are you going to do? 

Every OT security journey begins with an OT asset inventory.