By Walt Boyes
When we last saw our intrepid maintenance lead cybersecurity chief, he was waking up in the middle of the night from dreams of being the little Dutch boy with his fingers in the dike. Now, his manager has told him that because of the worsening economic situation, there is no longer any budget for his cybersecurity consultants. “You ought to know enough by now,” the manager said, “to be able to do it on your own anyway.”
Spreadsheets are inappropriate for building OT asset inventories
So what is there to do? Our hero realizes that if he’s going to do it himself, he needs to know what he has to protect and what he has to protect it with. Oh, and get his maintenance engineering projects done too. He decides to go back to first principles. He digs out the as-built drawings and the P&IDs. To build his OT asset inventory, he starts populating Microsoft Excel spreadsheets based on what he thinks he has. He starts sending around questionnaires to the instrumentation engineers and to the control systems engineers to try to get them to verify what is on the as-builts or tell him what has changed and how.
Here is where he runs into problems. The instrumentation engineers don’t have the time to check the as-builts against reality, or the P&IDs against what actually exists, so they give him as little as possible. Same with the control systems engineers. If he wanders around enough, he can see that Motor Control Center S1 is radically different from the as-builts, since it was rebuilt five years ago. He can try to update all the instruments that have been changed since the as-builts were “as built.” He can use a network sniffer program to see what is going on in his OT networks. But like the instrumentation and controls engineers, he has a real job, on which he is measured and rated—the maintenance supervisor role. When maintenance issues come up, and they come up frequently, our hero has to let something slide, so he lets his cybersecurity projects sit.
The wrong approach to OT asset inventories costs valuable engineering hours
So, he’s just not very happy with his OT cybersecurity efforts. He can’t reduce the attack surface until he can get a real handle on his OT assets. He can’t even tell what the attack surface is. He still uses the OT threat detection software the consultants sold him, but the threats keep happening. OT threat detection is reactive, not proactive, and there are always a large number of false positives.
He knows you can’t protect what you can’t see, which is why he started to chart his assets and his networks. But this is time-consuming, and it keeps dropping to secondary or tertiary importance when compared to maintenance projects that keep the plant running. Even starting with the as-builts and P&IDs isn’t really helpful because they are inaccurate and incomplete. Even if he has hardware specs, he isn’t sure what software or firmware is actually running on the field computing devices, PLCs, PCs, and network appliances. In some cases, the PLCs are so old that they don’t have storage, and they lose their programming when they shut off. In other cases, the software is so old that it has to be run on virtual machines. He can’t shut the plant down to do an assessment of his OT environment.
Our hero is in big trouble.
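The drift described above, between an as-built spreadsheet and what a passive listener actually sees on the wire, is the core reconciliation problem of OT asset inventory. The following added example (not from the original article, and not OTbase code) takes a constructed CSV export of an as-built list and a constructed set of passively observed devices, and reports what is confirmed, changed, missing, or unexpected; the tag names, addresses, vendors and firmware versions are all invented.

```python
import csv
import io

# Constructed as-built inventory, as it might be exported from a spreadsheet.
AS_BUILT_CSV = """tag,ip,vendor,firmware
PLC-S1-01,10.1.1.10,VendorA,2.1
PLC-S1-02,10.1.1.11,VendorA,2.1
HMI-S1-01,10.1.1.20,VendorB,5.0
"""

# Constructed records in the shape a passive network listener might emit
# (ip, vendor inferred from the MAC OUI, firmware read from protocol banners).
OBSERVED = [
    {"ip": "10.1.1.10", "vendor": "VendorA", "firmware": "2.3"},  # firmware upgraded
    {"ip": "10.1.1.12", "vendor": "VendorC", "firmware": "1.0"},  # not on the as-builts
    {"ip": "10.1.1.20", "vendor": "VendorB", "firmware": "5.0"},  # matches as-built
]


def load_as_built(text):
    """Index the as-built CSV by IP address so observations can be matched to it."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(as_built, observed):
    """Compare the as-built list with passive observations and classify each asset.

    'missing' only means the device was silent during the capture window; old PLCs
    that rarely talk will land here, so it is a prompt for a walk-down, not proof.
    """
    seen = {o["ip"]: o for o in observed}
    report = {"confirmed": [], "changed": [], "missing": [], "unexpected": []}
    for ip, row in as_built.items():
        obs = seen.get(ip)
        if obs is None:
            report["missing"].append(row["tag"])
        elif obs["vendor"] != row["vendor"] or obs["firmware"] != row["firmware"]:
            # Record the tag plus documented vs. observed firmware for follow-up.
            report["changed"].append((row["tag"], row["firmware"], obs["firmware"]))
        else:
            report["confirmed"].append(row["tag"])
    # Anything on the wire that the as-builts never documented is unexpected.
    report["unexpected"] = sorted(ip for ip in seen if ip not in as_built)
    return report


if __name__ == "__main__":
    for kind, items in reconcile(load_as_built(AS_BUILT_CSV), OBSERVED).items():
        print(f"{kind}: {items}")
```

Rerunning the reconciliation after each capture window, rather than re-sending questionnaires, turns the spreadsheet from a static guess into a list of specific discrepancies to verify.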
Struggling to develop a useful, comprehensive OT asset inventory? OTbase makes it easy for everyone. Visit langner.com.