Trend #1: „Passive Sniffing“ becomes irrelevant for OT asset management
Then there’s the cost factor of purchasing, installing, and maintaining the hardware required for passive solutions, which becomes a killer for large enterprises with hundreds or thousands of networks. Compare that to a software-only solution with centralized management, easy remote updates, and zero license cost per discovery node.
What is active probing, and how does it compare to passive sniffing? Watch this short educational video
Besides the technicalities of asset discovery, there’s a deeper conceptual difference between asset management and „ICS detection“. The detection camp implicitly or explicitly assumes a strong customer aversion against manual data entry. While this is true for asset configuration data, it ignores the fact that engineers still need — and want — to document stuff. Think about adding files to asset items, such as manuals or project backup files. Think about change management. Think about determining staff responsibilities for certain equipment, and all the other vital metadata you see in a real-world engineering and maintenance environment.
Long story short, the better an asset management solution fits into engineering and maintenance workflows, the more value it provides for an organization. And that value is tied to metadata that doesn’t come straight from network traffic or asset data, but is assigned to asset entries by bulk import, automatic update via API, or manual entry.
All this doesn’t mean that there would be no place left for „passive scanning“; it just ain’t asset management. Passive scanning has its merits for network anomaly / intrusion detection, a separate use case that can and should be integrated with asset management products. In an asset management solution, you would want to see any network events associated with your devices. In a SIEM environment, you will strongly benefit from the context that an asset management system can provide. With ubiqutous state of the art technology such as REST APIs, this type of integration can be accomplished in weeks rather than years.
See also: Dale Peterson on the future of ICS security products
Will ICS detection products simply broaden their scope to also include asset management on top of network anomaly detection? That’s up to the market to decide. It’s the question whether customers prefer a one-does-all solution over different best-of-breed products talking to each other. Compared to IT, it would mean that companies wouldn’t use SolarWinds, Splunk, and ServiceNow (substitute with Qualys, QRadar, Maximo…), but one fat solution that does it all. Well, it didn’t happen in IT, which might lower the odds that the concept could fly in OT.
Now fast-forward to today where you can see, and process, OT configuration details down to the most minute detail.
The important part here is the data processing. Imagine that for tens of thousands of OT devices, you can list those with outdated or soon-to-be-outdated operating systems right away. You can analyze the dispersion of firmware versions for switches, PLCs etc. You can also analyze behavioral data such as patch consistency. You can see exactly where a specific critical patch is missing. You get exact data on patch and AV update latency. Systems with no malware protection. Etc. pp.
Also read: An information security metrics primer by Daniel Miessler
All of this is not science fiction, it can be done today. It means that OT security conclusions will less be derived from fuzzy assessments but more from hard facts. Ever heard about the desire for metrics? An asset management system can give you more metrics than you had asked for. You can even invent and calculate your own metrics because OT-BASE allows you to process raw configuration data in a standardized JSON format.
Since no walk-down inspection is needed, those consultants don’t neven need to come on site. With access to your asset data, they can produce a report without ever having enjoyed the amenities of your conference room. This also means that travel cost is no longer a factor for consulting projects, and that all of a sudden you have the liberty to contract the best or cheapest consultant rather than the one within convenient travel distance.
If you are a consultant, the outlook isn’t too shabby either, because with the benefits of off-site data analytics, you can expand your customer base globally. Show clients that you are the best in your niche without wasting the bulk of project time on airports.
Also read: Bound to fail: Why cyber security risk cannot be „managed“ away by Ralph Langner and Perry Pederson
Surprise! The big tangible wins for OT asset management are in engineering and maintenance efficiency. Control engineers benefit from:
- detailed and up-to-date configuration data (firmware versions, network connectivity, data flow, installed software, …)
- capability to compare de-facto configuration to what is planned
- standardization of preferred configurations because now you can see what you have and compare it against policy-defined baselines.
Catering to engineering use cases is not bad news for OT security. Actually, it’s quite the opposite. If you have been around for a while in OT, you know that the business case for security is hard to make, because hypothetical cyber attacks don’t affect a company’s bottom line. And hypothetical attacks is what we are talking about — luckily.
The smart strategy is to introduce cyber security controls that actually provide tangible value for affected users on the plant floor, rather than making their lives harder (a sure recipe for failure). For this new approach that focuses on operational and tangible benefits rather than trying to force security controls on to plant floor personnell, we have coined the term Lean OT Security.
- The debate whether active or passive detection is better for developing an ICS asset inventory is decided and the trophy goes to active, while passive will protect its niche for intrusion detection.
- Asset management will boost OT protection efforts as it turns OT security into a data science with an abundance of metrics. Guesswork will be replaced with data.
- Even where introduced for OT security, the biggest wins for OT asset management will be in the area of engineering efficiency. Security will not suffer, but benefit from this.
Learn more about our OT-BASE Asset Management Platform here: