Three trends that will shape OT/ICS asset management in 2020

Oct 31, 2019


A lot has been going on since we have introduced the OT-BASE Asset Management Platform, and 2019 was the year with the steepest learning curve. In this blog article we discuss which market trends we see for 2020, and how they shape our product strategy and roadmap for the OT-BASE Asset Management Platform.

Trend #1: “Passive Sniffing” becomes irrelevant for OT asset management

The reservations against active probing crumble as the drawbacks of a passive approach and the benefits of active have become clearly visible. Passive yields way too little data for arriving at a comprehensive picture of OT installations. Think about network topology, installed software applications / security patches / firmware and so on. All this information can be provided easily by an active solution.

Then there’s the cost factor of purchasing, installing, and maintaining the hardware required for passive solutions, which becomes a killer for large enterprises with hundreds or thousands of networks. Compare that to a software-only solution with centralized management, easy remote updates, and zero license cost per discovery node.

What is active probing, and how does it compare to passive sniffing? Watch this short educational video

The cost/benefit relation is so unequivocably favorable for active probing that it’s safe to say: You will either introduce an active OT asset management solution, or you won’t introduce one at all. (If you are still worried about unwanted side effects from active probing, do a fact check in your test environment using free evaluation software.)

Besides the technicalities of asset discovery, there’s a deeper conceptual difference between asset management and “ICS detection”. The detection camp implicitly or explicitly assumes a strong customer aversion against manual data entry. While this is true for asset configuration data, it ignores the fact that engineers still need — and want — to document stuff. Think about adding files to asset items, such as manuals or project backup files. Think about change management. Think about determining staff responsibilities for certain equipment, and all the other vital metadata you see in a real-world engineering and maintenance environment.

Long story short, the better an asset management solution fits into engineering and maintenance workflows, the more value it provides for an organization. And that value is tied to metadata that doesn’t come straight from network traffic or asset data, but is assigned to asset entries by bulk import, automatic update via API, or manual entry.

All this doesn’t mean that there would be no place left for “passive scanning”; it just ain’t asset management. Passive scanning has its merits for network anomaly / intrusion detection, a separate use case that can and should be integrated with asset management products. In an asset management solution, you would want to see any network events associated with your devices. In a SIEM environment, you will strongly benefit from the context that an asset management system can provide. With ubiqutous state of the art technology such as REST APIs, this type of integration can be accomplished in weeks rather than years.

See also: Dale Peterson on the future of ICS security products

Will ICS detection products simply broaden their scope to also include asset management on top of network anomaly detection?  That’s up to the market to decide. It’s the question whether customers prefer a one-does-all solution over different best-of-breed products talking to each other. Compared to IT, it would mean that companies wouldn’t use SolarWinds, Splunk, and ServiceNow (substitute with Qualys, QRadar, Maximo…), but one fat solution that does it all. Well, it didn’t happen in IT, which might lower the odds that the concept could fly in OT.

Trend #2: OT security turns into a data science
Not long ago, OT security was characterized by vague and often subjective risk assessments. (Why subjective? Because every time assessment results were presented to upper management, they disagreed on risk levels, right?) These assessments were usually based on random walkdown inspections, coupled with hypotheses of what the full picture might look like, and spiced up with worst-case assumptions about attacker intentions and capabilities.

Now fast-forward to today where you can see, and process, OT configuration details down to the most minute detail.

The important part here is the data processing. Imagine that for tens of thousands of OT devices, you can list those with outdated or soon-to-be-outdated operating systems right away. You can analyze the dispersion of firmware versions for switches, PLCs etc. You can also analyze behavioral data such as patch consistency. You can see exactly where a specific critical patch is missing. You get exact data on patch and AV update latency. Systems with no malware protection. Etc. pp.  

Also read: An information security metrics primer by Daniel Miessler

All of this is not science fiction, it can be done today. It means that OT security conclusions will less be derived from fuzzy assessments but more from hard facts. Ever heard about the desire for metrics? An asset management system can give you more metrics than you had asked for. You can even invent and calculate your own metrics because OT-BASE allows you to process raw configuration data in a standardized JSON format.

Portable Inventory Data means the capability to access raw configuration data in the JSON format, either as a flat file or via REST API
And it gets better. Remember what the most time-consuming, and thus expensive part of a risk assessment was? Determining the status quo. With OT asset management, this is already taken care of. Your next risk assessment can proceed directly to data analysis and interpretation without having to spend weeks or months on data collection.

Since no walk-down inspection is needed, those consultants don’t neven need to come on site. With access to your asset data, they can produce a report without ever having enjoyed the amenities of your conference room. This also means that travel cost is no longer a factor for consulting projects, and that all of a sudden you have the liberty to contract the best or cheapest consultant rather than the one within convenient travel distance.

If you are a consultant, the outlook isn’t too shabby either, because with the benefits of off-site data analytics, you can expand your customer base globally. Show clients that you are the best in your niche without wasting the bulk of project time on airports.

Trend #3: The driver for OT asset management shifts from OT security to engineering efficiency
You may have heard it many times: You can’t protect what you don’t know. You can’t even determine risk for what you don’t know. Hence, all systematic OT security efforts start with an asset inventory. But as the introduction of an OT asset management system progresses, users start to see value in different areas.

Also read: Bound to fail: Why cyber security risk cannot be “managed” away by Ralph Langner and Perry Pederson

Surprise! The big tangible wins for OT asset management are in engineering and maintenance efficiency. Control engineers benefit from:

  • detailed and up-to-date configuration data (firmware versions, network connectivity, data flow, installed software, …)
  • capability to compare de-facto configuration to what is planned
  • standardization of preferred configurations because now you can see what you have and compare it against policy-defined baselines.

Catering to engineering use cases is not bad news for OT security. Actually, it’s quite the opposite. If you have been around for a while in OT, you know that the business case for security is hard to make, because hypothetical cyber attacks don’t affect a company’s bottom line. And hypothetical attacks is what we are talking about — luckily.

The smart strategy is to introduce cyber security controls that actually provide tangible value for affected users on the plant floor, rather than making their lives harder (a sure recipe for failure). For this new approach that focuses on operational and tangible benefits rather than trying to force security controls on to plant floor personnell, we have coined the term Lean OT Security.

Lean OT Security is based on the insight that OT security will only succeed if it adds value to engineering use cases. Learn about the concept in this video.
This trend might well become the major driver for increased OT security, even if hidden behind efficiency gains. But who would have a problem with that.
Conlusion
OT asset management and ICS security products are undergoing rapid change, rooted in better understanding of what technology can do and what actually provides value for various use cases and stakeholders.

  • The debate whether active or passive detection is better for developing an ICS asset inventory is decided and the trophy goes to active, while passive will protect its niche for intrusion detection.
  • Asset management will boost OT protection efforts as it turns OT security into a data science with an abundance of metrics. Guesswork will be replaced with data.
  • Even where introduced for OT security, the biggest wins for OT asset management will be in the area of engineering efficiency. Security will not suffer, but benefit from this.

Learn more about our OT-BASE Asset Management Platform here:

Product landing page >

Download the evaluation software >

Product videos on Youtube >


Three trends that will shape OT/ICS asset management in 2020

Oct 31, 2019


A lot has been going on since we have introduced the OT-BASE Asset Management Platform, and 2019 was the year with the steepest learning curve. In this blog article we discuss which market trends we see for 2020, and how they shape our product strategy and roadmap for the OT-BASE Asset Management Platform.

Trend #1: “Passive Sniffing” becomes irrelevant for OT asset management

The reservations against active probing crumble as the drawbacks of a passive approach and the benefits of active have become clearly visible. Passive yields way too little data for arriving at a comprehensive picture of OT installations. Think about network topology, installed software applications / security patches / firmware and so on. All this information can be provided easily by an active solution.

Then there’s the cost factor of purchasing, installing, and maintaining the hardware required for passive solutions, which becomes a killer for large enterprises with hundreds or thousands of networks. Compare that to a software-only solution with centralized management, easy remote updates, and zero license cost per discovery node.

What is active probing, and how does it compare to passive sniffing? Watch this short educational video

The cost/benefit relation is so unequivocably favorable for active probing that it’s safe to say: You will either introduce an active OT asset management solution, or you won’t introduce one at all. (If you are still worried about unwanted side effects from active probing, do a fact check in your test environment using free evaluation software.)

Besides the technicalities of asset discovery, there’s a deeper conceptual difference between asset management and “ICS detection”. The detection camp implicitly or explicitly assumes a strong customer aversion against manual data entry. While this is true for asset configuration data, it ignores the fact that engineers still need — and want — to document stuff. Think about adding files to asset items, such as manuals or project backup files. Think about change management. Think about determining staff responsibilities for certain equipment, and all the other vital metadata you see in a real-world engineering and maintenance environment.

Long story short, the better an asset management solution fits into engineering and maintenance workflows, the more value it provides for an organization. And that value is tied to metadata that doesn’t come straight from network traffic or asset data, but is assigned to asset entries by bulk import, automatic update via API, or manual entry.

All this doesn’t mean that there would be no place left for “passive scanning”; it just ain’t asset management. Passive scanning has its merits for network anomaly / intrusion detection, a separate use case that can and should be integrated with asset management products. In an asset management solution, you would want to see any network events associated with your devices. In a SIEM environment, you will strongly benefit from the context that an asset management system can provide. With ubiqutous state of the art technology such as REST APIs, this type of integration can be accomplished in weeks rather than years.

See also: Dale Peterson on the future of ICS security products

Will ICS detection products simply broaden their scope to also include asset management on top of network anomaly detection?  That’s up to the market to decide. It’s the question whether customers prefer a one-does-all solution over different best-of-breed products talking to each other. Compared to IT, it would mean that companies wouldn’t use SolarWinds, Splunk, and ServiceNow (substitute with Qualys, QRadar, Maximo…), but one fat solution that does it all. Well, it didn’t happen in IT, which might lower the odds that the concept could fly in OT.

Trend #2: OT security turns into a data science
Not long ago, OT security was characterized by vague and often subjective risk assessments. (Why subjective? Because every time assessment results were presented to upper management, they disagreed on risk levels, right?) These assessments were usually based on random walkdown inspections, coupled with hypotheses of what the full picture might look like, and spiced up with worst-case assumptions about attacker intentions and capabilities.

Now fast-forward to today where you can see, and process, OT configuration details down to the most minute detail.

The important part here is the data processing. Imagine that for tens of thousands of OT devices, you can list those with outdated or soon-to-be-outdated operating systems right away. You can analyze the dispersion of firmware versions for switches, PLCs etc. You can also analyze behavioral data such as patch consistency. You can see exactly where a specific critical patch is missing. You get exact data on patch and AV update latency. Systems with no malware protection. Etc. pp.  

Also read: An information security metrics primer by Daniel Miessler

All of this is not science fiction, it can be done today. It means that OT security conclusions will less be derived from fuzzy assessments but more from hard facts. Ever heard about the desire for metrics? An asset management system can give you more metrics than you had asked for. You can even invent and calculate your own metrics because OT-BASE allows you to process raw configuration data in a standardized JSON format.

Portable Inventory Data means the capability to access raw configuration data in the JSON format, either as a flat file or via REST API
And it gets better. Remember what the most time-consuming, and thus expensive part of a risk assessment was? Determining the status quo. With OT asset management, this is already taken care of. Your next risk assessment can proceed directly to data analysis and interpretation without having to spend weeks or months on data collection.

Since no walk-down inspection is needed, those consultants don’t neven need to come on site. With access to your asset data, they can produce a report without ever having enjoyed the amenities of your conference room. This also means that travel cost is no longer a factor for consulting projects, and that all of a sudden you have the liberty to contract the best or cheapest consultant rather than the one within convenient travel distance.

If you are a consultant, the outlook isn’t too shabby either, because with the benefits of off-site data analytics, you can expand your customer base globally. Show clients that you are the best in your niche without wasting the bulk of project time on airports.

Trend #3: The driver for OT asset management shifts from OT security to engineering efficiency
You may have heard it many times: You can’t protect what you don’t know. You can’t even determine risk for what you don’t know. Hence, all systematic OT security efforts start with an asset inventory. But as the introduction of an OT asset management system progresses, users start to see value in different areas.

Also read: Bound to fail: Why cyber security risk cannot be “managed” away by Ralph Langner and Perry Pederson

Surprise! The big tangible wins for OT asset management are in engineering and maintenance efficiency. Control engineers benefit from:

  • detailed and up-to-date configuration data (firmware versions, network connectivity, data flow, installed software, …)
  • capability to compare de-facto configuration to what is planned
  • standardization of preferred configurations because now you can see what you have and compare it against policy-defined baselines.

Catering to engineering use cases is not bad news for OT security. Actually, it’s quite the opposite. If you have been around for a while in OT, you know that the business case for security is hard to make, because hypothetical cyber attacks don’t affect a company’s bottom line. And hypothetical attacks is what we are talking about — luckily.

The smart strategy is to introduce cyber security controls that actually provide tangible value for affected users on the plant floor, rather than making their lives harder (a sure recipe for failure). For this new approach that focuses on operational and tangible benefits rather than trying to force security controls on to plant floor personnell, we have coined the term Lean OT Security.

Lean OT Security is based on the insight that OT security will only succeed if it adds value to engineering use cases. Learn about the concept in this video.
This trend might well become the major driver for increased OT security, even if hidden behind efficiency gains. But who would have a problem with that.
Conlusion
OT asset management and ICS security products are undergoing rapid change, rooted in better understanding of what technology can do and what actually provides value for various use cases and stakeholders.

  • The debate whether active or passive detection is better for developing an ICS asset inventory is decided and the trophy goes to active, while passive will protect its niche for intrusion detection.
  • Asset management will boost OT protection efforts as it turns OT security into a data science with an abundance of metrics. Guesswork will be replaced with data.
  • Even where introduced for OT security, the biggest wins for OT asset management will be in the area of engineering efficiency. Security will not suffer, but benefit from this.

Learn more about our OT-BASE Asset Management Platform here:

Product landing page >

Download the evaluation software >

Product videos on Youtube >