5 Benefits of Asset Inventory Management for OT
Real-world experience indicates significant benefits to embracing endpoint management in OT environments.
Imagine acquiring a business without understanding its intricacies. You’d need to perform adequate due diligence to determine the true value of the organization and understand where there are risks.
What if we were to purchase a used car or assess appropriate maintenance for it? We’d look at its general condition, book value, potential future worth, and the state of consumables. We’d also determine if there are other items that would pose a risk to ourselves and others, such as heavily rusted structural elements or irresponsive steering.
Based on what we find, we choose to either abandon this asset (car) or remediate the risks (e.g., seeing the mechanic, scheduling a visit, and getting work done).
In critical infrastructure, asset risk prioritization is a component of enterprise asset management with the goal of ranking OT assets by two dimensions: 1) the criticality of that asset to an organization’s operations, and 2) the potential cyber security risk exposure of the asset. Prioritizing industrial assets based on risk is important for determining decisions on improvements, maintenance, related projects and investments.
It is critical to assess these two components of prioritization independently in OT. Some assets may have a high exposure score but simply are not that critical to the process, while others with a lower exposure score should still be prioritized because of their criticality to the process. This is particularly important in OT because of the challenges that come with vulnerability management and remediation.
Although this seems logical, putting it into practice has many challenges:
Determining the priority of asset management based on related risks is an involved process. Assuming you have obtained enough quality asset information and have a reasonable understanding of your organization’s industrial control systems in general, technology can be used to relieve some of those burdens; especially for organizations just beginning their cyber security journey.
The above process is very challenging to do manually. Technology is a key requirement in achieving robust OT asset risk prioritization. While no single silver-bullet solution determines your cyber risks absolutely, it is important to a) automate the asset information/inventory process in a way that provides the richest set of asset information available, b) integrate your organization’s expert information and defined process, and c) enable calculated blended risk scores of criticality and exposure that incorporate multiple sources of data (e.g., results from NERC CIP audits, Cyber PHAZOPs, and other third-party assessments) so the findings and concerns are considered within the platform.
It isn’t a replacement for an organization properly assessing relevant threats, but on the contrary, it allows an organization to move from awareness of risks or threats to a more relevant risk prioritization model that is repeatable and always evolving.
3 pieces of advice for a technology-enabled risk management approach
Here at Verve, we have worked for the past dozen years to ensure industrial customers gain visibility into the prioritization of the risks to their assets. Our experience has taught us several things:
Perhaps the biggest challenge organizations have is the lack of deep visibility into the endpoints on the network. We refer to this as 360-degree visibility. Organizations often rely on manual inventory, which is frequently only a sample or outdated. Others rely on passive solutions that infer information from what is traversing the network.
Neither of these provides the level of detail required to capture a true 360-degree risk assessment of the asset. This would include items such as full software inventory (including software not running or communicating over the wire), full patch status, all accounts and users, configuration information, antivirus signature updates, backup status, etc.
In theory, passive is a low-risk way to get an initial understanding of an industrial environment, but it has limitations on what it can see and interpret.
Over the years, we have seen clients attempt to manually keep track of asset criticality and asset exposure. In some cases, they used spreadsheets or traditional asset management tools to track criticality scores. In others, they used IT-oriented scanning tools to try to capture vulnerability information from those devices which can be safely scanned.
In all these cases, the complexity and lack of visibility led to outdated or incomplete data. The technology must gather comprehensive views of all assets and exposures, even those which cannot be scanned.
Further, it must calculate scores in real-time based on both information gathered directly from the asset (e.g., has it just been patched or has antivirus just been updated), as well as the “tribal” knowledge from OT resources as to the asset’s criticality.
Effective OT asset risk prioritization software will include both of these. Most importantly, the development team needs to understand OT and the critical requirements of an OT environment. Not every risk is equal: understanding the relevance of a particular CVSS score to OT is critical in calculating the ultimate risk prioritization.
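To make the two-dimension model above concrete, here is an added illustration (not Verve’s scoring mechanism; the weights, the compensating-control names and the three sample assets are all assumptions) of scoring exposure and criticality independently and then blending them to rank assets:

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    criticality: int            # 1-5, from OT "tribal" knowledge of process impact
    cvss_scores: list[float]    # CVSS base scores of unpatched CVEs on the asset
    days_since_patch: int
    days_since_av_update: int
    compensating_controls: list[str] = field(default_factory=list)

def exposure_score(a: Asset) -> float:
    """Exposure 0-10 from facts gathered on the asset, adjusted for OT context."""
    # Worst unpatched CVE sets the baseline; compensating controls reduce it.
    base = max(a.cvss_scores, default=0.0)
    if "network_isolated" in a.compensating_controls:
        base *= 0.5          # assumed weight: remote exploitability matters less when segmented
    if "application_whitelisting" in a.compensating_controls:
        base *= 0.8          # assumed weight
    hygiene = 0.0            # stale patching and AV signatures add to exposure
    if a.days_since_patch > 180:
        hygiene += 1.0
    if a.days_since_av_update > 30:
        hygiene += 1.0
    return round(min(10.0, base + hygiene), 2)

def blended_risk(a: Asset) -> float:
    """Criticality (1-5) and exposure (0-10) stay separate inputs, blended only here."""
    return round(a.criticality / 5 * exposure_score(a), 2)

def rank(assets: list[Asset]) -> list[Asset]:
    return sorted(assets, key=blended_risk, reverse=True)

# Constructed sample assets (hypothetical, not from any real site).
SAMPLE_ASSETS = [
    Asset("historian-server", 2, [9.8], 400, 60),
    Asset("safety-eng-workstation", 5, [7.5], 30, 5),
    Asset("cell-hmi", 4, [9.8, 5.3], 200, 10, ["network_isolated"]),
]

def ranked_names(assets: list[Asset] = SAMPLE_ASSETS) -> list[str]:
    return [a.name for a in rank(assets)]

if __name__ == "__main__":
    for a in rank(SAMPLE_ASSETS):
        print(f"{a.name:24} exposure={exposure_score(a):5.2f} blended={blended_risk(a):5.2f}")
```

The historian has the highest raw exposure but lands last because of its low criticality, which is the point of keeping the two dimensions separate.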
ICS security is a continuous program. Assessments don’t eliminate risks, but they identify threats, risks, compliance variance, and remediation activities, provided they do not add fatigue and burdens with little value. Therefore, ongoing detailed assessments that present multiple sources of data in a single, tech-enabled view quickly identify issues and move us toward solving them. But assessment is only the first step. The technology you choose should also enable automation of the remediation steps, streamlining security and not just prioritization. Too many clients try to execute remediation across separate silos. By bringing remediation and assessment into the same toolkit, you accelerate time to remediation and ensure ongoing measurement and reporting of progress.
Verve has worked with clients for over a decade to address risk prioritization challenges. To address these common challenges with asset inventory management and prioritization, Verve created a scoring mechanism (integrated into the Verve Security Center) to help asset owners enhance insight into assets.
They can either use additional criteria to filter by detailed type, applications, nature, criticality (based on data entered) – or – look at exposure factors (which may include compensating controls) to drill-down on host vulnerabilities.
The above image is a screenshot from the Verve Asset Manager (VAM), which acts as the control center when managing inventoried assets. It reports many details and calculations to sort the hundreds or thousands of assets you may be responsible for by filtering on the detailed asset type, criticality and exposure.
Verve’s asset inventory management tool reports on asset details for global visibility across all sites. Within the reporting console, all vulnerabilities are aggregated and ranked to effectively govern and manage the critical risks.
Verve also includes direct remediation of threats from the console. Therefore, as you prioritize asset risks, you can quickly pivot to remediation to remove the most critical risks or to identify compensating controls to put in place.
OT asset risk prioritization is one of the most critical elements of OT security and systems management. Because resources are limited and many remediation actions such as patching cannot be accomplished quickly or easily, OT security leaders need a robust prioritization framework to help achieve security effectively.
An OT asset risk prioritization platform that includes a 360-degree asset view, robust exposure and criticality scoring, as well as the ability to remediate significantly improves efficiency and maturity of OT security.
After all, the value of an integrated OT cyber security platform lies in combining detailed asset information to deliver filterable results (prioritization, attributes, vulnerabilities, or risk exposures) at a glance. It allows an organization to take action at the site level while maintaining global visibility across all sites to drive prioritized and informed decisions.