Challenges of Using Anomaly Detection Tools for Asset Inventory

ICS cyber security programs start by determining their operational asset inventory: How many assets do we have, where are they located, and what do they look like?

But not all asset inventories are created equal. A one-time or infrequently updated list of hardware and its OS or firmware provides some context. A passive capture of anything communicating on the network provides a different, but limited view of the full picture.

What is asset inventory and management?

Gathering an accurate asset inventory is a big enough challenge that many well-intentioned ICS security practitioners attempt to use passive anomaly detection tools to gather some form of inventory. But using a cyber security monitoring tool to detect new operational systems brings on two challenges: coverage (collecting all assets in scope) and level of detail.

Anomaly detection tools don’t provide adequate coverage for IT OT asset inventory management

Passive anomaly detection tools require a certain level of infrastructure for the deployment of the sensors. This is challenging if you have a well-designed and segmented network and/or if you have long haul (SCADA) locations challenged with bandwidth.

Because passive tools require assets to communicate through a monitoring point, you need to pay for and deploy sensors on every piece of communications equipment in your network to connect to all assets. You also need to consider that serially-connected (or non-networked segments) will never appear in your asset inventory.

Passive anomaly detection tools do not provide comprehensive coverage to account for all OT assets in your network.

Anomaly detection tools lack asset details that are critical to security operations

To define, “what is asset inventory,” you must ask if it is enough to have a list of IP addresses and basic information (i.e., Cisco ASA vs Dell HMI)? Or is a richer set of data required for assets that don’t transmit (again, for passive tools, if the asset does not transmit specific data you wont ever get that data)?

Industrial asset details such as installed software, version, history, etc is valuable. Missing patches, security risks (compared to the National Vulnerability Database), users, groups, shares, services, ports, etc. are all key components of analyzing an asset and its relative risk to operations.

This deep and broad asset inventory acts as the foundation to true endpoint management and security. Having this kind of inventory at your fingertips significantly reduces cost and time.

Non-technical challenges in the cyber security industry

When Kaspersky’s State of Industrial Cyber Security 2019 report released, their top five list of non-technical challenges found in cyber security was striking:

1. OT cyber security governance
2. Staff training and security awareness
3. Business continuity plan
4. Third-party management
5. Incident response planning

The biggest hurdle to fixing these cyber security challenges is gathering specific asset context to make meaningful improvement and prioritize tasks. This is why the Verve Security Center adds risk context and criticality to an asset record. Is this asset critical to my operations or safety? Is it a legacy device? Who is the owner, where is it located, is it redundant?

The asset context questions manage realistic discussions about governance, business continuity, and incident response for OT leaders.

For example, imagine if a remote desktop vulnerability emerged and you had an agent-based security solution that could quickly aggregate asset data into a single report to shows which assets, by type, region, owner, criticality, or OS type (lab or field-based) were effected. With this asset insight, you could effectively and efficiently assess and prioritize remediation action..

IT OT asset inventory management is the foundation of a cyber security program

For industrial organizations looking to increase cyber security posture, asset inventory management is the right place to start. But the most effective asset inventory tools are the ones that work as a foundation to propel your overall cyber security journey.

This robust foundation for OT/ICS security requires real-time visibility into all hardware, software, users, accounts, patches, vulnerabilities, network device configurations, Windows settings, embedded device backplanes, status of various security elements such as application firewalls, whitelisting, antivirus, etc. that live in your network.

Identify, Protect, Detect, Respond and Recover from a single platform to feel in command of your operations when time and information is on your side. Leverage an automated asset inventory to increase the efficiency and cyber security maturity of your industrial environment by centralizing all endpoint asset data into one view.

Next, read how to Develop Effective Asset Inventory for a Robust Cyber Security Roadmap to find out what OT cyber security leaders can learn about asset inventory from the children’s book, “If You Give a Mouse a Cookie”.