What is OT/ICS Asset Inventory and Why is it the Foundation of a Cyber Security Program?

Many industrial organizations seek an accurate asset inventory within their OT/ICS environments. All operators ask for hardware and operating system/firmware versions, some will ask for a full software inventory or connectivity or ports and services, and still others ask for more comprehensive details on those OT assets, such as users, patches, known vulnerabilities, etc. And some add further context with location (cabinet or rack), criticality info or even a photograph of the specific asset.

What Should an OT/ICS Asset Inventory Include? 

The answer depends on the objective. In most cases, industrial organizations pursue an accurate asset inventory as an element of their OT/ICS security program. The common phrase used is “you can’t protect what you can’t see.”  But this phrase and many inventory efforts miss the fact that OT/ICS asset inventory should act as the base foundation upon which the whole cyber security program should rest.

A robust asset inventory is revisited across all stages of your cyber security journey. If you build it correctly, you’ll always have the data you need to support any security initiative.

What is an OT/ICS Asset Inventory?

OT/ICS asset inventory is the accurate and timely aggregation of hardware and software data operating in industrial control system environments. A robust OT/ICS asset inventory includes the following types of information at a minimum:

• List of all hardware systems in the environment – both on and off the network – including IP, serial and other devices. This should include make/model as well as key statistics such as memory, storage, etc.
• Comprehensive software inventory including operating system, firmware, application software, etc.
• List of all users and accounts on each asset, including those that are dormant, shared, local, admin, etc.
• Patch status of OS and application software
• Known vulnerabilities and their CVSS scores, attack vectors, and potential remediation
• Configuration settings to determine whether the device is securely configured for ports, services, passwords, etc.
• Network connections and possible paths, as well as network protections in place
• Antivirus and other protection software status such as whether they’ve been updated
• Backup status
• Location information such as rack, cabinet, building, etc. to enable rapid physical discovery of assets
• Criticality information to judge the importance of the asset to the process

The list of asset inventory elements is much more information than many might believe is necessary or possible. However, this type of asset inventory pays off as the organization expands its cyber security efforts.  This type of asset inventory becomes the foundation for a robust OT/ICS cyber security program.

In contrast to an asset inventory that provides a one-time or infrequent list of hardware, a robust foundation for OT/ICS security requires a real-time visibility to all of the hardware, software and firmware in your network, all of the users, accounts, patches, vulnerabilities, network device configurations, Windows settings, embedded device backplanes, status of various security elements such as application firewalls, whitelisting, antivirus, etc.

This deep and broad asset inventory lays the groundwork for true endpoint management and security. Having this kind of inventory at your fingertips significantly reduces costs and time.

Why is an Asset Inventory the Foundation of OT/ICS Security?

Effective cyber security in either IT or OT requires a deep foundation of asset information. In IT, security practitioners are used to having robust asset information because of the many tools available to gather such information. They use this data as a foundation of security. For instance:

• Patch management is impossible without a comprehensive software inventory. The inventory forms the basis on which patches are identified.
• Secure configurations are essential to security, but maintenance of secure configuration requires accurate, deep and timely asset inventory information.
• Ensuring robust recovery processes requires visibility into the backup status of each device to ensure it is recent and accurate.

These are just three small examples of how asset inventory becomes the foundation for a cyber security program.

In OT/ICS, however, users typically don’t have the tools to gather and maintain such an inventory. As a result, OT/ICS cyber security programs have historically relied on perimeter defenses and possibly passive detection of anomalous events.

Without comprehensive asset inventory management, organizations operate on quicksand: They don’t know the true security status of their environment and are unable to conduct effective security management at scale.

In many cases, industrial organizations build a basic asset inventory only to find that the information necessary for security tasks, such as robust patch management, user access control, or configuration hardening is unavailable in what they gathered.

This robust asset inventory becomes the foundation to build the rest of the program.

The situation reminds me of the children’s book, “If You Give a Mouse a Cookie”.  If you’re not familiar, it is a fanciful tale of a boy and his pet mouse. The boy gives his mouse a cookie, which leads to the mouse wanting a glass of milk.  The mouse wants to make sure the milk didn’t give him a mustache, so he asks to look in the mirror, which turns into a need for a trim. There is a series of things the mouse wants next until he is reminded again of milk, and then asks for another cookie. A cyber security program is very much like giving a mouse a cookie.

For example, if you start with a basic asset inventory to understand what you have,  your next step is to gather vulnerability data about that inventory. The vulnerability information tells you to patch, which is not always possible in OT environments, so you’ll ask to see a report on compensating controls for those unpatched assets.

But those compensating controls are always backstopped by the OT safety net – a full backup or restoration point. Now you realize the asset inventory view needs to include plans for restoration and recovery, bringing you back full circle to where you started. And all the while, the world and the cyber risks within it continue to evolve. This means the introduction of new vulnerabilities.

When a new vulnerability is discovered, you rely on your asset inventory to determine how many ICS assets are in scope for this risk, how many can be safely patched, and how many vulnerabilities can apply compensating controls. If there are too many non-patchable assets, you’ll soon be asked if upgrading the assets is possible. The answer is yes, but how do you decide which assets to upgrade?

Is an asset upgrade operationally supported (i.e. does the OEM have an upgrade path)? How big of a problem is it if there is no OEM upgrade? While these data points come from OT asset inventory management, understanding how many assets are in scope (or are required) for an upgrade or patch deployment depends on many other contextual data points like system criticality, vintage, risk, etc.

The analogy of the mouse and the cookie highlights that each step of security builds on the last. Instead of the oft-repeated line “you can’t secure what you can’t see,” we would offer a quote from our favorite cyber security guru, Yogi Berra, “if you don’t know where you’re going, you’ll end up someplace else”.

If you don’t plan for a comprehensive security program when doing your asset inventory, it will not be there when you need it. The robust asset inventory gives you the map on which to build your journey.

What are the Benefits of OT/ICS Asset Inventory?

So, when you begin your search for an ICS/OT asset inventory solution, it’s important to ask yourself where are you going, what is the objective, what are the components of a robust OT/ICS cyber security program….and then, what information do I need in my asset inventory to support that program?

Thinking back to the mouse and his cookie, asset inventory is an immensely valuable data source (if developed correctly) that comes full circle in setting up the dozens of cyber security best practices, insights, decision making and planning tasks you are expected to make for a long-term, successful cyber security program.

Choose wisely when considering your asset inventory needs and take the end goal into consideration. Once your boss (the mouse) asks for asset inventory (the cookie), they’re going to ask for the next thing. So think about the holistic cyber security program and plan for patching, configuration hardening, compensating, controls, etc. because buying a one-off tool may not fit into your comprehensive program later on. There are many benefits of a robust OT asset inventory including improved accuracy and quicker detection of threats.

An automated and robust asset inventory increases the efficiency and cyber security maturity of your industrial environment by centralizing all endpoint asset data into one view to Identify, Protect, Detect, Respond and Recover from a single platform. Feel confident and in command of your operations when time and information are on your side.