Step one in improving your OT security: "Know what you have"

The need for OT security keeps growing as production processes are digitized and automated. You can’t secure what you don’t know you have, so having an accurate and up-to-date asset inventory is crucial.

What

But what do we mean by ‘asset inventory’? The form doesn’t really matter, but at the very least the inventory should contain:
  • all electronic hardware in your factory that is connected to your network in one way or another
  • ideally also a list of all software used in your factory and in factory-supporting processes, which is considered a large plus

As for the form: you can surely start with a spreadsheet or some database, or use a dedicated tool for this.

Why

If you do not have an asset inventory, or it is managed poorly or not kept up to date, you run the risk of not knowing what is connected to your industrial network. As a result, you might forget an old device locked away somewhere in a cabinet, or you might not know you are running legacy hardware or software that has not been supported for years… If automated, this process could also help detect and identify unknown or unauthorized devices on your network.

In practice, upgrading your hardware or software to the newest versions isn’t always a security improvement in itself; knowing you have them is. Knowing you have an older system running allows you to pay more attention to it: you could segment it away from the rest of the network, so that if something were to happen to it, the impact is reduced. An accurate asset inventory can also improve maintenance and response times in case of an incident, overall resulting in less production downtime.

Possible caveats

One of the issues we’ve seen happen is that new tools, or new versions of existing tools such as a centralized asset inventory, often don’t get adopted well without proper training. It is of the utmost importance to properly inform and train your employees/colleagues on these new tools, as they might otherwise not be used.

Creating an asset inventory is not a one-shot exercise! The initial creation of a centralized asset inventory is a very labor-intensive process and is often mistaken for a one-off endeavor. However, this is not the case. The initial creation of an asset inventory should be seen as the starting point of a new process, while maintaining it becomes part of other existing processes.

In practice

There are multiple ways of creating and maintaining an asset inventory:

  • manual
  • automatic

Manual

Manually creating an asset inventory can be done through network scanning. By scanning the network you learn which devices are connected to it; you can then probe these devices for extra information to add to your inventory. This, however, can be a very tedious process: it requires lots of manual work and validation. On the other hand, this way you get higher data quality, as strange results can be filtered out manually and in-depth knowledge of the production process further characterizes each device.

Another downside of doing this manually is the possibility of impacting the functioning of your production environment. An extremely careful approach and good knowledge of the systems present in your environment are essential to avoid downtime.

Automatic

There are tools that can assist you in the creation of an asset inventory. In many cases, these passively and continuously monitor your network for activity and build an inventory from the acquired data. To enrich that data, they may also actively probe the discovered systems for more information using the vendors’ own communication protocols. This allows anomalies, such as unauthorized devices, to be detected immediately, and yields high data quality with minimal risk of impact on production.
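To illustrate how a passive tool turns observed traffic into an inventory and flags unauthorized devices, here is a small example added to this post (it is not code from the original article or from any vendor’s product). It works on constructed traffic observations and a hypothetical approved baseline, builds an inventory keyed by MAC address, and goes one step further than the text by also reporting baseline devices that have gone silent.

```python
from dataclasses import dataclass, field

# Constructed sample of passively observed traffic (not a real capture):
# (timestamp, src_mac, src_ip, dst_ip, dst_port). Ports 502 (Modbus/TCP)
# and 102 (S7comm over ISO-TSAP) are well-known industrial protocol ports.
OBSERVATIONS = [
    ("2024-05-01T08:00:00", "00:80:f4:01:02:03", "10.10.1.10", "10.10.1.50", 502),
    ("2024-05-01T08:00:05", "00:1c:06:aa:bb:cc", "10.10.1.50", "10.10.1.10", 44912),
    ("2024-05-01T08:01:00", "00:80:f4:01:02:03", "10.10.1.10", "10.10.1.51", 102),
    ("2024-05-01T09:30:00", "3c:52:82:de:ad:01", "10.10.1.99", "10.10.1.50", 502),
]

# Hypothetical approved baseline maintained by the plant team: MAC -> description.
BASELINE = {
    "00:80:f4:01:02:03": "SCADA server",
    "00:1c:06:aa:bb:cc": "PLC line 1",
    "00:5e:00:00:00:77": "HMI panel (expected, but currently powered off)",
}

PROTOCOL_PORTS = {502: "Modbus/TCP", 102: "S7comm"}

@dataclass
class Asset:
    mac: str
    first_seen: str
    last_seen: str = ""
    ips: set = field(default_factory=set)
    protocols: set = field(default_factory=set)  # protocols this device initiates

def build_inventory(observations):
    """Merge traffic observations into one Asset record per source MAC."""
    inventory = {}
    for ts, mac, src_ip, _dst_ip, dst_port in observations:
        asset = inventory.setdefault(mac, Asset(mac=mac, first_seen=ts))
        asset.ips.add(src_ip)
        asset.last_seen = ts  # observations are assumed to be in time order
        if dst_port in PROTOCOL_PORTS:
            asset.protocols.add(PROTOCOL_PORTS[dst_port])
    return inventory

def find_anomalies(inventory, baseline):
    """Return (MACs seen but not approved, approved MACs never seen)."""
    unknown = sorted(set(inventory) - set(baseline))
    silent = sorted(set(baseline) - set(inventory))
    return unknown, silent

if __name__ == "__main__":
    inv = build_inventory(OBSERVATIONS)
    unknown, silent = find_anomalies(inv, BASELINE)
    print("unknown devices:", unknown)   # ['3c:52:82:de:ad:01']
    print("silent baseline devices:", silent)  # ['00:5e:00:00:00:77']
```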

Spinae OT security specialists are here to assist

With our Spinae OT Asset Inventory service, we can assist you in taking this imperative first step to improve your OT security. We can also offer vendor-independent advice to find the right tool for your environment, as well as guidance and assistance in designing your OT network. Contact us for more information through our contact form or LinkedIn.