Experts weigh in on the recent Cybersecurity and Infrastructure Security Agency (CISA) guidance aimed at addressing the risks associated with the convergence of OT/IT in modern industrial organizations. CISA recommends enhanced asset inventories and taxonomies as foundational cybersecurity pieces of an OT security program.
Operational Technology
Vulnerability Management
Risk Management

Asset Management Key to Mitigating OT/IT Convergence Cybersecurity Risks

George V. Hulme
Sep 2, 2025

The rising convergence of operational technology (OT) and information technology (IT) systems brings significant risk with it. This is especially true in organizations with constrained budgets, such as small healthcare providers, local government agencies, and municipal utilities. When these organizations integrate their OT and IT systems, driven by the need for improved efficiency and connectivity, they expose a broader attack surface and more complex vulnerabilities, raising concerns over process integrity and physical security. The result is that these institutions are forced to make difficult operational and security tradeoffs.

The convergence won't stop. The business benefits are too great, as the promise of enhanced operational efficiency, real-time monitoring, and data-driven decision-making drives the trend toward OT/IT convergence. Last month, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance aimed at addressing the risks associated with the convergence of OT/IT in modern industrial organizations. 

Inside CISA's OT Cybersecurity Asset Guidance

CISA's guidance, Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators, identifies several common deficiencies in these environments that make adversarial compromise all too easy. The list won't surprise many. Insufficient network segmentation is cited as one of the primary attack vectors that threat actors exploit to move laterally from IT to OT environments and between OT systems. Additionally, insecure remote access points created through IT/OT integration can give attackers entry points to OT systems, "allowing for lateral movement or for command and control."

Experts see challenges ahead as IT and OT systems continue to converge. To get a handle on the expanded attack surface, the guidance stresses establishing proper asset inventories and taxonomies as foundational elements of a "modern defensible architecture," one that can identify, prevent, and respond to cyber threats while preserving the operational benefits of IT/OT integration.

"When you're on the production side of this, it's intimidating when you don't understand the IT and networking and security side, and conversely, when you're on the IT side, it's intimidating because you don't understand the engineering side. You don't know what all those machines are for," Daniel Gaeta, managing security engineer, operational technology at GuidePoint Security, said.

"CISA's guide provides solid guidance," said Michael Farnum, advisory CISO at enterprise technology services provider Trace3. Farnum added that he has been encouraging the integration of IT/OT systems, and while doing so, he has noticed that there has been less pushback from OT stakeholders than was historically the case. 

CISA’s Five-Step Process for OT Asset Inventory Development:

Step 1: Define Scope and Objectives

Organizations must establish clear governance frameworks by identifying the authority requiring the inventory, determining responsible offices or positions, and assigning specific roles for data collection and validation. The scope definition involves setting program boundaries (specific zones, facilities, systems, and timelines) and clearly defining what constitutes an "asset" for inventory purposes.

Step 2: Identify Assets and Collect Attributes

This step requires conducting both physical inspections and logical surveys to gather comprehensive information about system components. Organizations should prioritize collecting 14 high-priority attributes for each asset:

  • Active/supported communication protocols

  • Asset criticality

  • Asset number (unique identifier)

  • Asset role/type

  • Hostname

  • IP address

  • Logging capabilities

  • MAC address

  • Manufacturer

  • Model

  • Operating system

  • Physical location

  • Ports/services

  • User accounts

The guidance also identifies medium and low-priority attributes that organizations can collect if resources permit.

Step 3: Create a Taxonomy to Categorize Assets

Taxonomy development is itself a five-step sub-process:

  1. Select a classification methodology. The guidance describes two primary approaches:

  • Criticality-based classification: Assets prioritized by their importance to operations, safety, and mission (high, medium, low criticality)

  • Function-based classification: Assets grouped by their roles within the OT environment (control systems, communication devices, monitoring tools)

  2. Categorize assets using the ISA/IEC 62443 standards framework, organizing them into:

  • Zones: Groupings of logical or physical assets that share common security requirements based on criticality and consequence

  • Conduits: Groupings of cyber assets dedicated to communications between zones, with shared cybersecurity requirements

  3. Organize the structure by identifying process dependencies, adopting consistent naming conventions, creating detailed documentation, and documenting roles and responsibilities for asset interaction.

  4. Validate and visualize by cross-checking inventory accuracy, creating diagrams representing asset categories, and using tables or charts to show asset relationships and dependencies.

  5. Review and update periodically to reflect changes in technology and operations, incorporating stakeholder feedback.

Step 4: Manage and Collect Data

Organizations should identify additional sources of asset information, such as integrator agreements, vendor manuals, and maintenance records, and establish a centralized database or asset management system with appropriate security controls to protect the data.

Step 5: Implement Lifecycle Management

This involves defining asset life cycle stages (acquisition, deployment, commissioning, maintenance, decommissioning) and developing comprehensive policies for managing assets throughout their entire life cycle, including maintenance schedules, replacement plans, and backup strategies.
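To make Steps 2 and 3 concrete, here is an added example (not code from CISA or from the guidance) that records a constructed four-asset inventory carrying the 14 high-priority attributes, flags records that still have gaps, and groups the assets into ISA/IEC 62443 zones and conduits derived from observed communication links. The asset records, addresses, zone names, the role-to-zone mapping, and the list of protocols treated as unauthenticated are assumptions for a sample site.

```python
"""Constructed sample OT inventory with CISA's 14 high-priority attributes,
placed into ISA/IEC 62443 zones and conduits. Assets, addresses and zone
names are illustrative assumptions, not data from the guidance."""
from typing import Dict, List, Tuple

HIGH_PRIORITY_ATTRIBUTES: Tuple[str, ...] = (
    "protocols", "criticality", "asset_number", "role", "hostname", "ip",
    "logging", "mac", "manufacturer", "model", "os", "location",
    "ports_services", "user_accounts",
)

# Step 2 output: one record per asset (constructed). Unknown values are kept
# as None so the validation pass can flag them instead of losing the field.
ASSETS: List[Dict] = [
    {"asset_number": "PLC-001", "role": "controller", "hostname": "plc-boiler-1",
     "ip": "10.20.1.10", "mac": "00:11:22:33:44:01", "manufacturer": "ExampleVendor",
     "model": "PLC-X", "os": "firmware 4.2", "location": "Boiler house, rack 1",
     "protocols": ["Modbus/TCP"], "ports_services": ["502/tcp"], "logging": False,
     "user_accounts": ["admin"], "criticality": "high"},
    {"asset_number": "HMI-001", "role": "hmi", "hostname": "hmi-boiler-1",
     "ip": "10.20.1.20", "mac": "00:11:22:33:44:02", "manufacturer": "ExampleVendor",
     "model": "HMI-Y", "os": "Windows 10 LTSC", "location": "Control room",
     "protocols": ["Modbus/TCP", "RDP"], "ports_services": ["3389/tcp"],
     "logging": True, "user_accounts": ["operator", "engineer"], "criticality": "high"},
    {"asset_number": "HIST-001", "role": "historian", "hostname": "hist-1",
     "ip": "10.30.1.5", "mac": "00:11:22:33:44:03", "manufacturer": "ExampleVendor",
     "model": "Hist-Z", "os": "Windows Server 2019", "location": "Server room",
     "protocols": ["OPC UA", "HTTPS"], "ports_services": ["4840/tcp", "443/tcp"],
     "logging": True, "user_accounts": ["svc_hist"], "criticality": "medium"},
    {"asset_number": "SW-001", "role": "switch", "hostname": "sw-cell-1",
     "ip": "10.20.1.1", "mac": None, "manufacturer": "ExampleVendor", "model": "SW-A",
     "os": None, "location": "Boiler house, rack 1", "protocols": ["SSH"],
     "ports_services": ["22/tcp"], "logging": None, "user_accounts": None,
     "criticality": "medium"},
]

# Logical-survey output: observed talkers (src, dst, protocol), e.g. from a
# passive capture. Constructed for the example, not captured from a real site.
LINKS: List[Tuple[str, str, str]] = [
    ("HMI-001", "PLC-001", "Modbus/TCP"),
    ("HMI-001", "SW-001", "SSH"),
    ("HIST-001", "HMI-001", "OPC UA"),
]

# Function-based taxonomy (Step 3): role -> zone. An assumption for this
# sample site; a real site derives zones from process dependencies.
ROLE_TO_ZONE = {"controller": "Zone-Control", "switch": "Zone-Control",
                "hmi": "Zone-Supervisory", "historian": "Zone-DMZ"}

# Protocols with no built-in authentication. A conduit carrying one of these
# between zones is a segmentation finding, not just a documentation item.
UNAUTHENTICATED_PROTOCOLS = {"Modbus/TCP"}


def missing_attributes(asset: Dict) -> List[str]:
    """High-priority attributes that are absent or None on this record."""
    return [a for a in HIGH_PRIORITY_ATTRIBUTES if asset.get(a) is None]


def inventory_gaps(assets: List[Dict] = ASSETS) -> Dict[str, List[str]]:
    """Validation sub-step: asset number -> attributes still to be collected."""
    gaps = {}
    for asset in assets:
        missing = missing_attributes(asset)
        if missing:
            gaps[asset["asset_number"]] = missing
    return gaps


def assign_zone(asset: Dict) -> str:
    return ROLE_TO_ZONE.get(asset["role"], "Zone-Unassigned")


def taxonomy_report(assets: List[Dict] = ASSETS) -> Dict[str, List[str]]:
    """Zone -> asset numbers, highest criticality first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    report: Dict[str, List[str]] = {}
    for a in sorted(assets, key=lambda a: (rank[a["criticality"]], a["asset_number"])):
        report.setdefault(assign_zone(a), []).append(a["asset_number"])
    return report


def build_conduits(assets: List[Dict], links) -> Dict[Tuple[str, str], List[str]]:
    """Group inter-zone links into conduits; intra-zone traffic is not a conduit."""
    zone_of = {a["asset_number"]: assign_zone(a) for a in assets}
    conduits: Dict[Tuple[str, str], set] = {}
    for src, dst, proto in links:
        pair = (zone_of[src], zone_of[dst])
        if pair[0] != pair[1]:
            conduits.setdefault(pair, set()).add(proto)
    return {pair: sorted(protos) for pair, protos in conduits.items()}


def risky_conduits(conduits: Dict[Tuple[str, str], List[str]]) -> Dict[Tuple[str, str], List[str]]:
    """Conduits that carry an unauthenticated protocol across a zone boundary."""
    return {pair: [p for p in protos if p in UNAUTHENTICATED_PROTOCOLS]
            for pair, protos in conduits.items()
            if any(p in UNAUTHENTICATED_PROTOCOLS for p in protos)}


if __name__ == "__main__":
    print("gaps:", inventory_gaps())
    print("zones:", taxonomy_report())
    conduits = build_conduits(ASSETS, LINKS)
    print("conduits:", conduits)
    print("needs attention:", risky_conduits(conduits))
```

Keeping None for an unknown attribute rather than dropping the key is what makes the validation sub-step possible: the switch record above surfaces immediately as the one still needing MAC, OS, logging and account data, and the Modbus/TCP conduit between the supervisory and control zones is the first candidate for the segmentation work the guidance calls for.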

Actions Post-Asset Inventory and Taxonomy

The guidance outlines five critical areas for leveraging the completed inventory and taxonomy:

  1. OT Cybersecurity and Risk Management: Organizations should cross-reference their inventories with vulnerability databases, such as CISA's Known Exploited Vulnerabilities (KEV) Catalog and MITRE's CVE database. Key activities include implementing security controls for unpatched vulnerabilities, prioritizing critical assets with redundancy plans, establishing real-time monitoring, and mapping attack patterns to threat intelligence sources, such as the MITRE ATT&CK Matrix for ICS.

  2. Maintenance and Reliability: The inventory enables organizations to review maintenance plans in consideration of vulnerability assessments, compare the costs of downtime versus system replacement, implement cyber-informed engineering principles for new systems, and analyze spare parts inventory to ensure adequate coverage for critical assets.

  3. Performance Monitoring and Reporting: Continuous monitoring should focus on tracking process variables (such as temperature, pressure, and flow) and monitoring network and system diagnostics for communication health and device connectivity. Organizations must develop effective reporting mechanisms and identify the owners of asset inventories for ongoing maintenance.

  4. Training and Awareness: Providing staff with training on asset management practices and implementing awareness programs ensures that all stakeholders understand the importance of asset management, which is crucial for program success.

  5. Continuous Improvement: Organizations should implement feedback loops, utilize change management processes to track asset modifications, and conduct regular reviews and audits of their asset management programs to ensure ongoing improvement.
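The KEV cross-reference in item 1 is straightforward to automate once the inventory carries manufacturer and model. The following added example (not CISA's code) matches a constructed inventory against a constructed catalog snapshot laid out with the field names of the KEV JSON feed's `vulnerabilities` entries and ranks the hits; the CVE IDs, vendors and products are placeholders, and the `next_outage_window` field, the "compensating control" decision rule and the ranking order are assumptions, not part of the guidance.

```python
"""Cross-reference an OT inventory against a KEV-style catalog snapshot and
rank the hits. The catalog entries use the field names of CISA's KEV JSON feed,
but every CVE ID, vendor and product below is a constructed placeholder."""
import json
from datetime import date
from typing import Dict, List, Tuple

KEV_SNAPSHOT: Dict = json.loads("""{
  "title": "constructed sample catalog",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "PLC-X",
     "vulnerabilityName": "placeholder", "dateAdded": "2025-08-01",
     "dueDate": "2025-08-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "examplevendor", "product": " HMI-Y",
     "vulnerabilityName": "placeholder", "dateAdded": "2025-09-01",
     "dueDate": "2025-09-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Router-Q",
     "vulnerabilityName": "placeholder", "dateAdded": "2025-07-01",
     "dueDate": "2025-07-22", "knownRansomwareCampaignUse": "Unknown"}
  ]
}""")

# Inventory rows carrying the Step 2 manufacturer/model attributes plus two
# fields assumed for this example: criticality and the next outage window in
# which the asset may be taken down for patching. Constructed data.
INVENTORY: List[Dict] = [
    {"asset_number": "PLC-001", "manufacturer": "ExampleVendor", "model": "PLC-X",
     "criticality": "high", "next_outage_window": "2025-11-15"},
    {"asset_number": "HMI-001", "manufacturer": "ExampleVendor", "model": "HMI-Y",
     "criticality": "high", "next_outage_window": "2025-09-10"},
    {"asset_number": "HIST-001", "manufacturer": "ExampleVendor", "model": "Hist-Z",
     "criticality": "medium", "next_outage_window": "2025-09-10"},
]

CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


def _norm(text: str) -> str:
    """KEV vendorProject/product are free text: fold case and whitespace first."""
    return " ".join(text.lower().split())


def kev_index(catalog: Dict) -> Dict[Tuple[str, str], List[Dict]]:
    """(vendor, product) -> catalog entries, so each asset is a single lookup."""
    index: Dict[Tuple[str, str], List[Dict]] = {}
    for entry in catalog["vulnerabilities"]:
        key = (_norm(entry["vendorProject"]), _norm(entry["product"]))
        index.setdefault(key, []).append(entry)
    return index


def match_inventory(inventory: List[Dict], catalog: Dict, today: date) -> List[Dict]:
    """One finding per (asset, KEV entry) pair, most urgent first."""
    index = kev_index(catalog)
    findings: List[Dict] = []
    for asset in inventory:
        key = (_norm(asset["manufacturer"]), _norm(asset["model"]))
        for entry in index.get(key, []):
            due = date.fromisoformat(entry["dueDate"])
            window = date.fromisoformat(asset["next_outage_window"])
            # Assumed rule: if the fix cannot land before the due date, the
            # answer is a compensating control (segmentation, monitoring) now.
            action = "patch in next window" if window <= due else "compensating control now"
            findings.append({
                "asset_number": asset["asset_number"],
                "cveID": entry["cveID"],
                "criticality": asset["criticality"],
                "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
                "overdue": today > due,
                "action": action,
            })
    # Assumed ranking: asset criticality, then known ransomware use, then
    # whether the KEV due date has already passed.
    findings.sort(key=lambda f: (CRITICALITY_RANK[f["criticality"]],
                                 not f["ransomware_use"], not f["overdue"]))
    return findings


def prioritized_findings(today_iso: str = "2025-09-02") -> List[Dict]:
    return match_inventory(INVENTORY, KEV_SNAPSHOT, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in prioritized_findings():
        print(f"{f['asset_number']:9} {f['cveID']:14} {f['criticality']:7} "
              f"ransomware={f['ransomware_use']!s:5} overdue={f['overdue']!s:5} -> {f['action']}")
```

Two practical points the paragraph does not spell out: KEV's vendor and product fields are free text, so an exact string match against your inventory will miss entries unless both sides are normalized (the second catalog entry above only matches because of that), and the useful output is not the list of CVEs but the decision per asset, which for a controller that cannot be patched until a distant outage window is a compensating control rather than a ticket that waits.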

Sector-Specific Taxonomies

The guidance includes conceptual taxonomies developed through collaborative working sessions for three critical infrastructure sectors:

  • Oil and Gas Organizations: Categorizes assets into safety systems, management/engineering, process control and monitoring, environmental systems, communications systems, network equipment, and cyber-physical security.

  • Electricity Organizations: Organizes assets into categories including the DMZ, communications systems, power generation, transmission, and distribution, physical access controls, energy management systems, and distributed energy resources.

  • Water and Wastewater: Structures assets by collection, water treatment, distribution, re-use water, data management, wastewater treatment, and communications infrastructure.

"The taxonomies are very practical. They're not something that is breaking new ground, but it is being a big help if organizations make sure they adopt it in operations and make sure they use it as a foundation — just not the end game," said Farnum.

The guidance identifies five primary benefits of implementing structured OT taxonomies:

1. Improved Organization & Management: Enhanced categorization and organization of assets, processes, and data.

2. Enhanced Communication: Standardized terminology reduces misunderstandings and improves collaboration.

3. Better Decision Making: Clear understanding of relationships and dependencies enabling informed decisions.

4. Cost Savings: Optimized asset management reduces inefficiencies and minimizes downtime.

5. Data Analytics & Insights: A better framework for organizing and analyzing data, driving continuous improvement.

Overall, the guidance emphasizes the importance of proactive planning and collaboration between IT and OT teams. Organizations are encouraged to review and implement the recommended steps, socialize the guidance within their organizations and with peers, and provide feedback through CISA's anonymous product survey.

George V. Hulme

George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
