Due to the pace at which energy companies, manufacturers, healthcare providers, and others engage in digitally transforming their organizations—including critical infrastructure—the lines between traditional IT and OT continue to blur. Companies must continue to converge their IT and OT management to remain competitive and optimize their operational efficiency and productivity.
Couple this with the rapid deployment of newly connected IIoT devices, and the visibility challenges—which translate directly to security challenges—are apparent. It’s a challenge that isn’t letting up any time soon: total IIoT market size is expected to reach $197 billion by the end of this year, up from $115 billion in 2016, according to Allied Market Research.
In traditional IT environments, finding networked assets is a relatively straightforward and mature process: simply scan the network and associated subnets and list the devices that appear with an IP address. In OT environments, it’s not as straightforward. In addition to the sheer number of newly connected IIoT devices, there’s a lack of device and protocol standards that makes asset identification challenging.
However, by implementing a few practices, organizations can overcome these challenges and improve their OT visibility.
“In an IT environment, every asset that people want to track ultimately has an IP address,” says Jonathan Townsend, VP of engineering at Trace3. “It’s been that way for a while now. OT environments are often considered the same, but they aren’t. Not all assets are directly connected in OT environments. You are truly in a place where you can’t simply rely on traditional IP scanning discovery.”
Companies must get this right. Without a clear view of the assets deployed within the organization, it’s impossible to manage and control cybersecurity risks effectively. There’s no other way to spot and rectify vulnerabilities, fix misconfigurations, ensure only the right people and systems have access, and respond effectively to incidents, among other security considerations.
“When we get into security considerations, we’re talking about trying to put in and design security to achieve transparency because the OT system [manager] needs assurance that they understand their situation at any point in time,” says Rick Peters, [then] director of operational technology at Fortinet, during a recent presentation at the 2020 S4 security conference.
Broadly, two primary types of tools are used to achieve transparency in the devices operating within OT environments: Network Monitoring Systems (NMS) and Asset Management Systems (AMS). As the names suggest, NMS keep an eye on network traffic, aiming to identify anomalies and suspicious actions by vetting patterns and data flows. In comparison, AMS aim to be the single source of truth for connected asset inventories. This is achieved through active scanning, passive scanning, or a mix of both.
However, tools are just one portion necessary to attain asset visibility in operational environments. They must also be used within a program with the right processes.
There is a core set of processes enterprises must have in place to attain and maintain visibility across the assets they need. These include:
Obtain a complete asset inventory. Obtaining a complete asset inventory will require manual steps and automated tools. In addition to network monitoring for new devices that appear on the network, teams should conduct periodic onsite physical surveys alongside their automated scans. Appropriate business units should also be required to advise the IT and security teams of new device deployments. This will help to make sure that all assets are correctly accounted for.
“Because many devices are connected via serial ports, media converters, there’s often a wide blind spot in OT environments. The best way around this is to conduct site visits, walk the floor to trace cables, and manually capture the accurate asset inventory and topology. It can be a very manual and cumbersome, but necessary, process,” explains Townsend.
Categorize devices by their business use and value. Just knowing the asset exists isn’t enough. Security teams must understand what the device does and its importance to business operations. This type of information is essential for threat modeling, incident response, and designing and maintaining a good security architecture.
Create processes for managing legacy assets. Because these environments are designed to run for very long periods, chances are high that devices will outlive the leading technologies and standards of their time. Managing these legacy assets can become challenging, but they must be maintained within the inventory.
“Because many of these environments are built to run for 30 years, especially inside environments like refineries and other locations where you want to have a very long run time with very low impact. These are the types of sites that tend to have more legacy connectivity requirements for some of their assets,” says Townsend.
Manage through continuous monitoring. The program must continuously identify new devices and classify them by business context so that rogue devices can’t escalate risk to unacceptable levels. This process must also include regular audits of the procedures to spot gaps and areas that can be improved.
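The four practices above amount to one reconciliation loop: merge what the scan sees with what the floor walk and the business units report, tag each asset by business value, and keep flagging what is new or unexplained. The following is an added example, not code from the article or from any vendor mentioned in it; the asset records, IP addresses, and the legacy cutoff year are constructed assumptions.

```python
"""Added example: reconcile OT asset sources into a single inventory.

Sources (all constructed sample data): an automated IP scan, a manual site-survey
record (which covers serially connected devices that have no IP), and business-unit
deployment notices. Rogue = on the network but declared by nobody; legacy = older
than an assumed cutoff year.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

LEGACY_CUTOFF_YEAR = 2005  # assumption: commissioned before this counts as legacy


@dataclass
class Asset:
    asset_id: str
    role: str                  # business use, e.g. "safety PLC", "operator HMI"
    criticality: str           # business value: "high", "medium" or "low"
    commissioned: int          # year placed into service
    ip: Optional[str] = None   # None for serial / media-converter connected devices
    sources: Set[str] = field(default_factory=set)


# Constructed inputs standing in for real scan, survey and business-unit data.
IP_SCAN = {"10.0.1.10", "10.0.1.11", "10.0.1.50", "10.0.1.99"}  # hosts answering the scan
SITE_SURVEY = [                                                  # found on the floor walk
    Asset("PLC-01", "safety PLC", "high", 1998, ip="10.0.1.10"),
    Asset("RTU-07", "remote terminal unit", "high", 2001),         # serial link, no IP
    Asset("HMI-02", "operator HMI", "medium", 2016, ip="10.0.1.11"),
]
BU_NOTICES = [Asset("SENSOR-21", "vibration sensor", "low", 2022, ip="10.0.1.50")]


def reconcile(scan: Set[str], survey: List[Asset], notices: List[Asset]) -> Dict:
    """Merge the declared sources, then check each declared IP against the scan."""
    inventory: Dict[str, Asset] = {}
    for src_name, src in (("survey", survey), ("bu_notice", notices)):
        for a in src:
            inventory.setdefault(a.asset_id, a).sources.add(src_name)
    known_ips = {a.ip for a in inventory.values() if a.ip}
    for a in inventory.values():
        if a.ip in scan:
            a.sources.add("scan")
    return {
        "inventory": inventory,
        "rogue_ips": sorted(scan - known_ips),          # seen on the wire, declared nowhere
        "unscannable": sorted(a.asset_id for a in inventory.values() if a.ip is None),
        "legacy": sorted(a.asset_id for a in inventory.values()
                         if a.commissioned < LEGACY_CUTOFF_YEAR),
        "high_value": sorted(a.asset_id for a in inventory.values()
                             if a.criticality == "high"),
    }
```

The "unscannable" list is the serial-connected blind spot Townsend describes: those assets never show up in an IP scan and are tracked only because the survey recorded them.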
It certainly sounds like considerable work, and it is, but building such capabilities makes OT systems much more defensible. “I'm never turning a blind eye to what's happening,” says Fortinet’s Peters. “I know this domain is changing, and I understand the number of devices I'm touching and connecting to constantly changes. And so, the same practices put into play repeatedly allow me to achieve a level of defense and knowledge of my OT environment that puts me in a better place,” he says.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.