Most of us are aware that corporations face numerous asset discovery challenges in IT networked environments. They simply can’t determine the full scope of devices across the entire estate due to the increasing complexity of networks, an onslaught of a new and diverse set of virtual, cloud, mobile, and container compute platforms, and the explosion of IoT connected devices.
Even when a device is known and tracked, obstacles remain for obtaining full context and characterization of the device due to sundry browsers, software, and agent-based applications running on the individual machine.
But what about OT and ICS environments? Do the same challenges exist in these environments?
The simple answer is no.
OT and ICS environments present their own unique set of challenges for asset discovery. These environments have grown up in a different way from IT environments. They contain different technology from IT environments. They operate by a different set of rules.
What Is OT And What Is ICS?
Operational technology (OT) is the collective body of hardware and software used to monitor and manage industrial equipment, processes, and events. These systems form the critical backbone of global critical infrastructure.
Industrial control systems (ICS) are the collection of individual components that make up an OT environment.
ICS are used for industrial process control. They make up all elements necessary for a particular closed loop system (including the control system and the associated instrumentation), including devices, systems, networks, and controls used to operate a specific industrial process.
Examples include supervisory control and data acquisition (SCADA) and distributed control systems (DCS). Instrumentation elements include programmable logic controllers (PLCs), remote terminal units (RTUs), human machine interfaces (HMIs), sensors and actuators — to name a few.
The Challenges
OT and ICS environments are very different from traditional IT environments. It’s these differences that make obtaining an asset inventory difficult.
First and foremost, OT and ICS environments are full of technology designed and implemented 20 to 30 years ago. Many of these devices have limited memory and CPU, communicate using older protocols (Modbus, BACnet, Fieldbus, HART, DNP3), and are often running unsupported versions of Microsoft Windows NT or a proprietary operating system.
Second, most OT and ICS environments are air gapped, with little access to the corporate IT network and no access to cloud environments. Many of these environments are distributed and/or singular closed loop systems in remote locations with limited network or telecommunication access. More often than not, network or remote access is constrained to a small group of ICS specific operators and experts.
Third, availability is the prized leg of the CIA triad in OT and ICS environments. Where confidentiality and integrity are the primary focus of IT security controls, system availability is critically important in OT and ICS environments.
Failure of these systems can lead to human injury, environmental disaster, damaged equipment, and physical process downtime — all of which could impact large portions of the population. For these reasons, systems must operate for long periods of time with minimal maintenance windows. Security controls in these environments are designed to ensure uptime and availability, with far less attention paid to confidentiality of data or data loss.
These differences result in significant challenges to traditional asset discovery methodologies in OT and ICS environments:
- Agent-based asset discovery approaches can’t be used in OT and ICS environments because of unsupported and proprietary operating systems, and because of extremely limited memory and processing resources. Agents simply can’t be deployed in most cases.
- Scanning-based asset discovery approaches can’t be utilized in these environments either. Heightened reliability and availability concerns preclude the use of scanning technologies, for fear of knocking over critical systems with even a lightweight scan. Scans are just too intensive and therefore not leveraged.
- Network-based asset discovery is only marginally effective in these environments. Proprietary protocols are often used for communication in segments of these environments and can make accurate asset identification difficult.
Network-based sensors can themselves be invasive, potentially disrupting the OT network during deployment or operation, so planning and deployment timelines are sometimes measured in months or years.
Lastly, even under the best conditions, in which network sensors can be deployed without impact and across all segments, the network viewpoint of an asset is still limited in context, providing little to no information about device users, installed software, vulnerabilities, etc.
Identifying Assets In OT And ICS Environments
How do you passively identify assets in an OT and ICS environment and provide context for the devices? The answer is actually quite simple.
Asset data already exists in an OT and ICS environment.
Asset data exists in the...
- Routers, switches, and firewalls at the network layer
- Data historians, HMIs, DCSs, and SCADA platforms
- IPAM, DNS, and DHCP solutions deployed in the OT environment
- Successfully deployed device management and security agent tools
Cybersecurity asset management platforms aggregate and correlate data from a wide array of such sources. Solutions like Axonius use adapters that connect to each source, authenticate, fetch its asset information (through the source's existing API or database queries), and normalize the asset data fields so that records from different sources can be correlated into a single inventory.
Using this technique, it’s possible to obtain a complete inventory of assets — with little to no impact on the environment.
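The aggregation-and-correlation approach described above, worked through as an added example that is not Axonius code or any vendor's adapter: a small Python script that reads constructed sample data from four of the sources listed above (a switch ARP table, DHCP leases, DNS A records, and an agent inventory from the one workstation that could host an agent), joins the records on MAC address, IP and hostname, and reports which devices still have no OS or software context. Every device name, address and source format here is constructed for the example; no device is ever contacted.

```python
"""Correlating asset records from existing OT data sources (added example, constructed data)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Constructed sample: "show ip arp" style output from a plant distribution switch.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.10              5   0011.2233.4455  ARPA   Vlan10
Internet  10.10.1.20              2   0011.2233.6677  ARPA   Vlan10
Internet  10.10.1.30              -   0011.2233.8899  ARPA   Vlan20
"""

# Constructed sample: DHCP leases as (ip, mac, client-announced hostname).
DHCP_LEASES = [
    ("10.10.1.10", "00:11:22:33:44:55", "hmi-01"),
    ("10.10.1.20", "00-11-22-33-66-77", "eng-ws-02"),
]

# Constructed sample: A records from the OT DNS zone (the PLC is statically addressed).
DNS_A_RECORDS = {"hmi-01": "10.10.1.10", "plc-03": "10.10.1.30"}

# Constructed sample: data from a security agent on the one host able to run one.
AGENT_INVENTORY = {
    "eng-ws-02": {"os": "Windows 10", "software": ["Engineering Suite 4.2"]},
}

ARP_LINE = re.compile(
    r"^Internet\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
)


def normalize_mac(raw: str) -> str:
    """Canonical 'aa:bb:cc:dd:ee:ff' from Cisco dotted, dashed or colon-separated forms."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Asset:
    mac: Optional[str] = None
    ip: Optional[str] = None
    hostname: Optional[str] = None
    os: Optional[str] = None
    software: List[str] = field(default_factory=list)
    sources: Set[str] = field(default_factory=set)
    notes: List[str] = field(default_factory=list)


def build_inventory(arp_text: str,
                    dhcp_leases: Sequence[Tuple[str, str, str]],
                    dns_records: Dict[str, str],
                    agent_inventory: Dict[str, dict]) -> Dict[str, Asset]:
    """Merge the four sources into one inventory keyed by MAC (or a synthetic key)."""
    assets: Dict[str, Asset] = {}

    def find(**attrs) -> Optional[Asset]:
        # First asset whose attributes all match, e.g. find(ip="10.10.1.30").
        return next((a for a in assets.values()
                     if all(getattr(a, k) == v for k, v in attrs.items())), None)

    # 1. Switch ARP table: IP-to-MAC bindings the switch already holds.
    for line in arp_text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # header line or non-IPv4 entry
        mac = normalize_mac(m.group(2))
        asset = assets.setdefault(mac, Asset(mac=mac))
        asset.ip = m.group(1)
        asset.sources.add("arp")

    # 2. DHCP leases: MAC, IP and the hostname the client announced.
    for ip, raw_mac, host in dhcp_leases:
        mac = normalize_mac(raw_mac)
        asset = assets.setdefault(mac, Asset(mac=mac))
        asset.ip = asset.ip or ip
        asset.hostname = host
        asset.sources.add("dhcp")

    # 3. DNS A records: names for hosts that never touch DHCP (static controllers).
    for host, ip in dns_records.items():
        asset = find(ip=ip) or assets.setdefault(f"ip:{ip}", Asset(ip=ip))
        if asset.hostname and asset.hostname != host:
            asset.notes.append(f"DNS name {host} differs from DHCP name {asset.hostname}")
        asset.hostname = asset.hostname or host
        asset.sources.add("dns")

    # 4. Agent data: the only source here that can say what is installed on the box.
    for host, details in agent_inventory.items():
        asset = find(hostname=host) or assets.setdefault(f"host:{host}", Asset(hostname=host))
        asset.os = details.get("os")
        asset.software = list(details.get("software", []))
        asset.sources.add("agent")

    return assets


def missing_context(inventory: Dict[str, Asset]) -> List[str]:
    """Assets known only from the network layer: no OS or software information at all."""
    return sorted(a.hostname or a.ip or key for key, a in inventory.items() if a.os is None)


if __name__ == "__main__":
    inv = build_inventory(ARP_TABLE, DHCP_LEASES, DNS_A_RECORDS, AGENT_INVENTORY)
    for key, a in inv.items():
        print(f"{key:18} {a.ip or '-':12} {a.hostname or '-':10} {a.os or '-':11} {sorted(a.sources)}")
    print("no OS/software context:", missing_context(inv))
```

Running the script lists three assets without sending a single packet to the plant network: the HMI and the PLC are reconstructed entirely from the switch, DHCP and DNS records, while only the engineering workstation, the one host with an agent, carries OS and software detail. The `missing_context` result (the HMI and the PLC) is exactly the context gap the article attributes to a network-only viewpoint, and the `notes` field surfaces hostname disagreements between DHCP and DNS so they can be reconciled rather than silently overwritten.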