In this blog series, we have thus far been looking at how IT and OT groups can effectively work together to gain a mutual understanding and respect for the environments in which they are responsible for managing cybersecurity risk. The more mutual respect and cooperation fostered between the two parties, the easier it will be for the collective team to build an effective ICS cybersecurity program.
Once that joint team culture is established and respect is gained, it is time to start looking at what processes and technologies can help create efficiencies in their efforts. This blog post will examine how organizations can effectively obtain the appropriate amount of asset visibility necessary to ensure continued safety and reliability within their ICS environment.
For context, I want to start by framing the term differently than I often hear it used in the world of ICS cybersecurity. When I say "asset visibility," I am not talking only about the pumps, valves, tanks, sensors, switches, HMIs, and other systems used in the immediate control of the OT environment. Owners and operators already have an asset list for those devices and know how they are connected. They understand the values displayed on their HMIs and can quickly detect a problem within that immediate environment. That level of visibility may feel adequate for this subset of the environment, but it is not sufficient for the security of the environment as a whole.
So, as we continue, I want "asset visibility" to mean the entirety of everything connected within and to the OT environment. That includes auxiliary application systems such as enterprise resource planning, customer relationship management, historians and other analytics platforms, access control, network and endpoint security, disaster recovery, patch management, remote access, business continuity, and more.
Need for Visibility
There is a common phrase that most people will recognize in the cybersecurity community, "you cannot protect what you cannot see." While the phrase itself may be overused, we must not dismiss the message behind it. Having a network drawing and some tribal knowledge on how the OT environment is connected and communicating may be acceptable to the operations team. However, to truly understand the actual cybersecurity risk for the environment, you must take a couple of steps back to ensure that the aperture of your asset visibility lens also includes all secondary and tertiary devices and systems connected and communicating to and throughout the OT environment.
Historically, we have seen this depicted in network architectures based on ISA-95, the Purdue Enterprise Reference Architecture (PERA), or similar models. Electric power organizations were among the first in the OT community to focus on this broader aperture when NERC CIP required them to identify and document an electronic security perimeter (ESP) and the electronic access points (EAPs) through which traffic crosses it. The requirement means an organization must know exactly where its outermost boundary lies and draw a virtual fence around it.
The subsequent need is to protect and monitor everything inside that virtual fence. How that asset visibility is presented also matters.
There are two primary forms: a graphical representation (a map) and a tabular representation (more conducive to reports). Both have value, but different audiences favor different forms. For example, a user focused on compliance may prefer a table for a report. A map, conversely, is more helpful for an engineer troubleshooting a problem or investigating a finding.
As you gain more visibility into the entirety of the OT environment, you can start to ask more intelligent questions about each system, the unique mission it supports, and the threats and potential impacts the environment faces. To maximize usefulness, the processes created and the technology selected for this task should support the devices, networks, systems, applications, and protocols actually present in the environment (industrial protocols such as Modbus, DNP3, and EtherNet/IP alongside the usual IT protocols), and should provide the appropriate level of detail and context.
More Visibility = Better Prepared to Secure
It should be abundantly clear, but just in case it is not: this type of asset visibility within the OT environment should be as continuous as possible.
There are two primary methodologies organizations can use to improve asset visibility: active and passive. Active discovery purposefully interrogates every network-addressable device and application in the infrastructure, for example by port scanning or by sending protocol-level queries. In OT environments this can cause adverse reactions (legacy controllers and serial gateways have been known to hang or fault when they receive unexpected traffic), which can jeopardize safety and reliability. Passive discovery merely listens, typically from a SPAN port or network tap, and extracts as much as it can from the traffic the equipment and applications generate on their own. The risk to safety and reliability is significantly reduced; however, you only learn about devices that actually communicate, so it may take longer to collect a comparable amount of information, and devices that rarely talk may never appear. A common hybrid is to rely on passive collection and supplement it with targeted, protocol-aware queries to known devices during planned maintenance windows.
Whether you choose active, passive, or a hybrid of the two, this should not be a biannual tabletop exercise. Instead, foster constant collaboration among people, processes, and technology to gain a holistic view of how everything within the virtual fence works together to accomplish the mission. As the OT environment's asset visibility improves, so does the OT security team's situational awareness, and that is a more fundamental benefit than the more dramatic one people tend to picture: catching hackers trying to compromise the environment.
A couple of the more common OT scenarios where asset visibility plays a key role are remote access and system upgrades (turnarounds). In both, the OT security team must know which systems communicate with each other and exactly how they do it. A misconfiguration in remote access can remain in the OT environment for years, because as the old saying goes, "If it's not broken, why fix it?" With adequate asset visibility, OT security teams can examine their systems' communication behaviors and security controls in detail and confirm they are reducing risk as much as possible.
During a system upgrade and maintenance cycle, often referred to as a turnaround, many aspects of the environment can change, from physical system locations to logical network architectures to new or updated application communication patterns. Having complete asset visibility in the OT environment, combined with the ability to baseline device, system, and application communication patterns, puts the OT security team at a distinct advantage as the system comes back online. The team can compare communication patterns before and after the turnaround, catch anything that changed without being documented (a new device, a new communication path, a protocol that was not there before), confirm that no gaps remain in their security controls, and update documentation accordingly.
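The passive-collection and pre/post-turnaround comparison described above, as an added example that is not part of the original post or any ISAGCA tool. It assumes flow records have already been extracted from a SPAN port or tap into (source, destination, destination port) tuples; the records and addresses below are constructed for illustration, and the port-to-protocol labels are a small hypothetical lookup table.

```python
"""Passive asset inventory and pre/post-turnaround communication baseline diff.

Added example for this post; not code from the original article or from ISAGCA.
Flow records below are constructed. In practice they would come from a SPAN port
or tap feeding a flow exporter or a passive ICS monitoring tool.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical port-to-protocol labels used only to name flows; extend as needed.
PORT_LABELS = {502: "modbus", 20000: "dnp3", 44818: "enip", 102: "s7comm",
               3389: "rdp", 443: "https", 22: "ssh", 4840: "opcua"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def label(port):
    return PORT_LABELS.get(port, f"tcp/{port}")


def build_inventory(flows):
    """Passive inventory: hosts seen, services each host answers on, its peers."""
    hosts, services, peers = set(), defaultdict(set), defaultdict(set)
    for f in flows:
        hosts.update((f.src, f.dst))
        services[f.dst].add(label(f.dport))   # dst answered on this port
        peers[f.src].add(f.dst)
        peers[f.dst].add(f.src)
    return {"hosts": hosts, "services": dict(services), "peers": dict(peers),
            "flows": {(f.src, f.dst, label(f.dport)) for f in flows}}


def diff_inventories(before, after):
    """Compare the pre-turnaround baseline with the post-turnaround observation."""
    changed = {}
    for h in before["hosts"] & after["hosts"]:
        b = before["services"].get(h, set())
        a = after["services"].get(h, set())
        if a != b:
            changed[h] = {"added": a - b, "removed": b - a}
    return {"new_hosts": after["hosts"] - before["hosts"],
            "missing_hosts": before["hosts"] - after["hosts"],
            "new_flows": after["flows"] - before["flows"],
            "missing_flows": before["flows"] - after["flows"],
            "changed_services": changed}


def as_table(diff):
    """Tabular view (report/compliance audience): one row per finding."""
    rows = []
    for kind in ("new_hosts", "missing_hosts"):
        rows += [(kind, h, "", "") for h in sorted(diff[kind])]
    for kind in ("new_flows", "missing_flows"):
        rows += [(kind, s, d, p) for s, d, p in sorted(diff[kind])]
    for h, c in sorted(diff["changed_services"].items()):
        rows.append(("changed_services", h,
                     ",".join(sorted(c["added"])), ",".join(sorted(c["removed"]))))
    return rows


def as_edges(inventory):
    """Graph view (engineering audience): edge list for a map/diagram tool."""
    return sorted({(s, d) for s, d, _ in inventory["flows"]})


# Constructed baseline: HMI polls two Modbus PLCs, historian reads the HMI via
# OPC UA, a jump host reaches the HMI over RDP.
BEFORE_FLOWS = [Flow("10.1.1.10", "10.1.2.20", 502), Flow("10.1.1.10", "10.1.2.21", 502),
                Flow("10.1.1.50", "10.1.1.10", 4840), Flow("10.0.0.5", "10.1.1.10", 3389)]
# Constructed post-turnaround capture: PLC .21 replaced by an EtherNet/IP unit at
# .22, PLC .20 now also speaks EtherNet/IP, and a vendor laptop is still polling it.
AFTER_FLOWS = [Flow("10.1.1.10", "10.1.2.20", 502), Flow("10.1.1.10", "10.1.2.20", 44818),
               Flow("10.1.1.10", "10.1.2.22", 44818), Flow("10.1.1.50", "10.1.1.10", 4840),
               Flow("10.0.0.5", "10.1.1.10", 3389), Flow("10.1.1.99", "10.1.2.20", 502)]


def turnaround_report():
    return diff_inventories(build_inventory(BEFORE_FLOWS), build_inventory(AFTER_FLOWS))


if __name__ == "__main__":
    for row in as_table(turnaround_report()):
        print("\t".join(row))
    print(as_edges(build_inventory(AFTER_FLOWS)))
```

Each row in the table is a question for the joint IT/OT team rather than an alert: the vendor laptop at 10.1.1.99 is exactly the kind of remote-access leftover that can otherwise sit unnoticed for years, and the protocol change on 10.1.2.20 should appear in the updated documentation and firewall rules before the system is declared back in service.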
More Visibility = Better Collaboration and Efficiency
Leveraging this new level of asset visibility within the OT environment should be considered an essential, foundational step before moving on to the other security controls of the organization's larger cybersecurity program. Integrating OT data sets with IT-based solutions provides a more complete picture of the cybersecurity risk posture, improves the efficiency of threat detection within the environment, and helps prioritize the near- and long-term cybersecurity investment roadmap.
Once again, it is essential to understand that providing adequate cybersecurity protections for an environment is an endless journey. Like preventive maintenance, the maturation of the people, processes, and technology supporting safe, reliable, and efficient business operations is continuous. The people leveraged, processes created, and technology selected may differ between IT and OT, and that is okay. Their missions, systems, threats, and impacts are different. However, effective collaboration between IT and OT on asset visibility will reduce security risk to the level stakeholders find acceptable and improve detection of the organization's most prevalent threats.
Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to the latest thought leadership, tips, research, and other insights from automation cybersecurity leaders.