The Need to Defend Your ICS Systems

Fortunately, industrial organizations can protect themselves against these and other digital threats. This effort should begin with building an inventory of every device connected to their environments. Such an inventory is essential to an industrial organization's digital security, because it lets security personnel monitor the configurations of connected assets, manage vulnerabilities and address unapproved devices. Without an asset inventory, organizations are essentially in the dark. As David Bisson wrote in another blog post for The State of Security:

Organizations can't protect ICS devices, systems, and networks, including those responsible for controlling critical infrastructures, if they're unaware of their existence. Otherwise, they simply use ignorance to assume that they're secure, thereby placing them into a position of reacting to security incidents instead of proactively defending against them. Even if they are aware of these devices, industrial organizations can still expose themselves to risk by not consistently implementing security measures such as configuration controls.

Achieving visibility in industrial environments is harder than it looks, however. In a recent survey, eighty-four percent of participating ICS security professionals told Tripwire that they were concerned about adding new technology to their organization's industrial environment. Part of the reason for this worry is the belief that organizations can't gain visibility over their operational technology (OT) networks without disrupting their business processes. Indeed, some organizations believe they need to actively scan for their connected assets, a process that could interfere with those devices' availability. As a result, they reason that visibility is impossible to achieve, and they simply stop pursuing it.
Passive Asset Discovery as a Way Forward to Increase Visibility

Organizations don't need to risk disrupting their critical operations. They can instead invest in a solution designed to discover their network assets without disruption. Amongst those solutions, my personal favorite is a hybrid approach, which I will write more about in a future post; for now, passive discovery is a great start. That being said, organizations need to do their due diligence in choosing a solution that fits their needs. They should, therefore, pursue the following recommendations:
- Use the vendor selection process to your benefit: Organizations should consider testing every tool they are evaluating against a packet capture of their own network traffic. A test of this kind lets them evaluate a tool far better than a canned demo could, because it demonstrates the solution's functionality on data that has contextual meaning to the organization itself.
- Involve the local OT teams in the vendor selection process. Choosing a vendor for a passive asset discovery solution is an important decision. It is therefore crucial to keep everyone in the loop, especially the professionals responsible for the security and operability of the organization's OT assets.
- Select a vendor with experience and a history of successful deployments. There are a lot of vendors in the passive asset discovery space. Even so, only a select few have the know-how and support structure to enable complete success from pre-sales through post-sales support.
When it comes to deploying a strong passive asset discovery solution, don’t try to boil the ocean! If a customer has a large, multi-plant environment, implementing a passive asset discovery tool at a strategically selected pilot location is a great way to build momentum, show internal successes, and even make a couple of mistakes early instead of trying to roll out a solution over dozens of environments at once.
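To make the idea of passive discovery concrete, here is an added example (not Tripwire's or any vendor's code) that builds a minimal asset inventory purely by observing captured Ethernet/IPv4/TCP frames, the same kind of data the packet-capture test above would use. It assumes a small, well-known mapping of TCP ports to industrial protocols and constructs its own sample frames so it runs offline; on real captures you would feed it packets read with a capture library instead.

```python
"""Passive asset discovery over captured Ethernet/IPv4/TCP frames (added
illustration, not Tripwire's code). Sample frames are constructed in-line."""
import struct
from collections import defaultdict

ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}  # assumed port map


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Construct a bare Ethernet II + IPv4 + TCP SYN frame (no payload)."""
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip, sport, dport), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                         # not Ethernet/IPv4 carrying TCP (e.g. ARP)
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    if len(frame) < 14 + ihl + 4:
        return None                         # truncated frame, no TCP ports to read
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return (frame[6:12].hex(":"), frame[0:6].hex(":"),
            ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])),
            sport, dport)


def discover_assets(frames):
    """Build an inventory keyed by MAC: observed IPs and ICS services offered."""
    inventory = defaultdict(lambda: {"ips": set(), "services": set()})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue                        # only IPv4/TCP is modelled here
        src_mac, dst_mac, src_ip, dst_ip, _sport, dport = parsed
        inventory[src_mac]["ips"].add(src_ip)
        inventory[dst_mac]["ips"].add(dst_ip)
        if dport in ICS_PORTS:              # the destination is offering that service
            inventory[dst_mac]["services"].add(ICS_PORTS[dport])
    return dict(inventory)


# Constructed sample traffic: an HMI polling a PLC over Modbus/TCP, the PLC's reply, and a DNP3 poll.
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:01", "00:11:22:33:44:02", "10.0.0.10", "10.0.0.20", 51000, 502),
    build_frame("00:11:22:33:44:02", "00:11:22:33:44:01", "10.0.0.20", "10.0.0.10", 502, 51000),
    build_frame("00:11:22:33:44:03", "00:11:22:33:44:04", "10.0.0.30", "10.0.0.40", 51001, 20000),
]
```

Nothing is ever sent onto the network: every asset and service in the inventory is inferred from traffic that was already there, which is exactly why this approach does not put device availability at risk.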