OT and ICS Asset Discovery and Risk Evaluations
March 26, 2021
Lucidum Official

Industrial and critical infrastructure (OT/ICS) organizations know that threats from adversaries continue to become more sophisticated. However, they still struggle to keep an accurate inventory of the assets that they need to protect, let alone actually implement strategies to evaluate the risks for those assets and keep those assets protected. The solution to this problem is an automatic and integrated asset discovery and management platform for OT/ICS environments.

What is OT/ICS?

OT or Operational Technology encompasses the computing systems that manage industrial operations. This includes monitoring of Oil & Gas, the Electric Utility Grid, manufacturing operations, and more. OT runs the networks with different hardware and software components to form the critical infrastructures of the whole industry.

Industrial Control System (ICS) includes both Supervisory Control and Data Acquisition (SCADA) and Distributed Control System (DCS). ICS is the collection of individual components that make up an OT environment, for example,

Instruments running in a manufacturing lab
Sensors and controllers in a natural gas facility

OT/ICS vs. IT

OT and ICS environments can be very different from IT environments as listed below:

| Differences           | OT/ICS                                                  | IT                                                                  |
|-----------------------|---------------------------------------------------------|---------------------------------------------------------------------|
| Emphasis              | High availability first                                 | High security first                                                 |
| Maintenance           | Vendors or third parties                                | Internal IT department                                              |
| Technology Lifecycle  | 10-15 years                                             | 3-5 years                                                           |
| Running Environment   | Isolated in remote locations with limited access        | Corporate IT network or cloud environment, fully connected          |
| Change in Environment | Relatively fixed and stable for greater reliability     | Keeps changing with new assets (e.g., BYOD mobiles or VPN devices)  |
| Network Protocol      | Older or proprietary (e.g., Modbus, BACnet, ControlNet) | Newer and more open (e.g., TCP, UDP, SNMP)                          |
| Operating System      | Older or proprietary (manufacturer dependent)           | Newer and more generic (e.g., Windows, Linux, macOS)                |

These differences result in significant challenges to traditional asset discovery methodologies in OT and ICS environments:

Agent-based asset discovery: This won’t work in most cases because of the proprietary operating systems and limited system resources. For example, the Symantec Endpoint Protection client requires Windows, Mac, or Linux systems with at least 1GB of RAM, which many OT/ICS devices cannot satisfy.
Network-based asset discovery: Network scanning can’t be used in these environments either, because of the proprietary network protocols and high-availability constraints. For example, the Nmap scanner relies on TCP/UDP to fingerprint network devices, while these protocols may not be supported in OT and ICS environments. Furthermore, active network scans can be too resource-intensive and have negative impacts on OT/ICS system performance and reliability.

Then the question is, how do you discover the assets in an OT/ICS environment without agents or network scanners? The answer is an asset discovery platform that builds on existing asset data. OT and ICS environments already accumulate different types of data, for example,

DHCP and DNS logs (such as Infoblox DHCP server logs)
Network flow and traffic logs (such as Palo Alto firewall logs)
Network identity services (such as Cisco ISE active sessions)

Combining and triangulating these different types of OT/ICS data in a cybersecurity asset management platform forms the foundation of OT/ICS visibility into all of the hardware and software in your network, all of the users, accounts, patches, vulnerabilities, network device configurations, operating system settings, device status, locations, etc. Having this kind of inventory at your fingertips significantly reduces the cost and time invested in asset management in OT/ICS environments.

Risk Evaluation in OT/ICS

OT/ICS asset discovery is just one aspect of the problem. The other aspect is OT/ICS compliance, security, and risk. When a complete asset inventory of the OT/ICS environment is combined with the alerts and known vulnerabilities associated with those assets, who they are communicating with, the ports and protocols used, the volume of data, and other pertinent details, the information becomes even more meaningful. An up-to-date and accurate asset inventory with enriched contextual information will increase the cybersecurity maturity of your industrial environment by centralizing all asset data into one view to Identify, Protect, Detect, Respond and Recover from a single platform.

For example, your SIEM may detect abnormal network traffic going to one IP address x.x.x.x. A single IP address on its own doesn’t give the security team much to investigate. However, with a comprehensive asset discovery and management platform in place, the team will be able to:

Associate this IP address with one asset, such as a lab instrument or engineering workstation
Identify this asset’s contextual information, such as its criticality, location, and known vulnerabilities
Evaluate this asset’s risk based on the contextual information and rank the assets by their risk scores. For example, this asset will have a higher risk score if it is critical to the safety and reliability of the OT process and is still running firmware with severe vulnerabilities.
Alert the security team about the high-risk assets so they can take remedial action. For example, the security team can block network access from these assets, or update the assets’ firmware or operating system to the latest version.

With the help of the asset discovery and management platform, security analysts can assess OT/ICS risk holistically, locate the risky OT/ICS assets easily and start to mitigate the risks quickly for more effective defense, stronger security controls and better compliance.

Lucidum Asset Discovery Platform

Lucidum is an open-API data ingestion platform that ingests data from your IT/OT/ICS and security operations, management, protection, and detection solutions, including structured and unstructured data from your data lake, through APIs or static files, whether on-prem or in the cloud.

Lucidum also provides comprehensive risk scores that incorporate different factors from IT/OT/ICS environments, so you can apply different security controls based on the risks and improve your security posture. Solutions like Lucidum enable powerful asset discovery, risk evaluation and security enhancement, with little impact on your IT/OT/ICS environment.