Protect Your Environment from Unknowns

Industrial and critical infrastructure (OT/ICS) organizations know that threats from adversaries are continuously evolving and becoming more sophisticated. Keeping an accurate inventory of all known and unknown assets can be a struggle, especially when the need arises to implement strategies to evaluate and mitigate risks. The solution? Integrating an automatic asset discovery and management platform into your OT/ICS environments.


What is OT/ICS?

OT, or Operational Technology, encompasses the computing systems that manage industrial operations, such as the monitoring of oil and gas production, the electric utility grid, and manufacturing operations. OT networks combine a wide range of hardware and software components to form the critical infrastructure of an entire industry.

Industrial Control Systems (ICS) include both Supervisory Control and Data Acquisition (SCADA) systems and Distributed Control Systems (DCS). ICS is the collection of individual components that make up an OT environment, for example:

  • Instruments running in a manufacturing lab
  • Sensors and controllers in a natural gas facility


OT/ICS vs. IT

OT and ICS environments can be very different from IT environments:

Differences           | OT/ICS                                                    | IT
----------------------|-----------------------------------------------------------|------------------------------------------------------------
Emphasis              | High availability first                                   | High security first
Maintenance           | Vendors or third parties                                  | Internal IT department
Technology Lifecycle  | 10-15 years                                               | 3-5 years
Running Environment   | Isolated in remote locations with limited access          | Corporate IT network or cloud environment, fully connected
Change in Environment | Relatively fixed and stable for greater reliability       | Keeps changing with new assets (e.g., BYOD mobiles or VPN devices)
Network Protocol      | Older or proprietary (e.g., Modbus, BACnet, ControlNet)   | Newer and more open (e.g., TCP, UDP, SNMP)
Operating System      | Older or proprietary (manufacturer dependent)             | Newer and more generic (e.g., Windows, Linux, macOS)

These differences result in significant challenges to traditional asset discovery methodologies in OT and ICS environments:

  • Agent-based asset discovery: This is difficult to achieve in most cases due to the proprietary operating systems and limited system resources. For example, Symantec Endpoint Protection requires Windows, Mac, or Linux systems with at least 1GB of RAM, which many OT/ICS devices won’t satisfy.
  • Network-based asset discovery: The network scanning approach can’t be used in these environments either, due to proprietary network protocols and high-availability constraints. For example, the Nmap scanner relies on TCP/UDP to fingerprint network devices, and these protocols may not be supported in OT and ICS environments. Active network scans can also be too resource-intensive and may negatively impact OT/ICS system performance and reliability.


Discovering Assets

How do you discover the assets in an OT/ICS environment without agents or network scanners? The answer is an asset discovery platform based on existing asset data. OT and ICS environments already accumulate different types of data:

  • DHCP and DNS logs (such as Infoblox DHCP server logs)
  • Network flow and traffic (such as Palo Alto Firewall logs)
  • Network identity services (such as Cisco ISE active sessions)

Combining and triangulating these different types of OT/ICS data in a cybersecurity asset management platform forms the foundation of complete OT/ICS visibility into the hardware and software in your network.

This includes all of the users, accounts, patches, vulnerabilities, network device configurations, operating system settings, device status, locations, etc. Having this kind of inventory right at your fingertips significantly reduces the cost and time invested in asset management in OT/ICS environments.


Risk Evaluation in OT/ICS

OT/ICS asset discovery is just one part of the problem. The other is OT/ICS compliance, security, and risk. When a complete asset inventory of the OT/ICS environment is combined with the alerts and known vulnerabilities associated with those assets, who they are communicating with, the ports and protocols used, the volume of data, and other pertinent details, the information becomes even more meaningful.

An accurate asset inventory with real-time data will increase the cybersecurity maturity of your environment by centralizing all asset data into one single view which helps you Identify, Protect, Detect, Respond, and Recover.

For example, your SIEM may detect abnormal network traffic going to one IP address x.x.x.x. With only one IP address, it doesn’t give the security team much information to use in their investigation. However, with a comprehensive asset discovery and management platform in place, the security team is able to:

  • Connect the IP address with one asset, such as a lab instrument or engineering workstation
  • Identify the asset’s contextual information, such as its criticality, location, and known vulnerabilities
  • Evaluate the asset’s risk based on real-time data and prioritize assets by their risk scores. For example, an asset receives a higher risk score if it is critical to the safety and reliability of the OT process while running firmware with severe vulnerabilities
  • Alert the security team on the high-risk assets to take immediate action.

With the help of the asset discovery and management platform, security analysts can assess potential OT/ICS risks and mitigate them in real time. This process creates a more effective defense, stronger security controls, and better compliance.
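As an added illustration (not part of the original post or of Lucidum's product), the Python sketch below triangulates the three passive data sources listed under Discovering Assets into one inventory and then enriches a bare SIEM alert IP the way the bullets above describe. The log formats, hostnames, MAC addresses, and the CMDB/CVSS values are constructed assumptions, and the risk formula is a simple stand-in, not any vendor's scoring.

```python
import re

# Constructed sample records (not real logs); simplified stand-ins for Infoblox
# DHCP leases, Palo Alto traffic logs and Cisco ISE sessions. All values invented.
DHCP_LOG = """\
DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (plc-line3) via eth0
DHCPACK on 10.20.1.40 to 00:1a:2b:3c:4d:99 (eng-ws-07) via eth0
"""
FLOW_LOG = """\
src=10.20.1.15 dst=10.20.1.40 dport=502 proto=tcp bytes=1200
src=10.20.1.15 dst=203.0.113.9 dport=443 proto=tcp bytes=98000
"""
ISE_SESSIONS = {"00:1a:2b:3c:4d:5e": "controller", "00:1a:2b:3c:4d:99": "workstation"}
# Assumed CMDB / vulnerability feed: process criticality and worst known firmware CVSS.
CMDB = {"plc-line3": {"critical": True, "max_cvss": 9.8},
        "eng-ws-07": {"critical": False, "max_cvss": 5.3}}

DHCP_RE = re.compile(r"DHCPACK on (\S+) to (\S+) \((\S+)\)")
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+) bytes=(\d+)")

def build_inventory(dhcp_log, flow_log, ise_sessions):
    """Triangulate passive sources into one asset record per IP (no scanning)."""
    assets = {}
    for ip, mac, host in DHCP_RE.findall(dhcp_log):          # IP -> MAC / hostname
        assets[ip] = {"mac": mac, "hostname": host,
                      "device_type": ise_sessions.get(mac, "unknown"),
                      "peers": set(), "ports": set(), "bytes_out": 0}
    for src, dst, port, proto, nbytes in FLOW_RE.findall(flow_log):
        if src in assets:                                     # who it talks to, and how
            assets[src]["peers"].add(dst)
            assets[src]["ports"].add(f"{proto}/{port}")
            assets[src]["bytes_out"] += int(nbytes)
    return assets

def risk_score(asset, cmdb):
    """Critical process assets running vulnerable firmware score highest (0-10)."""
    info = cmdb.get(asset["hostname"], {"critical": False, "max_cvss": 0.0})
    weighted = info["max_cvss"] * (1.5 if info["critical"] else 1.0)
    return round(min(weighted, 10.0), 1)

def enrich_alert(ip, assets, cmdb):
    """Turn a bare SIEM alert IP into asset context; unknown IPs are flagged."""
    asset = assets.get(ip)
    if asset is None:
        return {"ip": ip, "known": False}
    return {"ip": ip, "known": True, **asset, "risk": risk_score(asset, cmdb)}

def triage(ip):
    """Convenience entry point over the constructed sample data above."""
    return enrich_alert(ip, build_inventory(DHCP_LOG, FLOW_LOG, ISE_SESSIONS), CMDB)
```

An alert on 10.20.1.15 resolves to the critical controller talking Modbus (tcp/502) to the engineering workstation and HTTPS to an address the inventory has never seen, which is exactly the context the bare IP lacked.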


Lucidum Asset Discovery

Lucidum’s machine learning discovers, identifies, and classifies all of your assets, users, and data across your IT/OT/ICS environments, whether on-prem or in the cloud. By connecting previously siloed information, our algorithms reliably extrapolate security information that your team can rely on. Our risk scoring allows your team to better understand the threat landscape and see 100% of your environment, with little impact on your IT/OT/ICS environment.