
How To Discover and Protect Your OT Assets

As the disciplines of IT and Operational Technology (OT) continue to converge, organizations find themselves challenged to provide threat protection, risk management and asset monitoring. It all starts with a strong asset discovery and detection plan.

For years now, CISOs have tried to come to grips with the convergence of two equal but distinct parts of the business — IT and Operational Technology (OT) — and what it means for the overall cybersecurity posture of industrial enterprises.

The first question is: Where to start? 

How best to address this question was the central premise of the Tenable webinar, Practical Industrial Control System Cybersecurity: IT and OT Have Converged, Discover and Defend Your Assets. Hosted by SANS, the webinar featured: Doug Wylie, Director, Industrials & Infrastructure Business Portfolio, SANS Institute; Dean Parsons, Information Security Officer, Nalcor Energy; and Ted Gary, Senior Product Marketing Manager with Tenable. The three discussed how the disciplines of IT and OT have changed over the years and explored what is needed to reconcile the two in order to improve threat protection, risk management and asset monitoring.

Industrial Digitization 

For decades, OT systems remained outside the control of IT, effectively "air-gapped" from interacting with systems connected to public internet services. By mid-2005, much of that changed as Ethernet became the standard network gear connecting all manner of endpoints, including those within industrial systems.

By late 2010, IT and OT systems had started to converge as businesses began to see the early benefits of digital transformation. Converged IT and OT systems can ease the sharing of information and provide granular data from industrial machinery to help organizations uncover new operational efficiencies.

So, what’s the downside? Connected IT and OT systems expand the attack surface, and businesses need to rethink their risk assessment practices within this converged world. 

Securing converged IT and OT systems is easier said than done. In an ideal world, an organization would build its converged IT and OT network architecture from the ground up, using a reference architecture suggested by the US Department of Homeland Security or another entity. This would take into account the need for features such as a "DMZ" between the IT and OT systems to ensure greater cybersecurity. 

"This is certainly the ideal situation, and if we were going to build an Industrial Control System cookie factory today, this is where we would start," Parsons said.

In reality, most businesses are faced with trying to secure OT systems which were designed as closed networks years ago and retrofitted repeatedly over the years to meet business needs. 

So, how can a security team even find all the OT assets running on the network?

Wylie and Parsons draw their inspiration from the Center for Internet Security (CIS) and its security control list for Industrial Control Systems (ICS). Specifically, they point to the first three controls: inventory and control of hardware assets, inventory and control of software assets, and continuous vulnerability management.

From there, security teams can use four different methods to discover assets:

  • Physical inventory
  • Passive monitoring and discovery
  • Active scanning
  • Additive sources

While each of these methods alone can't discover all the assets on the network, when taken together, these four tactics can produce a holistic picture of the converged system, while creating a comprehensive inventory. The key is knowing which method to use for which assets to avoid any unintended downtime. For example, physical inventory and passive monitoring and discovery pose less risk of downtime for OT systems than active scanning, which is best reserved for non-operational systems. 

Patching Smartly

Once all the assets are discovered, the question becomes how to assess the risk and determine which vulnerabilities are worth patching first.

In most cases, risk assessment is based on the CVSS score assigned to a given vulnerability. However, Wylie suggested security professionals would do well to consider each of the elements that go into the final CVSS number: some of them may be less relevant to your particular business, and knowing which ones helps as you prioritize your remediation plans.

Additional monitoring and controls can also allow for smarter patching. Parsons cited as an example a situation that might happen at a large industrial energy facility: "An energy organization in the middle of winter finds a vulnerability in software that they are using, and this vulnerability could be exploited by attackers that [are] publicly known at this point. Do they patch? In the middle of winter in an area that is north like Canada, we have a lot of storms and cold weather. It's not an ideal time to change the process, to increase the risk of the system going down because of the patch. Yet, the vulnerability remains, so how do you work around that? [P]atching smartly in this context is really about understanding what is there and how you do controls between now and the middle of winter and perhaps in spring … to keep the actual ICS process up, and patch smartly when you can so you won't disrupt the system. The idea here is to maintain the safety and the ability of operations and that's the utmost."

Risk Management as Part of The Maintenance Lifecycle

How can organizations assess risk when trying to maintain converged IT and OT systems? As Tenable's Gary noted, the risks companies face change over time as new vulnerabilities are discovered and the threat landscape evolves.

Gary said, "When you make changes to devices on your network, you can introduce new risks that need to be mitigated. But I think a key point is, even if you don't change anything, the environment from a risk point-of-view can change. There can be new vulnerabilities that are discovered that weren't there a month ago or a week ago. There could be ones very important to you … there can be new exploits to them, so the threat landscape can change as well."

For these reasons, Gary recommended making risk management part of the maintenance lifecycle of your OT equipment.
