How To Discover and Protect Your OT Assets

Team Tenable

As the disciplines of IT and Operational Technology (OT) continue to converge, organizations find themselves challenged to provide threat protection, risk management and asset monitoring. It all starts with a strong asset discovery and detection plan.

For years now, CISOs have tried to come to grips with the convergence of two equal but distinct parts of the business — IT and Operational Technology (OT) — and what it means for the overall cybersecurity posture of industrial enterprises.

The first question is: Where to start? 

How best to address this question was the central premise of the Tenable webinar, Practical Industrial Control System Cybersecurity: IT and OT Have Converged, Discover and Defend Your Assets. Hosted by SANS, the webinar featured: Doug Wylie, Director, Industrials & Infrastructure Business Portfolio, SANS Institute; Dean Parsons, Information Security Officer, Nalcor Energy; and Ted Gary, Senior Product Marketing Manager with Tenable. The three discussed how the disciplines of IT and OT have changed over the years and explored what is needed to reconcile the two in order to improve threat protection, risk management and asset monitoring.

Industrial Digitization 

For decades, OT systems remained outside the control of IT, effectively "air-gapped" from interacting with systems connected to public internet services. By mid-2005, much of that changed as Ethernet became the standard network gear connecting all manner of endpoints, including those within industrial systems.

By late 2010, IT and OT systems had started to converge as businesses began to see the early benefits of digital transformation. Converged IT and OT systems can ease the sharing of information and provide granular data from industrial machinery to help organizations uncover new operational efficiencies.

So, what’s the downside? Connected IT and OT systems expand the attack surface, and businesses need to rethink their risk assessment practices within this converged world. 

Securing converged IT and OT systems is easier said than done. In an ideal world, an organization would build its converged IT and OT network architecture from the ground up, using a reference architecture suggested by the US Department of Homeland Security or another entity. This would take into account the need for features such as a "DMZ" between the IT and OT systems to ensure greater cybersecurity. 

"This is certainly the ideal situation, and if we were going to build an Industrial Control System cookie factory today, this is where we would start," Parsons said.

In reality, most businesses are faced with trying to secure OT systems which were designed as closed networks years ago and retrofitted repeatedly over the years to meet business needs. 

So, how can a security team even find all the OT assets running on the network?

Wylie and Parsons draw their inspiration from the Center for Internet Security (CIS) and its security control list for Industrial Control Systems (ICS), specifically the first three controls: inventory and control of hardware assets, inventory and control of software assets, and continuous vulnerability management.

From there, security teams can use four different methods to discover assets:

  • Physical inventory
  • Passive monitoring and discovery
  • Active scanning
  • Additive sources

No single method can discover every asset on the network, but taken together these four tactics produce a holistic picture of the converged system and a comprehensive inventory. The key is knowing which method to use for which assets so as to avoid unintended downtime: physical inventory and passive monitoring pose far less risk of downtime for OT systems than active scanning, which is best reserved for non-operational systems.
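To show how the four sources fit together, here is an added example (not from the webinar or any Tenable product) that merges constructed records from a physical walk-down, passive monitoring, an active scan of the non-operational segment and an additive source into one inventory, flags assets the walk-down missed, and clears only confirmed non-operational assets for active scanning. The record schema and the ICS protocol list are assumptions for the example.

```python
"""Reconcile the four discovery sources into one inventory and decide which
assets may be actively scanned. All records below are constructed samples."""
from collections import defaultdict

PHYSICAL = [  # walk-down inventory: asset tag and operational role
    {"mac": "00:1d:9c:aa:00:01", "name": "PLC-Line1", "role": "operational"},
    {"mac": "00:1d:9c:aa:00:02", "name": "HMI-Line1", "role": "operational"},
    {"mac": "00:0c:29:bb:00:10", "name": "HIST-01", "role": "non-operational"},
]
PASSIVE = [  # observed on a SPAN port: protocols each MAC was seen speaking
    {"mac": "00:1d:9c:aa:00:01", "ip": "10.10.1.10", "protos": {"modbus"}},
    {"mac": "00:1d:9c:aa:00:02", "ip": "10.10.1.20", "protos": {"modbus", "http"}},
    {"mac": "00:1d:9c:aa:00:03", "ip": "10.10.1.30", "protos": {"modbus"}},  # missed by walk-down
]
ACTIVE = [  # scan results, run only against the non-operational segment
    {"mac": "00:0c:29:bb:00:10", "ip": "10.10.2.10", "os": "Windows Server"},
]
ADDITIVE = [  # e.g. DHCP leases or a CMDB export
    {"mac": "00:0c:29:bb:00:10", "ip": "10.10.2.10", "hostname": "hist-01"},
    {"mac": "00:0c:29:bb:00:11", "ip": "10.10.2.11", "hostname": "eng-ws-01"},
]
ICS_PROTOCOLS = {"modbus", "dnp3", "s7comm", "ethernet/ip"}  # assumed list for the example


def reconcile(physical=PHYSICAL, passive=PASSIVE, active=ACTIVE, additive=ADDITIVE):
    """Merge records by MAC into {mac: {"sources", "role", "protos", "safe_to_scan", ...}}."""
    inv = defaultdict(lambda: {"sources": set(), "role": "unknown", "protos": set()})
    sources = (("physical", physical), ("passive", passive), ("active", active), ("additive", additive))
    for src, records in sources:
        for r in records:
            a = inv[r["mac"]]
            a["sources"].add(src)
            a["protos"] |= r.get("protos", set())
            if "role" in r:
                a["role"] = r["role"]
            for k in ("ip", "name", "hostname", "os"):
                if k in r:
                    a[k] = r[k]
    for a in inv.values():
        # Anything seen speaking an ICS protocol is treated as operational even if the
        # walk-down missed it; only confirmed non-operational assets are cleared for scanning.
        if a["protos"] & ICS_PROTOCOLS and a["role"] == "unknown":
            a["role"] = "operational"
        a["safe_to_scan"] = a["role"] == "non-operational"
    return dict(inv)


def gaps(inv):
    """MACs seen on the wire or in additive sources but absent from the physical inventory."""
    return sorted(m for m, a in inv.items() if "physical" not in a["sources"])
```

Running `gaps(reconcile())` lists the Modbus device and the engineering workstation that the walk-down never recorded; the unknown workstation stays excluded from active scanning until someone classifies it.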

Patching Smartly

Once all the assets are discovered, the question becomes how to assess the risk and determine which vulnerabilities are worth patching first.  

In most cases, risk assessment is based on the CVSS score assigned to a given vulnerability. However, Wylie suggested that security professionals would do well to consider each of the elements used to arrive at the final CVSS number: some of those elements may be less relevant to a particular business, and recognizing that helps when prioritizing remediation plans.

Additional monitoring and controls can also allow for smarter patching. Parsons cited as an example a situation that might happen at a large industrial energy facility: "An energy organization in the middle of winter finds a vulnerability in software that they are using, and this vulnerability could be exploited by attackers that [are] publicly known at this point. Do they patch? In the middle of winter in an area that is north like Canada, we have a lot of storms and cold weather. It's not an ideal time to change the process, to increase the risk of the system going down because of the patch. Yet, the vulnerability remains, so how do you work around that? [P]atching smartly in this context is really about understanding what is there and how you do controls between now and the middle of winter and perhaps in spring … to keep the actual ICS process up, and patch smartly when you can so you won't disrupt the system. The idea here is to maintain the safety and the ability of operations and that's the utmost."

Risk Management as Part of The Maintenance Lifecycle

How can organizations assess risk when trying to maintain converged IT and OT systems? As Tenable's Gary noted, the risks companies face change over time as new vulnerabilities are discovered and the threat landscape evolves.

Gary said, "When you make changes to devices on your network, you can introduce new risks that need to be mitigated. But I think a key point is, even if you don't change anything, the environment from a risk point-of-view can change. There can be new vulnerabilities that are discovered that weren't there a month ago or a week ago. There could be ones very important to you … there can be new exploits to them, so the threat landscape can change as well."

For these reasons, Gary recommended making risk management part of the maintenance lifecycle of your OT equipment.


Published on Aug 7, 2019
