Solid asset management sits at the foundation of all cybersecurity activities. Enumerating assets into a solid inventory, tracking their current state – including configurations and versions deployed, and mapping their relationships all go a long way toward gaining better clarity into where the biggest risks lie. In ICS settings industrial organizations often struggle to get the kind of OT asset visibility they need to manage and secure the full range of technology assets running their industrial operations.
IT-specific asset inventory and monitoring tools are unable to accurately or safely track OT assets, leaving organizations with a mishmash of manual and siloed collection processes for inventorying OT assets. Not only is this time intensive, the resulting inventory is inaccurate and rarely updated.
This is the fourth in a series of blogs that we have been writing to explain how an OT asset visibility program supported by automated collection can lighten the burden of asset management and offer timely visibility into OT environments. The series has been taking a look at the security benefits this provides industrial organizations – starting with the fundamentals of providing a clear view into what normal looks like for OT infrastructure, and visualizing the relationships between assets.
Further to these principles, another huge set of advantages provided by an automated OT asset visibility program are those around threat detection.
OT asset visibility enables better threat detection
Threat detection and asset visibility tools are like two sides of the same coin in OT cybersecurity.
Asset discovery and monitoring tools made specifically for OT environments feed threat detection mechanisms with valuable context. For example, a threat detection rule that fires because of east-west traffic flow has an entirely different context if that traffic is to an HMI versus a Safety Instrumented System (SIS). Meantime, threat detection tools extend the analysis of what’s going on within OT infrastructure and offer a sanity check for when anomalies present themselves within a managed asset portfolio. That’s because anomalies in asset status, like a workstation being offline when it may have intentionally been taken down for maintenance, don’t necessarily mean that a threat is present.
As things stand currently, the industrial community still struggles to enrich its threat detection capabilities with robust visibility into ICS environments. According to the latest Dragos Year in Review, during 2021, Dragos uncovered that 86% of its professional services customers had limited to no visibility into their ICS environment.
While it is true that a passive network detection approach for threat detection doesn’t necessarily require complete asset visibility to pick up on threat activity operating between assets, it’s definitely easier to identify threats within fully visible assets.
Visibility and an established baseline for asset inventory and behaviors adds crucial contextual clues to speed up threat detection. Certain changes could be good or bad, and the deviation wouldn’t necessarily be something on which an organization would want to trigger an alert. However, asset information coupled with threat behavior data provides greater fidelity for OT threat detection that can tell the difference between changes related to adversary tactics, techniques and procedures (TTP) versus those related to planned operational changes.
The point is that threat detection alone isn’t enough to power an efficient OT cybersecurity program. And asset visibility alone isn’t enough, either. It’s when the two are coupled together that and industrial organizations starts to gain comprehensive threat visibility.