There’s a common saying in the cybersecurity community: You cannot protect what you cannot see. Asset visibility is the foundation of most cybersecurity activities, yet many companies struggle to understand their own network infrastructure. Industry 4.0 and digital transformation have exponentially increased connectivity between operational technology (OT) systems, information technology (IT) and the cloud. Technology footprints are expanding, and that creates new potential attack vectors that threat actors can exploit.
According to Major Yair Attar, co-founder and CTO of Otorio — a company that solves real-world security challenges for OT environments — the OT threat landscape has evolved over the last few years to become much more dynamic.
The state of OT security
OT networks are complex environments built from many different technology vendors and multi-generation solutions. Technology from decades ago, built before cybersecurity was really a concern, is still in heavy use. This means many OT systems are insecure by design.
“[OT networks] now are much more connected and open to the outside world,” Attar said. “This interconnected nature of these systems means that compromise of one part of the network, or one type of digital assets, can potentially cascade and affect throughout the entire environment.”
The threat landscape is also growing dynamically, so it is much easier to attack systems and create an impact. For example, ransomware-as-a-service (RaaS) is a relatively new business model in which people or organizations can purchase “off-the-shelf” malware to run attacks, even if they don’t have much technical experience. According to Attar, within the last three years, ransomware attacks on critical infrastructure have grown by more than 200%.
How asset visibility can help
Because you can’t protect what you don’t know, asset visibility is the first crucial phase when it comes to strengthening the security posture of the operational environment. To start, organizations must understand what they have in their environment, where it’s located and how it’s connected.
“This is the first step of really understanding, both from an attack perspective but also from a defender perspective, ‘What’s my attack surface?’” Attar said. “Now, I will say that organizations should not fall in love with identifying every last byte of each asset, but it’s really gaining extended visibility into the assets context.”
What does asset visibility mean? It means knowing your assets’ characteristics, relationships, locations and owners. But more than that, you must understand their operational and business impact. Not all assets are equal.
“One can invest in hardening his so-called crown jewels, the most critical assets that he has, without understanding that maybe there’s a much less important asset that is actually connected directly to those assets,” Attar said. “I think those are the critical paths or those are the critical items to gain visibility on.”
According to Attar, there are four key elements security professionals or practitioners should know about when managing an organization’s OT environment.
- Gaining extended visibility: understanding assets, their interconnectivity, their vulnerabilities, and their operational context and impact.
- Understanding the roles and impact of the environment’s security controls: knowing how your security controls are actually configured.
- Understanding the residual risk: what is really exposed, and how much risk remains with your security controls in place.
- Knowing the proper call to action: how to close potential gaps without disrupting operations.
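The point Attar makes about crown jewels reached through less important assets, and the residual-risk element above, can be made concrete with a small inventory model. This is an added example, not code from the article or from Otorio; the assets, links and firewall rule are constructed, and a security control is modelled simply as a block between two zones.

```python
from collections import deque

# Constructed sample inventory (not from the article). Each entry carries the
# context the article asks for: kind, zone (location), owner and criticality,
# with 5 marking a "crown jewel".
ASSETS = {
    "PLC-01":  {"kind": "PLC",           "zone": "control",   "owner": "ops", "criticality": 5},
    "HMI-01":  {"kind": "HMI",           "zone": "control",   "owner": "ops", "criticality": 3},
    "HIST-01": {"kind": "historian",     "zone": "dmz",       "owner": "it",  "criticality": 2},
    "EWS-01":  {"kind": "eng workstn",   "zone": "corporate", "owner": "it",  "criticality": 2},
    "VPN-GW":  {"kind": "remote access", "zone": "corporate", "owner": "it",  "criticality": 1},
}
# Constructed direct connections (undirected) and one constructed security
# control: a firewall that blocks corporate <-> control traffic.
LINKS = [("VPN-GW", "EWS-01"), ("EWS-01", "HIST-01"), ("HIST-01", "HMI-01"),
         ("HMI-01", "PLC-01"), ("EWS-01", "PLC-01")]
FIREWALL = {frozenset({"corporate", "control"})}

def link_allowed(assets, a, b, blocked):
    """A deployed control is modelled as a block between two zones."""
    za, zb = assets[a]["zone"], assets[b]["zone"]
    return frozenset((za, zb)) not in blocked

def shortest_path(src, dst, assets, links, blocked=frozenset()):
    """BFS over the links the controls still allow; returns the node list of
    the shortest path, or None when dst is unreachable."""
    adj = {}
    for a, b in links:
        if link_allowed(assets, a, b, blocked):
            adj.setdefault(a, []).append(b)
            adj.setdefault(b, []).append(a)
    seen, queue = {src}, deque([[src]])
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in adj.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def exposure_report(assets, links, blocked=frozenset(), jewel_level=5):
    """Residual-risk view: for each crown jewel, the lower-criticality assets
    that can still reach it with the given controls in place, and the path."""
    jewels = [n for n, m in assets.items() if m["criticality"] >= jewel_level]
    others = [n for n in assets if n not in jewels]
    return {j: {o: p for o in others
                if (p := shortest_path(o, j, assets, links, blocked))} for j in jewels}
```

With the firewall alone the PLC is still reachable from the remote-access gateway through the historian and HMI; only adding a second block between the dmz and control zones removes that path.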
How to get started on asset visibility
When starting the asset visibility journey, a company needs to understand the resources it has to own and manage the process and technology. Attar said this really starts with people from both sides of the organization: IT security people and operational teams or engineers.
“One alone should not start this journey without the additional support and know-how of the other,” Attar said. “The OT security space is a place where collaboration is needed. For a lot of years, those environments were built to some extent without the security practice in mind or without a lot of security mechanisms in mind. But on the contrary, when IT security folks are entering this domain, they don’t always understand the consequences of taking an action.”
Besides people, processes and workflows are a crucial part of a successful asset visibility journey. Teams must answer questions like: What do I do with this information? How do I leverage it? What is it for? Companies must make sure this information is gathered and integrated into workflows. If the resources do not exist internally, organizations should enlist a service provider to perform an assessment.
Once those are in place, Attar recommends finding a scalable technology that does not create a lot of operational noise. You need to identify the technology that can really help you grow and address future challenges. That means it should be able to integrate data from many different sources, exchange data with other ecosystem solutions, serve both operational and security teams, and even automate existing workflows and processes.
For more installments from our expert interview series, check out our Industrial Cybersecurity Pulse YouTube page.