Imagine the following scenario.
You’re the CEO of an independent crude oil pipeline operator serving a dozen fields in the Permian Basin, and the recent ransomware attack on Colonial Pipeline has got you thinking. So far, your company has only suffered a few small-scale cyberattacks, and while those incidents were certainly annoying, they never posed a major threat to business operations. But with the U.S. government warning midstream operators of mounting risk and issuing new cybersecurity requirements, you’re concerned. You decide it’s time to take action, so you call your chief technology officer.
At the beginning of the conversation, your CTO notes that compliance with the new requirements is only possible if your company engages in asset discovery in order to obtain a new, accurate inventory covering all of its information technology (IT) and operational technology (OT) systems. The current inventory, she explains, only covers IT systems. You remember that the CTO and her team were highly satisfied with the cybersecurity vendor that provided the asset discovery services for the existing inventory, so you ask whether that vendor can expand on its previous work. She recommends against it, however, and suggests that the company choose from a range of more specialized (and more expensive) vendors instead.
You ask: Why?
She answers: Because asset discovery in IT environments is just not the same as it is in OT environments.
IT and OT systems are inescapably different
This is, of course, a fictional scenario, but it’s not a fanciful one. Asset discovery in OT environments really is different from asset discovery in IT environments.
The main reason is that the assets involved are different.
Cybersecurity is complicated on the IT side because the systems involved may consist of a wide array of assets – not just servers and desktop computers, but also peripherals (printers, photocopy machines, etc.), Internet of Things (IoT) monitors, mobile devices, and cloud platforms. The number and type of devices capable of accessing the system may fluctuate unpredictably, depending on the need for remote operations.
Nevertheless, these devices have important commonalities. They mostly serve to handle, process, and store data for administrative tasks. They are typically replaced every few years, and many of them are of the same make and model or running the same software. Ideally, they are updated regularly, and their users know to expect downtime when patches are applied or when cybersecurity vendors conduct periodic scanning and testing programs.
Different types of assets – and different types of threats
On the OT side, by contrast, systems may consist of a wide array of assets serving a variety of different purposes. One set of assets may be new enough, it has integrated Industrial Internet of Things (IIoT) monitors to collect data on the performance and condition of the network that can be fed into artificial intelligence (AI) module that draws up predictive and preventative maintenance schedules. Another set may have been in service for decades, remaining reliant on 30-year-old software that was designed by a company that no longer exists or that can’t be updated without voiding service contracts. Yet another set may be outfitted with extra devices that were installed during an emergency situation five years ago and never deactivated.
This type of system is more difficult to subject to asset discovery. Its components differ in age, purpose, complexity, level of sophistication, and level of compatibility. Moreover, they’re all likely to be critical to business continuity. That is, they probably can’t be taken offline without interrupting operations to an unacceptable extent. In the case of our theoretical pipeline company, for example, stopping crude oil flows to apply an emergency patch might help forestall a cyberattack, but it might also result in lost revenues, declarations of force majeure, or lawsuits over breach of contract.
Additionally, the stakes of cyberattacks on OT systems are usually different. If malicious actors interfere with IT networks, companies will lose data, trade secrets, and money. But if malicious actors interfere with OT networks, workers (and perhaps nearby communities as well) will face health and safety risks, and supply chains will be disrupted. For example, cyberattacks might render the independent pipeline company in our scenario unable to prevent ruptures that result in death or injury to maintenance crews and spills that contaminate the environment. They might also trigger fuel shortages if they interrupt deliveries of feedstock to a major refinery.
Gaining full asset visibility
So if operators of OT systems want to engage in effective asset discovery, they have to take account of these differences.
One way to do this is to seek out cybersecurity vendors that are familiar with OT environments – vendors that have experience and expertise in the relevant sectors of the industry. Without that familiarity, your vendor may have trouble setting up an asset discovery program that has the right mix of active and passive identification.
Active identification, also known as ‘standard asset discovery’ relies on software or network-based sensors to scan or ping the network to identify connected devices. By nature, this may slow or disrupt your OT systems, which can be an issue for time-sensitive industrial control systems (ICS).
Passive identification, which tends to be the preferred method, listens to the asset data that exists in the routers, switches, and firewalls at the network layer, as well as data historians, HMIs, DCSs, and SCADA platforms deployed in various control systems. Usually, these are paired with asset or log management and security tools to aggregate and correlate all of the data from these various sources to create a complete asset inventory, with little impact on the environment.
Gaining full visibility into these OT assets starts with packet visibility. And in an asset discovery use case, network TAPs (test access points) play a key role in providing this visibility. They allow you to collect complete traffic data flowing through your network without dropping packets that SPAN ports may have missed. SPAN ports may or may not be available throughout your network, leaving blind spots and unreliable data that could complicate regulation compliance. Utilizing network TAPs and Data diode TAPs, allows you to construct a complete asset inventory without risking disruption to your OT systems.
Looking to add complete packet visibility to your asset discovery platform, but not sure where to start? Join us for a brief network Design-IT evaluation or demo. No obligation - it’s what we love to do.