Much of the OT and ICS security community’s efforts and focus in recent years have been placed on creating and maintaining an OT cyber asset inventory. Now we are hearing it is not enough to know basic information such as vendor, OS, application, version numbers, and IP address. We need to know detailed information about every component that comprises each cyber asset in the form of software and hardware bills of materials (SBOMs and HBOMs).

This is stated most succinctly in a phrase that has become orthodoxy: You can’t protect what you don’t know. 

This is not true. 

Safe deposit boxes in banks are a simple example. The bank has no knowledge of what is in your safe deposit box beyond the fact that it is small enough to fit in the box. Most safe deposit box renters do not create and maintain an inventory of what is in their safe deposit box. The renter has an idea of what is in the box, much like an asset owner has an idea of what is in their OT environment.

A safe deposit box is protected: physically secured, and normally requiring two-factor authentication, in the form of a renter key and a bank key, to access. The protection isn’t perfect. With access to the room and enough physical force the protection will fail. Having a perfect asset inventory would not result in perfect protection either.

I’m not anti-asset inventory or SBOM, but the priority and orthodoxy worries me for three reasons.

  1. Asset inventory and SBOM contributions to OT cyber risk reduction are unproven. It is still early days for asset inventory and SBOM in OT. What if we find the benefits of creating and maintaining a detailed asset inventory / SBOM aren’t worth the cost? What if the pace of change in the introduction of new hardware and software in the “system”, which appears to be the future direction, makes having a highly accurate asset inventory near impossible? It sounds logical that an asset inventory is necessary and important to reduce OT cyber risk, but it is unproven at this point. It also sounds logical that patching all OT cyber assets is a key element of reducing OT cyber risk, and this is demonstrably untrue.
  2. Creating an asset inventory is touted as one of the first things an asset owner should do as part of their OT cybersecurity program. In the last year I’ve talked with multiple asset owners who were planning on beginning their OT cybersecurity program by creating an OT cyber asset inventory despite the fact they had no security perimeter between OT and IT. Last year I wrote two articles on the first six steps of an OT cybersecurity program maturity model (Part 1, Part 2). Creating an asset inventory was not in the first six maturity model levels, and was not required to be successful at those first six levels. While the actual OT cyber risk reduction benefits are still unproven, I’m inclined to believe that an OT cyber asset inventory should be part of an OT cybersecurity program. It isn’t one of the high priority items for those beginning a program.
  3. This mantra limits creative thinking, new ideas and different solutions. The safe deposit box example in this article came to me as I was working on my mini-keynote for S4x23 related to the event’s theme: Explore. This example was more applicable to the S4x22 event theme of No Limits, specifically the flip technique, where we take a mantra and imagine a world where the opposite was true: going from “you can’t protect what you don’t know” to “there will be many unknown and ever changing cyber assets that you need to protect”.

The safe deposit box has many things going for it that help with protection: the physical security a bank already has for other reasons, a trusted staff, detection in the form of cameras and alarms, and procedures. The OT environment also has many advantages over a typical IT system. OT is special purpose, limiting who needs what on the system. OT is monitoring and controlling physical systems. An attacker can only make the physical system do what it is capable of doing based on the I/O and physical limitations. Consequence reduction is often easier in OT.

We need the creative talent in the OT security space, and those entering this space from outside, to challenge orthodoxy, like “you can’t protect what you don’t know”, and develop new approaches to manage OT cyber risk. They might fail. We need more failed ideas in OT cyber risk management.