One of the most common OT Security mantras this decade is “You Can’t Protect What You Don’t Know”. Have you heard that one? It implies that without an accurate and detailed asset inventory you can’t protect cyber assets. You Can’t Protect What You Don’t Know.
This is provably wrong. Consider the contents in a safe deposit box in a bank or anything locked away in a drawer in an office. You may not know what is in that box or drawer, and yet its contents are protected by the physical security of the building, office, and box or drawer. There can be guards and guns monitoring the entrances and roaming the halls protecting some unknown and unspecified valuables. You can have cameras and motion detectors identifying threats and triggering a response.
We see the equivalent in the cyber world. You can have a firewall providing protection at the OT security perimeter without knowing what’s behind it. Two-factor authentication for remote access to the OT environment is protecting unknown cyber assets. Even the OT detection products that create asset inventories and often say “You Can’t Protect What You Don’t Know” are in fact detecting attacks even if there is no asset inventory.
What might be fair to say is “You Can Provide Better Protection If You Know What You’re Protecting”.
How much better? and at what cost? Is an asset inventory that is 80% accurate better? How much better than an asset inventory that is 98% accurate? How much does it cost to create and maintain these asset inventories? How much improvement in our key mission metrics will be achieved and at what cost? We’re not even trying to answer these questions. I’d encourage you to start.
This is an excerpt from my keynote: OT Security … From Speculation To Science. I have more thoughts on asset inventories for OT, but I want to let this one sit here for a minute. We should be careful about repeating popular mantras that are clearly wrong, and we need to be measuring the effectiveness of every OT security product / project / policy that we choose to pursue.