My article last week debunked the claim that “you can’t protect what you don’t know”. Many of the public and private comments insisted that an asset inventory is required to provide any protection, and stressed that it is foundational, one of the first things that should be done in an OT security program.
Ok, I’ll play along. Let’s agree that you can’t protect what you don’t know. What does “know” mean? How much do you have to know before you can protect the cyber asset, system or cyber/physical process?
- Can we protect if we know the IP address, device name and description?
- Do you also need to know the version number of the key application and OS … and what else?
- Do you need to know physically where it’s located?
- Do you need to know its communication patterns?
- Do you need to know its criticality?
- Do you need to know the secure configuration parameters?
- Do you need to know if there is redundancy for this component?
- Do you need to know the owner, person in charge of maintenance, support contract and vendor info?
- Do you need the change management log?
- And so on. If you look at a mature asset inventory tool there are a lot of possible fields.
When the choir sings “you can’t protect what you don’t know”, what does this mean? At some point the diminishing returns mean the effort to create and maintain an increasingly detailed asset inventory should be placed elsewhere.
For each of the asset inventory items, how complete and accurate does the asset inventory need to be? Can I provide protection if I only have 80% of my assets in the inventory? 95%? 98%? Can I protect if I know more details about only the critical cyber assets? So many questions.
We are hearing now that SBOMs are essential as well. Can you protect a cyber asset or system if you don’t have a complete SBOM as part of your asset inventory? To really know a cyber asset you need to know all its components.
I worry that our attempt to hold on tightly is running into the headwinds. The trend is more cyber assets in the environment and changing more often and more quickly. The install and don’t touch for decades era where you could have a static and detailed asset inventory is fading away. There may be a parallel between the increased reliability achieved through some of what was originally considered heresy with DevOps.
Here’s a surprise … cybersecurity is only a minor, auxiliary use of an OT asset inventory and management. Not the driver or primary beneficiary.
In fact, the security and asset inventory combination in OT detection products happened by accident. In the early years Dragos even resisted including an asset inventory in their platform. Most of the potential buyers / engineers viewing demos in 2016 – 2018 were impressed with the information about their systems gleaned from passive monitoring. The idea of detection was of interest, but the immediate need, and what made the sale, was some basic asset inventory information. They were comparing what they saw in these products to incomplete, out of date spreadsheets, and often those didn’t exist.
Cybersecurity, detection, SIEM, analytics, et al, will be a minor customer or interface to the asset inventory. They consume asset inventory information when necessary and provide an alert when something not in the asset inventory is seen.
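The consumer role described above, as an added example that is not code from the original post: a detection component reads the inventory, compares it with what passive monitoring actually saw, and alerts on devices the inventory does not know about (plus firmware drift against a recorded version). The inventory entries, observation records and field names are constructed assumptions.

```python
"""Added example: a detection consumer of an OT asset inventory.

The inventory and the passive-monitoring observations are constructed
sample data; their field names are assumptions, not a product's schema.
"""

# Constructed inventory: the "known" cyber assets, keyed by IP address.
INVENTORY = {
    "10.0.1.10": {"name": "PLC-01", "firmware": "4.2"},
    "10.0.1.11": {"name": "PLC-02", "firmware": "4.2"},
    "10.0.1.20": {"name": "HMI-01", "firmware": "9.1"},
}

# Constructed observations, as a passive monitor might report them from the wire.
OBSERVED = [
    {"ip": "10.0.1.10", "firmware": "4.2"},
    {"ip": "10.0.1.11", "firmware": "4.3"},   # firmware differs from the inventory
    {"ip": "10.0.1.20", "firmware": "9.1"},
    {"ip": "10.0.1.99", "firmware": None},    # device not in the inventory at all
]


def reconcile(inventory, observed):
    """Compare observations with the inventory.

    Returns (alerts, coverage). alerts lists devices seen on the network but
    absent from the inventory ("unknown asset") or whose observed firmware
    disagrees with the recorded one ("inventory drift"). coverage is the
    fraction of observed devices the inventory already knows about, which is
    one concrete answer to "how complete does the inventory need to be".
    """
    alerts = []
    known_seen = 0
    for obs in observed:
        entry = inventory.get(obs["ip"])
        if entry is None:
            alerts.append(("unknown asset", obs["ip"]))
            continue
        known_seen += 1
        # Only compare when the monitor actually observed a firmware version.
        if obs["firmware"] is not None and obs["firmware"] != entry["firmware"]:
            alerts.append(("inventory drift", obs["ip"]))
    coverage = known_seen / len(observed) if observed else 1.0
    return alerts, coverage


if __name__ == "__main__":
    found, cov = reconcile(INVENTORY, OBSERVED)
    for kind, ip in found:
        print(f"ALERT {kind}: {ip}")
    print(f"inventory covers {cov:.0%} of observed devices")
```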
Next Week: Part 3 … The Right Way To Create And Maintain An OT Asset Inventory (hint: the predominant way it is done today is one of the worst)