I’m not anti-asset inventory. It’s a key part of asset management and maintenance without regard to reducing OT cyber risk. In fact I’d be more amenable to Operations prioritizing establishing and maintaining an asset inventory than OT Security.
At the right point in your OT security program it is the right thing to spend your resources on. Not because an asset inventory will reduce risk. Rather because it will be necessary for other security controls that will reduce risk.
The messaging and priority placed on establishing an OT asset inventory has been wildly successful. Over and over I’ve talked with asset owners who are just beginning their OT security program and priority 1 is to document the asset inventory, typically via the purchase of one of the OT detection products.
Even with PLCs and controllers directly connected to the enterprise network, where any employee can access the PLCs on any port, they believe they should purchase one of these asset inventory tools and take the many months to establish an asset inventory. Crazy. I’ve helped convince some to change priorities and in other cases not. They felt buying the product would satisfy management for a period of time.
You should evaluate where you place your OT security resources on an efficient risk reduction criterion, whether you are assessing your own system or hiring a third party. Where will you achieve the most risk reduction for the next hour or dollar spent? Remember to consider both likelihood and consequence reduction actions.
An efficient risk reduction criterion pushes asset inventory outside of most top ten lists for those beginning or in the early stages of their OT security program.
Don’t I need an asset inventory for patching? Not for the most important security patching: the prioritized patching of the small number, hopefully, of cyber assets accessible from outside the OT zones.
In most cases I’d even prioritize the detection and incident response / forensics capability of the tools from Armis, Claroty, Dragos, Nozomi et al over their use for asset inventory. Taken a step further, the efficient risk reduction ordering of benefits of these products is:
- Forensic support for Incident Response due to important data retention and minimal ongoing labor
- Detection where the ongoing labor cost varies a great deal. Screaming, low false positive alerts only are lower cost. Having OT expertise reviewing in real time is high cost.
- Asset Inventory. Are you going to spend the money to put sensors everywhere to collect the data? Are you going to allow active probing to gather data? And again you are not getting risk reduction by having an asset inventory. It is a foundation that allows other controls, that also cost time and money, to succeed.
I’m guessing many disagree with this based on the popularity of the asset-inventory-first movement in OT security. If this is you, perform the exercise. Write down your likelihood and consequence reduction options. Keep it simple. Rate each as high, medium or low in resources and risk reduction. Then sort the list from low resource / high risk reduction to high resource / low risk reduction. Then, start with the items at the top of the list.
The great news is if you are early in your OT security program you will get some massive risk reduction at a very low cost.