Why is the OT/ICS asset inventory the core of a cyber security program and what does it mean?

Many industrial enterprises want an accurate asset inventory for their OT/ICS environments. All operators request the operating system/firmware and hardware versions, while some also request connections, ports, and services, or a full software inventory. Still other operators request further in-depth information on those OT assets, such as users, patches, known vulnerabilities, etc. Others go further by including details on the asset's location (cabinet or rack), criticality, or even a picture of it.

What Information Should an OT/ICS Asset Inventory Contain?

The answer depends on the objective. Industrial enterprises frequently include an accurate asset inventory as a component of their OT/ICS security program, and the saying "you can't safeguard what you can't see" is often quoted. Yet that phrase, and many inventory initiatives, overlook a larger point: the OT/ICS asset inventory should be the primary basis on which the whole cyber security program relies.

What is an OT/ICS Asset Inventory?

An OT/ICS asset inventory is the accurate and timely collection of data about the hardware and software used in industrial control system environments. At a minimum, a comprehensive OT/ICS asset inventory contains the following categories of data:

  • A list of every hardware system in the environment, including IP, serial, and other devices, both on and off the network. This needs to contain the make and model as well as important details like RAM and storage.
  • A thorough software inventory that includes the firmware, applications, and operating systems
  • A list of each asset's users and accounts, including any that are dormant, shared, local, or admin.
  • OS and application software patch status
  • Known vulnerabilities, their CVSS ratings, probable remedy options, and attack vectors
  • Configuration settings to check whether the device's ports, services, passwords, etc. are configured securely.
  • Network connections, potential routes, and current network security measures
  • The status of antivirus and other security programs, including whether they have been updated
  • Backup condition
  • Location data, such as rack, cabinet, building, etc., to facilitate quick physical asset finding
  • Information on criticality to assess the value of the asset to the process

The list of asset inventory components contains a lot more details than some might think possible or necessary. However, as the company increases its investment in cyber security, this kind of asset inventory pays off. A strong OT/ICS cyber security program is built on the foundation of this kind of asset inventory.

Why is the Foundation of OT/ICS Security an Asset Inventory?

An extensive base of asset information is necessary for both IT and OT cyber security to be effective. Because so many technologies are available to obtain this information, security practitioners in IT are accustomed to having comprehensive asset information, and they use it as the basis for their security. For example:

  • A complete software inventory is a requirement for patch management. The inventory serves as the foundation for identifying patches.
  • Secure setups are crucial for security, but they must be maintained using accurate, thorough, and timely asset inventory data.
  • Access to each device's backup status is necessary to guarantee that it is current and correct and to ensure robust recovery processes.

These are only three simple instances of how asset inventories might serve as the framework for a program to protect against cyberattacks.
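The three uses above can be driven from the same inventory records. The following is an added example, not part of the original article: the asset names, versions, dates, approved-version table, forbidden services and 30-day backup limit are all constructed assumptions.

```python
from datetime import date

# Constructed sample inventory; every name, version and date is illustrative.
INVENTORY = [
    {"asset": "plc-line1", "criticality": 5, "location": "Bldg A / cabinet 3",
     "software": {"firmware": "2.1"}, "open_services": ["modbus", "telnet"],
     "last_backup": date(2024, 1, 10)},
    {"asset": "hmi-line1", "criticality": 3, "location": "Bldg A / control room",
     "software": {"os": "10.0", "hmi-app": "4.2"}, "open_services": ["rdp"],
     "last_backup": date(2024, 5, 28)},
    {"asset": "historian", "criticality": 4, "location": None,
     "software": {"os": "10.0", "db": "12.0"}, "open_services": ["sql"],
     "last_backup": None},
]

# Assumed policy inputs: approved versions, services the site forbids,
# and maximum backup age. A real program takes these from vendors and policy.
APPROVED = {"firmware": "2.3", "os": "10.0", "hmi-app": "4.2", "db": "12.1"}
FORBIDDEN_SERVICES = {"telnet", "ftp"}
MAX_BACKUP_AGE_DAYS = 30

def version_tuple(v):
    """Turn '2.10' into (2, 10) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

def findings(inventory, today):
    """Return (criticality, asset, issues) tuples, most critical asset first."""
    out = []
    for rec in inventory:
        issues = []
        for name, ver in sorted(rec["software"].items()):   # patch management
            target = APPROVED.get(name)
            if target and version_tuple(ver) < version_tuple(target):
                issues.append(f"patch: {name} {ver} -> {target}")
        for svc in sorted(FORBIDDEN_SERVICES & set(rec["open_services"])):
            issues.append(f"config: {svc} enabled")          # secure configuration
        backup = rec["last_backup"]                          # backup status
        if backup is None:
            issues.append("backup: none recorded")
        elif (today - backup).days > MAX_BACKUP_AGE_DAYS:
            issues.append(f"backup: {(today - backup).days} days old")
        if not rec["location"]:                              # inventory completeness
            issues.append("inventory gap: location missing")
        if issues:
            out.append((rec["criticality"], rec["asset"], issues))
    return sorted(out, key=lambda f: (-f[0], f[1]))

if __name__ == "__main__":
    for crit, asset, issues in findings(INVENTORY, date(2024, 6, 1)):
        print(f"[criticality {crit}] {asset}: " + "; ".join(issues))
```

Sorting by the criticality field puts the assets that matter most to the process at the top of the remediation list, which is only possible when the inventory records that field.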

However, users of OT/ICS generally lack the resources necessary to compile and maintain such an inventory. As a result, perimeter defenses and possibly passive detection of aberrant events have historically been the foundation of OT/ICS cyber security systems.
