As the Industrial Internet of Things (IIoT) attack surface expands, traditional network-based asset discovery methods, like ping sweeps or manual inventories, are proving obsolete. While these methods provide broad visibility into your cyber-physical systems (CPS), they lack accuracy and miss the relationships between devices.
Improving asset discovery is top of mind for information technology (IT) and OT leaders looking to address CPS vulnerabilities. According to a recent survey, when a cyberattack occurred earlier this year, nearly one-third (32%) of respondents indicated that both IT and OT systems were impacted, up from only 21% last year.
OT asset discovery is the foundation of any strong industrial cybersecurity strategy — laying the groundwork for all other cybersecurity controls. Keep reading to gain a better understanding of what makes OT asset discovery work, the importance of implementing it in your organization, and the clear ways it provides greater asset visibility.
Operational Technology (OT) refers to the system of hardware and software used to control and monitor various processes in the industrial space. OT asset discovery provides visibility to each of these devices and systems on the network.
While traditional methods provide broad visibility into your CPS, they lack accuracy and miss the relationship between devices. On the other hand, OT asset discovery is a detection method that scans and inventories the OT assets on the network without disruption. This passive network scanning pinpoints IP addresses, port numbers, MAC addresses, and other identifying information from OT devices.
Through this identification and detection system, asset discovery can map out the devices on the network and inventory each asset, allowing for effective implementation of cybersecurity controls and appropriate OT vulnerability management.
Suppose you already have a program in place for IT asset discovery. In that case, you may be wondering whether it covers your OT environment or whether you need an approach to OT asset discovery at all.
It is important to note that there is a stark difference between asset discovery in OT and IT environments. For example, while IT environments contain various assets, these devices share key commonalities, are usually replaced every couple of years, and typically run the same type of software. They can even be the same make and model.
Devices on the OT side, however, are systems of assets that serve many different purposes, are usually not the same make and model, and don’t always run on the same software. Organizations don’t replace these assets as frequently, and you can often find devices that have been used for decades and run outdated software.
For these reasons, OT asset discovery requires a drastically different approach than IT asset discovery. And while securing your OT assets may take more effort, the reasons for doing so couldn’t be more critical.
In 2023, only 13% of OT professionals considered their organizations’ OT security posture “highly mature,” dropping from 21% in the previous year. Plus, when a cybersecurity attack occurred, 32% of OT leaders indicated it impacted both their IT and OT systems. Organizations are increasingly aware of their need to invest in IIoT security to protect their OT infrastructure.
Understanding how to protect the OT devices on your network requires complete visibility of all your assets. However, having that knowledge isn’t the only reason asset discovery is crucial to protecting devices in the OT environment.
First, it’s always vital to remember that OT assets are critical to business continuity. Any downtime could lead to the severe disruption of operations essential to the functions of your organization, with potentially irreversible financial losses.
In May 2021, Colonial Pipeline, the organization that operates the largest fuel pipeline in the US, fell victim to a ransomware attack that targeted its OT assets and disrupted its operations for several days. The attack led to financial loss for the company and fuel shortages, panic buying, and price spikes in some parts of the US.
In addition to disrupting operations, malicious attacks like malware injections, ransomware attacks, and insider threats could lead to irreparable health and safety risks for workers, clients, and patients. For example, an attack on a healthcare organization can lead to medical errors such as misdiagnosis, incorrect treatment, or even delays in responding to emergencies. Understanding your OT assets is the first step in implementing effective medical device risk management.
The key objectives of OT asset visibility include:
Visibility - ensure all assets in your network are mapped and inventoried - you can’t protect what you can’t see.
Security - protect OT assets from malicious threats, including malware, ransomware, and insecure remote access.
Operational efficiency - prevent disruptions to your operations and minimize possible downtime to maintain efficiency.
Compliance - uphold strict compliance with regulations such as NIS2, NERC-CIP, and SOCI, as well as many other industry-specific ones, to ensure a safe environment and smooth operations.
Now that you understand the stakes in the OT environment, what asset discovery aims to provide, and the importance of implementing an OT-specific strategy, let’s uncover the five critical steps to achieving complete visibility.
One of the most important functionalities of asset discovery is identifying each device in your network. But what exactly does this mean in practical terms? When identifying devices, asset discovery must uncover more than just the basic details; rather, it must be an in-depth look at everything you might want to know about an asset. This includes model, firmware version, and configuration information.
With this information, your organization can rely on an accurate asset inventory, allowing you to fully understand and manage every asset on your network to secure your environment.
Visibility in asset discovery isn’t just about keeping an accurate inventory of OT devices but also understanding user activity within the network, how assets communicate, connectivity paths, and where they fit within the overall environment. This multidimensional visibility is essential for complete operational resilience and understanding what a “normal” behavior baseline looks like to detect threats better.
Adopting network topology in 3-D requires investing in a third-party solution like Claroty, which leverages advanced technologies to provide deeper insight into your interconnected devices and communication paths.
Passive monitoring is typically the first technique that comes to mind for inventorying and mapping OT assets. Cybersecurity tools copy data from your industrial network and process it in a passive, one-way transfer. This system is favored because it has little to no impact on industrial operations.
Another technique that can provide visibility into the more complex layers of the network is Active Queries. Although an active measure, these queries operate in a non-disruptive manner so as not to interfere with typical traffic and can delve deeper than passive monitoring in some instances. By communicating with devices in the precise protocol each is designed to allow, active queries can extract the most granular data. Mix and match these methods to gain a more granular view of your OT environment.
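The passive technique described above reduces, in practice, to building an inventory and a communication map from traffic that a sensor sees on a SPAN port or TAP. The following is an added example, not Claroty's code: the frame records, IP and MAC addresses are constructed sample observations standing in for a parsed capture, and the port-to-protocol table covers only a handful of well-known industrial ports. Active queries are not shown; the point is that even purely passive observation yields the device relationships that ping sweeps miss.

```python
"""Passive OT asset inventory and communication map from observed frames.

Added example (not Claroty's code). Each record below is a constructed
observation of the form (src_mac, src_ip, dst_mac, dst_ip, dst_port, proto);
a real sensor would derive these fields from a pcap or flow export.
"""
from collections import defaultdict

# Well-known industrial protocol ports used to label observed flows.
INDUSTRIAL_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    44818: "EtherNet/IP",
    20000: "DNP3",
    47808: "BACnet/IP",
}

# Constructed sample frames: an HMI polling two PLCs, an engineering
# workstation reaching the HMI over RDP, and one PLC talking to another.
FRAMES = [
    ("02:00:00:00:01:10", "10.10.1.10", "02:00:00:00:01:20", "10.10.1.20", 502, "tcp"),
    ("02:00:00:00:01:10", "10.10.1.10", "02:00:00:00:01:21", "10.10.1.21", 102, "tcp"),
    ("02:00:00:00:01:10", "10.10.1.10", "02:00:00:00:01:20", "10.10.1.20", 502, "tcp"),
    ("02:00:00:00:02:05", "10.10.2.5", "02:00:00:00:01:10", "10.10.1.10", 3389, "tcp"),
    ("02:00:00:00:01:20", "10.10.1.20", "02:00:00:00:01:21", "10.10.1.21", 102, "tcp"),
]


def build_inventory(frames):
    """Return {ip: {"mac", "served_ports", "protocols"}} for every endpoint seen.

    Both ends of each frame become assets. A device "serves" a port when it is
    the destination of a flow to that port; industrial ports get a protocol label.
    """
    inv = defaultdict(lambda: {"mac": None, "served_ports": set(), "protocols": set()})
    for src_mac, src_ip, dst_mac, dst_ip, dst_port, _proto in frames:
        inv[src_ip]["mac"] = src_mac
        inv[dst_ip]["mac"] = dst_mac
        inv[dst_ip]["served_ports"].add(dst_port)
        label = INDUSTRIAL_PORTS.get(dst_port)
        if label:
            inv[dst_ip]["protocols"].add(label)
    return dict(inv)


def build_comm_map(frames):
    """Return {(src_ip, dst_ip, dst_port): frame_count}.

    These pairs are the device relationships a ping sweep cannot see and the
    raw material for a "normal" communication baseline.
    """
    counts = defaultdict(int)
    for _src_mac, src_ip, _dst_mac, dst_ip, dst_port, _proto in frames:
        counts[(src_ip, dst_ip, dst_port)] += 1
    return dict(counts)


def classify(asset):
    """Coarse role from behaviour: answering an industrial protocol port marks
    a device as a controller/field device; anything else stays 'unknown'."""
    return "controller" if asset["protocols"] else "unknown"


if __name__ == "__main__":
    inventory = build_inventory(FRAMES)
    for ip, asset in sorted(inventory.items()):
        print(ip, asset["mac"], classify(asset), sorted(asset["protocols"]))
    for (src, dst, port), n in sorted(build_comm_map(FRAMES).items()):
        print(f"{src} -> {dst}:{port} ({n} frames)")
```

Running it prints four assets, two of which are labelled as controllers because they answer Modbus/TCP and S7comm, plus the four observed communication pairs with their frame counts. Extending the inventory with firmware version or model, as the article recommends, is exactly where protocol-aware parsing or active queries come in; port labels alone only tell you what a device speaks, not what it is.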
If, for any reason, you can’t identify OT assets through passive monitoring or active queries, Claroty’s AppDB is the next technique to employ to improve discovery. Claroty’s AppDB, short for Application Description Database, is a proprietary database that contains highly detailed information about industrial protocols, devices, and applications in OT environments. It offers a much more comprehensive view of your assets, their communication protocols, and behavior patterns, giving you another layer of visibility and security.
The AppDB discovery method ingests and parses backup configuration files for your OT assets. It can discover assets and render precise visibility without connecting to them, sparing you from having to track down each device and get it on the network. This method can be beneficial when your devices are disconnected from the system or air-gapped.
Network segmentation protects against cyber threats occupying the OT environment and allows specific groups of assets to communicate with each other in typical circumstances.
With a greater understanding of your network topology, it becomes easier to identify opportunities for segmentation following the Purdue Model. This model categorizes industrial control systems into distinct security zones based on their function and criticality. It builds a hierarchical architecture that facilitates segmentation, enabling you to improve network security, performance, and management.
Implement localized security controls, Web Application Firewalls, and stringent access requirements to reinforce security across your network segments and facilitate monitoring. Assess and update your segmentation policies to reflect business needs and challenges.
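A concrete way to turn a Purdue-style zoning decision into something you can check is to map each inventoried asset to a level and then audit observed flows against an adjacency rule. The following is an added example, not Claroty's code: the level assignments, the addresses and the flows are constructed sample data, and the policy used here (a flow may only cross to an adjacent level, so nothing skips the 3.5 DMZ between site operations and enterprise IT) is one common reading of the model, not the only one.

```python
"""Audit observed OT flows against a Purdue-level segmentation policy.

Added example (not Claroty's code). Levels used: 0/1 field devices and
controllers, 2 supervisory (HMI/SCADA), 3 site operations, 3.5 DMZ,
4 enterprise IT. Asset-to-level assignments and flows are constructed.
"""

# Ordered levels; "adjacent" means neighbouring entries in this list.
LEVELS = [0, 1, 2, 3, 3.5, 4]

# Constructed inventory: which Purdue level each discovered asset sits in.
PURDUE_LEVEL = {
    "10.10.1.20": 1,    # PLC
    "10.10.1.21": 1,    # PLC
    "10.10.1.10": 2,    # HMI
    "10.10.3.5": 3,     # historian
    "10.10.35.2": 3.5,  # DMZ relay / jump host
    "10.20.0.15": 4,    # enterprise workstation
}

# Constructed observed flows: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.10.1.10", "10.10.1.20", 502),    # HMI polls PLC: level 2 -> 1, allowed
    ("10.10.3.5", "10.10.35.2", 443),     # historian -> DMZ: 3 -> 3.5, allowed
    ("10.20.0.15", "10.10.1.20", 502),    # enterprise host -> PLC: 4 -> 1, forbidden
    ("10.20.0.15", "10.10.3.5", 1433),    # enterprise host -> historian: 4 -> 3, skips DMZ
    ("10.10.9.9", "10.10.1.21", 102),     # source not in inventory at all
]


def is_allowed(src_level, dst_level):
    """Policy: same level or directly adjacent levels only."""
    return abs(LEVELS.index(src_level) - LEVELS.index(dst_level)) <= 1


def audit_flows(flows, level_map):
    """Return [(src, dst, port, reason)] for every flow the policy rejects.

    An endpoint missing from the level map is itself a finding: the asset
    inventory is incomplete, which is the visibility gap the article warns about.
    """
    findings = []
    for src, dst, port in flows:
        s, d = level_map.get(src), level_map.get(dst)
        if s is None or d is None:
            findings.append((src, dst, port, "endpoint not in asset inventory"))
        elif not is_allowed(s, d):
            findings.append((src, dst, port, f"level {s} -> level {d} crosses a zone boundary"))
    return findings


if __name__ == "__main__":
    for src, dst, port, reason in audit_flows(FLOWS, PURDUE_LEVEL):
        print(f"{src} -> {dst}:{port}: {reason}")
```

The two zone-crossing flows and the one unknown endpoint are the findings a segmentation review would act on: the first two by tightening firewall or access rules at the zone boundary, the third by extending discovery until the inventory is complete. Re-running the audit on fresh flow data after each change is the "assess and update" step the article describes.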
Protecting your OT devices starts with asset discovery and comprehensive visibility. This is the first step to safeguarding your industrial operations, ensuring business continuity, and staying ahead of adversaries. However, the strength of these measures is only as strong as your cybersecurity partner.
Claroty offers the most complete OT cybersecurity solutions, brought by experts who have seen it all. Work with our experts to discover how you can best apply these measures to your OT environment and begin adopting essential asset discovery procedures. Request a demo to get started.