OT Asset Management

Source: DNV GL

Today, energy organisations face increasing cybersecurity threats to their industrial control systems (ICS). Because energy infrastructure is critical, a well-planned cyber attack can cause safety incidents, reputational damage, revenue loss and operational disruption. Yet most critical-infrastructure operators still rely on manual processes to track their operational technology (OT) assets and to prioritise threat prevention and patching.

Existing asset inventories in most organisations are static, point-in-time snapshots that cover only part of the actual asset portfolio. As OT systems become more complex, more interconnected and more integrated with enterprise IT, organisations with brownfield sites that want to improve their OT processes will have to find a balance between automated and manual methods to strengthen OT asset management.

This blog focuses on OT asset management from a cybersecurity perspective, although implementing one or more of the components described below also brings operational benefits. To align with industry practice we refer to NIST SP 1800-23 (Energy Sector Asset Management), a practice guide written for electric utilities and the oil and gas industry. Other energy organisations can also use that guide, together with the outline below, to manage assets and reduce the associated risk exposure.

To make this blog more practical, we will use an open-source automated asset management tool to show how assets can be tracked in real time or near-real time.

Issues and Challenges

As the saying goes, learn to walk before you run. Before we talk about controls and best practices, let us look at the issues many practitioners face in the field, because they are the root cause of the cyber security risk. As a concept, OT asset management sounds simple and easy to follow, but ICS brownfield sites expose the practical challenges that appear as soon as you try to implement it.

In many ICS environments those challenges stem from legacy systems, inadequate documentation, or new technology bolted onto existing infrastructure, so effective asset management requires an understanding of the interconnected systems and processes at play. Acknowledging and addressing these challenges up front is what lets an organisation improve its security posture rather than merely document it. The most common issues are:

  1. No company-wide security strategy that addresses OT security requirements.
  2. The asset portfolio is diverse and spread across a large geography.
  3. Manual approaches are slow and cannot keep up with evolving technology and security trends.
  4. Automated tools are difficult to manage and require expertise in the underlying technology platforms.
  5. Organisations are exposed to cyber security risk because they do not know which assets are in their infrastructure.
  6. OT vulnerabilities are a prime target for malicious actors as OT becomes more interconnected with IT.

Phases of Asset Management Life Cycle

The key principle is to follow a structured approach: break the complex asset management process into its core elements and address one piece at a time. NIST SP 1800-23 describes five key elements of the asset management process:

Source: NIST SP 1800-23
  1. Discovery: As the old saying goes, "you cannot defend what you cannot see". The first element of the asset management life cycle is knowing what you own. Many organisations fall short at this basic step: they do not have, or do not maintain, an asset inventory, often for lack of skills, awareness or resources. Discovery is the most critical of the five elements; every process owner should know the complete asset portfolio before thinking about any kind of control. Discovery is not only about knowing what is connected, it is also how you learn how each device normally behaves, often called the baseline. That baseline is what the last phase, Alerting, compares against to spot malicious behaviour.
  2. Identification: Once we have captured which assets are connected, we need to capture their attributes so that they can be told apart. The idea is to record fields such as manufacturer, model, operating system, firmware version, IP address, MAC address and patch level. This information helps ICS security engineers know their systems better and respond to security and operational incidents.
  3. Visibility: Asset discovery and attribute collection have to be continuous in order to capture any change to the OT asset portfolio. The goal is continuous identification of newly connected devices, whether routable or not. Without adequate visibility we cannot really protect the infrastructure.
  4. Disposition: In this phase each asset is given a risk rating, and its interconnections are captured alongside its other attributes: for example, we should know how a device at Purdue level 3 communicates with a device at level 2, over which route, using which protocol or service, and what their basic attributes are. To keep it simple, organisations can start with a 5-tuple approach and record SRC IP, DST IP, SRC PORT, DST PORT and protocol for each connection. This looks very basic but is very useful when troubleshooting and when handling security incidents.
  5. Alerting: Information from the phases above can be used to monitor deviation from the baseline. Organisations often do have SIEM-like tools configured in OT, but these lack customisation for the threats seen in practice: most alerts come from pre-built rules and generate false positives. Identifying threats proactively is a topic for a separate discussion.
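The five phases above, carried through on a handful of flow records, as an added example that is not part of the original post or of NIST SP 1800-23. It takes constructed NetFlow-style 5-tuples (the subnets, the Purdue-level mapping and the hosts are lab assumptions), builds the inventory and the expected-conversation baseline from a learning window, then alerts on what differs in a later window. The one design choice worth noting is that the baseline key drops the ephemeral source port: keep it and every new TCP connection becomes a "deviation", which is exactly the pre-built-rule false-positive problem the Alerting phase describes.

```python
"""Asset-management life cycle on 5-tuple flow records.

Added example (not from the original post or NIST SP 1800-23): discovery and
identification from observed flows, a baseline of expected conversations, and
alerting on deviations from that baseline.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed flow records in the shape of a NetFlow / Zeek conn.log export:
# (timestamp, src_ip, src_port, dst_ip, dst_port, proto). Subnets, Purdue
# levels and hosts are lab assumptions, not values from the post.
LEARNING_FLOWS = [
    ("2024-01-01T00:00:01", "10.3.0.10", 50123, "10.2.0.20", 502, "tcp"),    # L3 historian -> L2 PLC, Modbus/TCP
    ("2024-01-01T00:00:02", "10.2.0.5", 44000, "10.2.0.21", 20000, "tcp"),   # L2 HMI -> L2 RTU, DNP3
    ("2024-01-01T00:00:03", "10.3.0.10", 50124, "10.2.0.20", 502, "tcp"),
    ("2024-01-01T00:00:04", "10.2.0.5", 44001, "10.2.0.20", 502, "tcp"),     # L2 HMI -> L2 PLC, Modbus/TCP
]
MONITORED_FLOWS = [
    ("2024-01-02T10:00:00", "10.3.0.10", 50200, "10.2.0.20", 502, "tcp"),    # in baseline
    ("2024-01-02T10:00:05", "10.4.0.99", 51000, "10.2.0.20", 502, "tcp"),    # unknown L4 host talking Modbus to the PLC
    ("2024-01-02T10:00:09", "10.2.0.5", 44100, "10.2.0.21", 20000, "tcp"),   # in baseline
    ("2024-01-02T10:00:12", "10.2.0.5", 44101, "10.2.0.20", 44818, "tcp"),   # known HMI, new service on the PLC
    ("2024-01-02T10:00:15", "10.3.0.10", 50201, "10.2.0.21", 20000, "tcp"),  # known hosts, new conversation
]

# Purdue-level mapping by subnet and well-known OT service ports (assumptions).
LEVELS = {ip_network("10.2.0.0/24"): 2, ip_network("10.3.0.0/24"): 3, ip_network("10.4.0.0/24"): 4}
OT_SERVICES = {502: "modbus/tcp", 20000: "dnp3", 44818: "ethernet/ip"}


@dataclass
class Asset:
    """One inventory record; the attributes are what passive observation gives us."""
    ip: str
    level: Optional[int]
    services: set = field(default_factory=set)  # (port, proto) pairs this host answers on
    peers: set = field(default_factory=set)     # hosts it has talked to


def level_of(ip):
    addr = ip_address(ip)
    for net, level in LEVELS.items():
        if addr in net:
            return level
    return None


def discover(flows):
    """Discovery + identification: one record per host seen in the flows."""
    inventory = {}
    for _ts, src, _sport, dst, dport, proto in flows:
        for ip in (src, dst):
            inventory.setdefault(ip, Asset(ip, level_of(ip)))
        inventory[dst].services.add((dport, proto))
        inventory[src].peers.add(dst)
        inventory[dst].peers.add(src)
    return inventory


def conversation(flow):
    """Baseline key: the 5-tuple minus the ephemeral source port."""
    _ts, src, _sport, dst, dport, proto = flow
    return (src, dst, dport, proto)


def build_baseline(flows):
    """Visibility / disposition: the set of expected conversations."""
    return {conversation(f) for f in flows}


def detect(baseline, inventory, flows):
    """Alerting: return (severity, reason, flow) for every deviation from the baseline."""
    alerts = []
    for flow in flows:
        _ts, src, _sport, dst, dport, proto = flow
        if conversation(flow) in baseline:
            continue
        service = OT_SERVICES.get(dport, f"{dport}/{proto}")
        if src not in inventory or dst not in inventory:
            newcomer = src if src not in inventory else dst
            src_level, dst_level = level_of(src), level_of(dst)
            # A host that skips a Purdue level (e.g. level 4 straight to level 2)
            # is worse than an unknown host inside the same zone.
            skips_level = (src_level is not None and dst_level is not None
                           and abs(src_level - dst_level) > 1)
            severity = "high" if skips_level else "medium"
            reason = f"new asset {newcomer}: {src} -> {dst} {service}"
        elif (dport, proto) not in inventory[dst].services:
            severity, reason = "medium", f"known host {src} using new service {service} on {dst}"
        else:
            severity, reason = "low", f"known hosts, new conversation {src} -> {dst} {service}"
        alerts.append((severity, reason, flow))
    return alerts


def run():
    """Learn from the first window, then monitor the second."""
    inventory = discover(LEARNING_FLOWS)
    baseline = build_baseline(LEARNING_FLOWS)
    return inventory, baseline, detect(baseline, inventory, MONITORED_FLOWS)


if __name__ == "__main__":
    inventory, baseline, alerts = run()
    for asset in inventory.values():
        print(f"{asset.ip:12} level={asset.level} services={sorted(asset.services)}")
    for severity, reason, flow in alerts:
        print(f"[{severity}] {flow[0]} {reason}")
```

Running the block prints the four discovered hosts and three alerts: the unknown level-4 host reaching the PLC is rated high, the known HMI opening a new service on the PLC is rated medium, and a new conversation between two already-known hosts over a service the destination already offers is rated low. In a real deployment the learning window is days or weeks of capture, and the inventory should be reconciled with the engineering asset list rather than trusted on its own.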

Each element of the asset management life cycle has its own benefits, but taken together they give organisations reduced cyber risk exposure, reduced impact of safety and operational risks, faster response to cyber security events and incidents, automated security capabilities, alignment with industry best practice and partial coverage of regulatory requirements.

How the process looks in practice

If you would like to receive a high-res copy, please send me an email charit0819[at]gmail.com

Recommendations

The ultimate aim of asset management in ICS is to minimise and manage the risk of cyber security incidents while optimising operational cost, keeping the asset inventory up to date and maintaining continuous visibility. NIST SP 1800-23 helps organisations understand and implement technology that provides the following capabilities. The items listed here are NIST Cybersecurity Framework subcategories as mapped in that guide; each maps onto controls in NIST SP 800-53 Rev. 5, so download the latest copy of both for details.

  • ID.AM-1: Physical devices and systems within the organisation, including ICS devices, are inventoried.
  • ID.RA-2: Cyber threat intelligence is received from information-sharing forums and sources.
  • PR.DS-2: Data in transit is protected.
  • PR.DS-6: Integrity-checking mechanisms are used to verify software, firmware and information integrity.
  • PR.MA-1: Maintenance and repair of organisational assets are performed and logged, with approved and controlled tools.
  • PR.MA-2: Remote maintenance of organisational assets is approved, logged, and performed in a manner that prevents unauthorised access.
  • PR.PT-4: Communications and control networks are protected.
  • DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed.
  • DE.AE-3: Event data are collected and correlated from multiple sources and sensors.

These recommendations can be used strategically by individuals and organisations responsible for managing OT assets. They are also useful for industry professionals, students and any organisation looking to improve its knowledge or existing asset management practice.

For greenfield projects all assets shall be tracked from the beginning, whereas for brownfield sites you can start small, scope the effort, and keep extending capture and monitoring across the environment. The number of assets can feel overwhelming, which is common, so make sure you scope the work before you begin. What is practical depends on which technology tools are already implemented in your ICS and how you currently manage your assets. With a modest budget and a well laid-out strategy you can get the asset inventory under control.

Automated asset inventory management tool

GRASSMARLIN is an open-source tool developed by the NSA that provides passive visibility of OT networks in near-real time. It ships with fingerprints for many OT protocols, which let it capture communication details and asset attributes such as IP address, MAC address and operating system from live traffic or imported pcap files. It is easy to deploy and needs only two pieces of supporting software, Java and Wireshark; if they are not already installed, the GRASSMARLIN installer sets them up during deployment.
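What a passive tool has to do to fill the Identification fields (manufacturer, model, firmware) from traffic, as an added example in Python; this is not GRASSMARLIN's code and not from the original post. It parses a Modbus/TCP Read Device Identification reply (function code 43, MEI type 14), which a PLC sends in answer to a query an engineering workstation or HMI already makes, so a listener on a SPAN port can record vendor, product code and revision without ever polling the controller. The reply bytes and the IP address are constructed; the bounds checks matter because a parser sitting on a mirror port must not crash on a truncated or hostile frame.

```python
"""Passive asset identification from a Modbus/TCP Read Device Identification reply.

Added example (not GRASSMARLIN's code, not from the original post). Frame layout
per the Modbus Application Protocol spec: MBAP header (transaction id, protocol
id, length, unit id), then FC 0x2B, MEI type 0x0E, read device id code,
conformity level, more-follows, next object id, object count, and a list of
(object id, length, value) objects.
"""
import struct

FC_MEI = 0x2B          # function 43: Encapsulated Interface Transport
MEI_DEVICE_ID = 0x0E   # MEI type 14: Read Device Identification
OBJECT_NAMES = {0x00: "vendor", 0x01: "product_code", 0x02: "revision"}  # basic objects

# Constructed reply from a fictitious PLC (vendor, model and revision are made up).
SAMPLE_REPLY = bytes.fromhex(
    "0001 0000 0024 01"          # MBAP: transaction 1, protocol 0, length 36, unit id 1
    "2B 0E 01 01 00 00 03"       # FC 43, MEI 14, read code 1 (basic), conformity 1, more=0, next=0, 3 objects
    "00 09 4C616256656E646F72"   # object 0 VendorName         = "LabVendor"
    "01 07 504C432D313030"       # object 1 ProductCode        = "PLC-100"
    "02 06 76322E342E31"         # object 2 MajorMinorRevision = "v2.4.1"
)
# Same frame with the last object's length byte inflated to 16: the MBAP length
# still matches the frame, so only the per-object bounds check catches it.
MALFORMED_REPLY = SAMPLE_REPLY[:-7] + b"\x10" + SAMPLE_REPLY[-6:]
# A Read Holding Registers reply (FC 3): valid Modbus, but carries no identity.
OTHER_REPLY = bytes.fromhex("0002 0000 0005 01 03 02 0001")


def parse_device_identification(frame):
    """Return the identity attributes, or None if the frame is not a device-ID reply.

    Raises ValueError on malformed input instead of indexing past the buffer."""
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP header and function code")
    tx_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("MBAP protocol id is not Modbus")
    pdu = frame[7:]
    if len(pdu) != length - 1:                 # MBAP length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = pdu[0]
    if fc == (FC_MEI | 0x80):                  # exception response to our function
        raise ValueError(f"device returned Modbus exception {pdu[1]:#04x}")
    if fc != FC_MEI or pdu[1] != MEI_DEVICE_ID:
        return None
    if len(pdu) < 7:
        raise ValueError("truncated device identification header")
    read_code, conformity, more_follows, next_object, count = pdu[2:7]
    attrs = {"transaction_id": tx_id, "unit_id": unit_id, "read_code": read_code,
             "conformity": conformity, "more_follows": bool(more_follows),
             "next_object_id": next_object}
    pos = 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("object length exceeds frame")
        attrs[OBJECT_NAMES.get(obj_id, f"object_{obj_id:#04x}")] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    if pos != len(pdu):
        raise ValueError("trailing bytes after last object")
    return attrs


def safe_parse(frame):
    """Wrapper for a capture loop: never raise, return (attributes, error)."""
    try:
        return parse_device_identification(frame), None
    except ValueError as exc:
        return None, str(exc)


def identify(ip, frame):
    """Map the reply onto the asset-record fields named in the Identification phase."""
    attrs = parse_device_identification(frame)
    if attrs is None:
        return None
    return {"ip": ip, "manufacturer": attrs.get("vendor"),
            "model": attrs.get("product_code"), "firmware": attrs.get("revision")}


if __name__ == "__main__":
    print(identify("10.2.0.20", SAMPLE_REPLY))
    print(safe_parse(MALFORMED_REPLY))
```

A real listener would key the result on (source IP, unit id), since one gateway IP can front several serial slaves, and would fetch the "regular" and "extended" object sets only if the conformity level says the device supports them. The MAC address and operating-system guess that a tool such as GRASSMARLIN also reports come from other layers (Ethernet headers, TCP/IP stack fingerprints), not from this reply.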

To show how convenient such a tool can be, I tested this open-source tool, developed for managing ICS assets, myself. I tested it in my personal lab, which has a couple of machines: a root domain, a child domain, a few engineering workstations, one or two operator workstations, two logic controllers (Modbus and DNP3) and one event monitoring tool (SIEM).

Below are a few screenshots from GRASSMARLIN, where I was able to prepare the network layout, list the machines, group them by attributes, and check who is talking to whom over which protocol.

GRASSMARLIN mapping the network
Assets grouped by operating system (see the leftmost column)
Pre-built OT protocol plugins that enable GRASSMARLIN to capture and filter network traffic
List of hosts captured in an easy-to-view format

The aim of showing an automated solution is to raise awareness among asset owners and engineers who struggle to capture even these basic details. It is strongly advisable to test the tool in a lab environment before deploying it in production; note that it captures traffic passively, so it needs a SPAN/mirror port or a network TAP to see anything at all. Do not use this article as the basis for installing the software in your network. Use the details presented here to break down the complex process and manage the risk associated with asset management adequately.

References

NIST SP 1800-23: https://www.nccoe.nist.gov/publication/1800-23/

NIST 800-53 r5: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

IEC 62443 standards: https://webstore.iec.ch/preview/info_iec62443-3-3%7Bed1.0%7Den.pdf

GRASSMARLIN: https://github.com/nsacyber/GRASSMARLIN

SANS: ICS Asset Identification: It’s More Than Just Security
