Where are your industrial operations vulnerable?
By Umair Masud
Inventory management can help to identify and protect your vulnerable assets
Does your cybersecurity approach sometimes feel like you’re playing a game of Whack-a-Mole – attempting to patch vulnerabilities as they pop up, rather than strategically and proactively managing your cyber risks?
If so, you’re not alone. In a 2016 Deloitte study, only 52 per cent of manufacturing executives said they were either very confident or extremely confident that their organization’s assets were protected from external threats.
A robust asset inventory is a foundational requirement of any cybersecurity program. After all, in order to protect your operations, you need to know what’s in your environment, from machines and other devices on the plant floor to the computers in your offices. Once you’ve built out your inventory you can take steps to address your attack surface, or your vulnerable areas. Beyond that, you can begin to determine which assets are critical to your operations, how to better protect them, and how you’ll respond to and recover from any potential breaches.
Develop your inventory
Depending on your needs and resources, decide the best route for taking stock of your inventory. When determining which approach to take, you should consider what your plant’s network infrastructure looks like: what is your network capacity and how is it configured? Each approach will impact your network differently, so this information is important.
A manual approach is just like it sounds – grab a notepad and pencil and walk around the plant, taking notes on your inventory. You can get a good idea of what’s out there, and this is a cost-effective option, but it has a few downsides. Not only will you likely have a few gaps in your inventory, but it will also be out of date the minute you put your pencil down, as devices may be connecting and disconnecting from your network constantly.
A tool-based approach involves deploying a technology on your network to continuously poll your environment to develop an inventory. These tools can be used in one of two ways: active and passive.
In an active approach, a query is sent out to devices and they are asked to respond by identifying themselves. The downside to this approach is that the constant communication can impact network performance and even cause some devices and machines to go down – particularly legacy devices, as they may not be accustomed to receiving unsolicited queries.
A passive approach is similar, but rather than asking devices to identify themselves via a query, you listen to your network traffic and obtain identity information as traffic passes by. The bonus here is that this approach doesn’t put as much pressure on your network, because it doesn’t involve constantly sending out signals and receiving responses.
An ideal strategy combines these passive and active approaches. It uses a passive listening approach to get a good understanding of what is out there in your environment. Then, it uses that information to inform a more targeted active approach to learn more detailed attributes about a device.
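The combined strategy can be sketched in a few lines of Python. This is an added example, not code from the article or from any inventory product: the observation records, the port-to-protocol table, the "fragile" list and both function names are assumptions made for illustration.

```python
from collections import defaultdict

# Registered ports of common industrial protocols (the selection is an assumption).
PORT_PROTOCOL = {44818: "EtherNet/IP", 102: "S7comm", 502: "Modbus/TCP"}

# Constructed sample: (responder MAC, responder IP, service port) seen on a mirror port.
OBSERVED = [
    ("02:00:00:00:01:10", "10.10.1.10", 44818),
    ("02:00:00:00:01:10", "10.10.1.10", 44818),
    ("02:00:00:00:01:20", "10.10.1.20", 102),
    ("02:00:00:00:02:30", "10.10.2.30", 443),
    ("02:00:00:00:01:40", "10.10.1.40", 502),
]

def build_inventory(observations):
    """Passive step: aggregate what each device revealed simply by talking."""
    inv = defaultdict(lambda: {"ips": set(), "protocols": set(), "frames": 0})
    for mac, ip, port in observations:
        entry = inv[mac]
        entry["ips"].add(ip)
        entry["frames"] += 1
        if port in PORT_PROTOCOL:
            entry["protocols"].add(PORT_PROTOCOL[port])
    return dict(inv)

def plan_active_queries(inventory, fragile_macs):
    """Active step: at most one query per device, in a protocol it already speaks.
    Devices marked fragile (e.g. legacy controllers) go to manual follow-up instead.
    Devices with no recognised industrial protocol are left out of this plan."""
    queries, manual = [], []
    for mac, entry in sorted(inventory.items()):
        if mac in fragile_macs:
            manual.append(mac)
        elif entry["protocols"]:
            queries.append((sorted(entry["ips"])[0], sorted(entry["protocols"])[0]))
    return queries, manual

if __name__ == "__main__":
    inventory = build_inventory(OBSERVED)
    print(plan_active_queries(inventory, fragile_macs={"02:00:00:00:01:40"}))
```

The query plan is only a list of (address, protocol) pairs; how each query is sent depends on the tool in use.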
Include environmental context
When developing your inventory, identifying what assets you have is just the start. You also need to understand their context. This includes asset locations, functions they may perform, other assets they’re connected to and which of your resources rely on a particular asset operating properly. You should also know which software applications each asset uses. Taking a broader look at your environment, note what zones you may have your assets divided into. For example, a food producer may group its assets into “wet” zones and “dry” zones.
All this information is helpful in developing the full picture of your plant, so that you can begin to prioritize your assets by criticality, which is key to a good inventory.
If you are using a tool to help develop your inventory, it will check your assets against vulnerability databases and flag which ones are vulnerable. This is where the context comes in: you can look at the list and determine how critical an asset is. Managing a vulnerability related to a scrap conveyor drive is probably not as important as one related to, for example, a boiler control system.
A helpful exercise to determine criticality of assets is to use a process flow diagram of your operations. Running through failure modes and impact analysis across this process flow will help determine which zones, areas or machines are critical to the availability of your operations. The assets within those critical areas should be designated as critical assets.
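One way to turn that exercise into a repeatable ranking, as an added example that is not part of the original article: assets in process steps whose failure halts operations are marked critical, along with everything they rely on, and flagged vulnerabilities are then ordered with critical assets first. The plant model, asset names, finding IDs and severity scores are all constructed for illustration.

```python
from collections import deque

# Constructed process flow: (step, assets in that step, does failure halt operations?)
PROCESS_STEPS = [
    ("steam generation", ["boiler-plc", "boiler-hmi"], True),
    ("scrap removal", ["scrap-conveyor-drive"], False),
]

# Constructed dependency context: asset -> assets it relies on to operate properly.
RELIES_ON = {"boiler-plc": ["eng-workstation"], "boiler-hmi": ["boiler-plc"]}

# Constructed tool output: (asset, placeholder finding ID, severity score 0-10).
FINDINGS = [
    ("scrap-conveyor-drive", "VULN-A", 9.8),
    ("boiler-plc", "VULN-B", 7.5),
    ("eng-workstation", "VULN-C", 6.1),
    ("historian", "VULN-D", 8.0),
]

def critical_assets(steps, relies_on):
    """Assets in operation-halting steps, plus everything they depend on (transitively)."""
    queue = deque(a for _, assets, halts in steps if halts for a in assets)
    critical = set()
    while queue:
        asset = queue.popleft()
        if asset not in critical:
            critical.add(asset)
            queue.extend(relies_on.get(asset, []))
    return critical

def prioritise(findings, critical):
    """Critical assets first; within each group, highest severity first."""
    return sorted(findings, key=lambda f: (f[0] not in critical, -f[2]))

if __name__ == "__main__":
    crit = critical_assets(PROCESS_STEPS, RELIES_ON)
    for asset, finding, score in prioritise(FINDINGS, crit):
        tag = "CRITICAL" if asset in crit else "normal"
        print(f"{tag:8} {asset:22} {finding} {score}")
```

Note that the engineering workstation ends up critical only because the boiler controller relies on it, which is the kind of context a bare severity score does not capture.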
Improve your cyber resiliency
Of course, a cybersecurity program is ongoing. That’s why an inventory tool does more than give you a snapshot of what’s in your plant’s environment. It can help you create a more formal vulnerability management program to protect your business on a continuous basis by constantly monitoring your environment, tracking existing vulnerabilities and looking for new ones that may pop up based on newly released vulnerability disclosures.
Once the foundation is set, you can begin to create a more formal vulnerability management program around it, allowing room for growth and evolution as your business grows and your environment evolves. All of this will help you continue reducing your attack surface and ultimately improve your cyber resiliency.
Umair Masud is the director of technical security strategy at Rockwell Automation.
This article originally appeared in the October 2019 issue of Manufacturing AUTOMATION.