Many of us have accepted that having a 100% accurate inventory of “all the things” (networks, assets, data flows, etc.) is a pipe dream. To put it in NIST CSF terms, if you wait until you master the IDENTIFY function before you do anything in the remaining functions (PROTECT, DETECT, RESPOND, RECOVER), you will likely fail at securing even the most basic environments. So, the condition that Jeremiah Grossman describes in the tweet below is the reality that we live in most of the time:
Like most things in life and security, however, knowing what is on your networks is not a binary function. Looking at the spectrum from “current state/knowing little to nothing” to “100% accurate understanding”, there is an in-between state where we can enable more effective defense through better understanding of the environment. This is especially true in the Industrial Control System (ICS) / Operations Technology (OT) space.
We have had the opportunity this year to perform OT security assessments where we completed a thorough asset and architecture discovery process including baseline asset inventories and network diagrams as deliverables. We can talk more about techniques in a future post, but our approach includes a combination of active and passive discovery activities combined with a site walk-down where we perform manual inspection of devices and following network cables. The client feedback from this approach has been overwhelmingly positive.
Three reasons why you should consider this for your next ICS/OT security assessment:
1.) A physical walk-down exposes vulnerabilities that you may never discover with online assessment techniques.
Online scanning and passive discovery have their place and we use them regularly, but there are some things they will never tell you about an environment. For example, in a recent assessment we discovered some embedded devices that were dual-homed because they spanned two groups’ areas of responsibility. Neither of the two groups responsible were aware they were dual-homed and were creating a significant exposure as a result of the way they were connected. That’s just one example, but there are many more including discovery of 3rd party connections in just-in-time supply chain applications in manufacturing, whole IP networks hidden behind multi-homed controller backplanes, and numerous others.
2.) There are significant efficiencies to combining the asset and architecture discovery with a security assessment vs. doing these activities independently.
Good ICS vulnerability assessments have always included some aspect of a discovery phase as a necessary part of understanding the attack surface, but it often is not performed to the level described here, where you can actually generate a baseline inventory and set of diagrams. If you’re starting down the asset discovery path anyway, why not take on the small extra effort to fully understand what is there? We have witnessed that executing these activities together will yield better results for both objectives and has the added benefit of minimizing the number of interruptions to your operations and personnel.
3.) This type of asset and architecture discovery is a prerequisite for automated asset discovery tools.
But wait, you say, we have a software tool that will automate all of this so why go to the effort? Many of these environments have been bolted onto over time, resulting in a massively distributed switching infrastructure. How will you know where you need to implement span ports or network taps without some type of discovery process? The answer is that you won’t in most environments and, without the discovery process, you may be missing some of the networks and assets most critical to your production processes.
While it’s true that the 100% accurate understanding may be unattainable for now, there is significant upside to working toward it. If you are conducting a security assessment anyway, you should take advantage of the opportunity to ask for a baseline inventory (or validate what you already have) and generate a good set of logical network diagrams that are all-too-often missing for ICS networks. As we have witnessed, the results can include everything from identifying previously unrecognized inherited risk, facilitating better communication between IT and OT personnel, to enabling more effective and efficient incident response.