How to Use Asset Management as the Foundation for OT Network Segmentation

Michael Piccalo | October 21, 2019

What do you consider the most foundational activity of any solid cybersecurity program? In my opinion, and many others’, it all starts with knowing what your assets are. This is also reflected in many of the top controls and standards that we follow today, such as the SANS Center for Internet Security (CIS) Top 20 Critical Security Controls (CSC), where the top two “Basic” controls include:

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets

Similarly, the first function of the NIST Cybersecurity Framework (CSF), the Identify Function, develops an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

Asset management provides the foundation on which many other elements and controls in an organization’s security program are built upon, including network segmentation.

Let’s face it, as we see more and more Internet of Things (IoT) devices and industrial devices connecting to both our business networks and our operational technology (OT) networks that help enhance efficiency and drive bigger bottom lines in our organizations, we are faced with a tradeoff – an expanding attack surface.

Our cyberthreat landscape isn’t getting any simpler, either. The volume and sophistication of cyberattacks, regardless of the target (IT or OT), continues to grow. Unfortunately, in my experience, it is not that uncommon to see malware in our sensitive industrial networks. Contrary to what some may think, malware doesn’t have to be malicious in nature to have harmful effects. Take, for example, crypto-mining malware designed to consume just a little bit of processing power from the targeted asset(s). To the layman, this may not sound too bad. But, depending on what the asset is, its function, what it is communicating with, and other factors, the results of just a little bit of latency can have drastic impact – just ask an engineer who knows the ins and outs of these systems!

While this was a simple example, there are a few basic points that we can take from it to incorporate into our cybersecurity program, including:

  • Know your complete asset inventory – across the enterprise
    • This helps us to know all potential points of ingress and egress
  • Know your asset configurations and be able to identify when they change
  • Know the normal behaviors of your assets and who they should be communicating with
    • This will help to determine non-essential communications, including lateral movement and command and control (C2) beaconing of potentially malicious entities
  • Understand the function of the asset and the implications of that asset becoming unavailable
  • Understand the risk level associated with each asset, especially OT assets, including both from a security perspective, as well as from an operational perspective
    • Each perspective is important in a different way to different groups in the organization

Enter Forescout SilentDefense 4.1… For those of you who follow our blogs, you already know the deep OT visibility that SilentDefense is known for. But how can you best use that rich data? Oh, let me count the ways…

First, as I had mentioned in the beginning of this, you have to know what your assets are – all of your assets – as this becomes the basis of many other mitigating controls that should be in place. As more and more cyberattacks are in the headlines these days, many organizations, including industries at large, are getting wise to the growing threat of malware and the potential implications of a disruption to their operations. As a result, many of these organizations are now in the early planning stages of their network segmentation projects to separate the critical industrial network from the business network. Others are taking further steps to implement even more segmentation to help prevent lateral movement and minimize collateral damage from infected systems. While these projects can seem like an intimidating undertaking, there are simple ways of leveraging asset management data to significantly ease the burden of network segmentation.

With a complete asset inventory of the OT environment in hand, complemented by the classification of those assets by function, such as Programmable Logic Controllers (PLCs), Human Machine Interfaces (HMIs), Engineering Workstations (EWS), and other asset types, an organization might have a pretty good start on determining what segment a device might reside in, especially if the Purdue Model architecture is followed. When this information is combined with the alerts and known vulnerabilities associated with those assets, who they are communicating with, including both inbound and outbound, the ports and protocols used, volume of data, and other pertinent details, the information becomes that much more meaningful. This information alone can be used to define the basic policies needed for restricting access according to the principle of least privilege.

But we didn’t stop there. In the newest version of SilentDefense, Forescout has introduced the Asset Risk Framework, which delivers a much needed, quick evaluation of the OT network’s risk posture from both a security perspective as well as from an operational perspective. Incorporating both of these perspectives is key to quickly surface the right level of detail to the stakeholders who need it, whether they are working to implement the appropriate mitigating controls around an asset or focused on keeping the plant running – the needs of both have been met. I won’t go into the details of the Asset Risk Framework here, as you may have already read Damiano’s great article on this topic.

So how does this new Asset Risk Framework help with your network segmentation project? While understanding the asset function and communication flows are key elements in determining the most appropriate architecture for an organization, the combined security and operational components that make up the asset risk score provide an essential, intangible element to the equation that was previously missing. This risk score can be adapted to the needs of the business and the risk appetite allowing for the calculation to be determined based on what matters most to the organization.

That said, those assets assigned a higher risk score, be it security or operational, should have commensurate mitigating controls in place. In terms of network segmentation, this can equate to the asset residing in its own security zone with enforced multifactor authentication to a very small subset of users. Additionally, there may be further controls that can be implemented that include additional logging, application-level controls, intrusion detection, or even intrusion prevention where it is feasible and where it makes sense in an OT environment. Again, this comes down to the risk score assigned to the asset balanced with the needs of the business – and configured through the flexibility of the Asset Risk Framework.

So, as you plan your next network segmentation project, keep in mind the rich OT asset data from SilentDefense that can help make this a much easier endeavor.

Stay tuned for more details next month on a brand-new feature that will provide a quantum leap forward for any network segmentation project!