By now I think we all understand the importance of knowing what devices are connected to your operational technology (OT) networks. After all, we’ve heard over and over from the experts that “you can’t protect what you can’t see”. And there is a foundational truth to this that most of us agree with. As you may have guessed from my previous blogs, presentations, and other posts, I am in full agreement that every organization with critical OT networks should have basic real-time visibility of all assets connected to its industrial infrastructure. Better still is the ability to classify those assets by role or function and to visualize their communications on a network map. But what good is all this real-time data if you aren’t set up to do anything actionable with it?
Having complete visibility across the enterprise, including OT networks, is one of the foundational requirements for building a solid cybersecurity program. But then I wonder, would I go buy a car without the tires? A key consideration when purchasing an OT asset visibility tool is whether you’ll be able to act on the data that is being presented. Of course, visibility alone may put a checkmark in the box for internal or compliance requirements, but it doesn’t make anything more secure.
So, what comes after visibility? You need to turn that data into actionable steps and selectively implement controls based on the information you have and the environment you’re dealing with. Having more accurate data at your fingertips allows better decisions to be made about which controls to implement. This is where the “bells and whistles” that come with an OT asset visibility solution come in very handy, such as crowdsourced asset classification, automated network maps, a CVE database, real-time threat detection, and bi-directional integrations with other tools.
Integrating this data into the other security solutions in your organization not only improves your overall cybersecurity posture, it also increases the ROI of the tools you already own. Some examples of how OT asset data can be used this way include:
- Selectively implementing and automating proactive security controls through firewalls or switch access control lists based upon well-defined criteria, or just being notified when those criteria have been met.
- Enriching Configuration Management Database (CMDB) data by adding new OT devices or updating device attributes like a new firmware version.
- Automatically scanning a vendor’s laptop before it connects to the OT network to ensure it is free of malware and fully patched.
- When a high priority OT security or operational event is detected, automatically opening a service ticket in the ticketing system and assigning it to the appropriate group.
- Visually simulating network segmentation to create the right policies, and then implementing the controls after understanding the impact.
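The list above is easier to reason about with data in hand. The following is an added example, not code from the original post or from any OT visibility product: it takes a constructed inventory export, a constructed CMDB snapshot and a handful of constructed observed flows, then performs three of the integrations described: CMDB enrichment (new device, changed firmware), derivation of an allow-list for Level 3 / Level 3.5 assets with a dry run that reports which observed flows the proposed rules would block before anything is enforced, and routing of the resulting high-priority event to a ticket queue. The record layout, zone names, queue names and routing criteria are all assumptions made for the example.

```python
"""Act on OT asset-visibility data: CMDB enrichment, allow-list ACL derivation
with a dry-run impact check, and ticket routing for high-priority events.

All data below is constructed for the example; the record layout and zone
names are assumptions, not the export format of any particular product.
"""

# Constructed inventory export from a hypothetical OT visibility platform.
INVENTORY = [
    {"mac": "00:11:22:33:44:01", "ip": "10.3.0.10", "role": "historian",
     "firmware": "4.2.1", "zone": "L3"},
    {"mac": "00:11:22:33:44:02", "ip": "10.3.5.20", "role": "jump_host",
     "firmware": "2023.11", "zone": "L3.5"},
    {"mac": "00:11:22:33:44:03", "ip": "10.3.0.11", "role": "eng_workstation",
     "firmware": "1.0.0", "zone": "L3"},
    {"mac": "00:11:22:33:44:09", "ip": "10.2.0.5", "role": "plc",
     "firmware": "31.011", "zone": "L2"},
]

# Constructed CMDB snapshot keyed by MAC: one stale firmware, one device missing.
CMDB = {
    "00:11:22:33:44:01": {"role": "historian", "firmware": "4.1.0"},
    "00:11:22:33:44:02": {"role": "jump_host", "firmware": "2023.11"},
    "00:11:22:33:44:09": {"role": "plc", "firmware": "31.011"},
}

# Constructed flows observed by the visibility tool: (src_ip, dst_ip, dst_port).
OBSERVED_FLOWS = [
    ("10.4.0.50", "10.3.5.20", 3389),   # IT user -> jump host (L4 -> L3.5)
    ("10.3.5.20", "10.3.0.11", 3389),   # jump host -> engineering workstation
    ("10.3.0.11", "10.2.0.5", 44818),   # engineering workstation -> PLC
    ("10.3.0.10", "10.2.0.5", 44818),   # historian -> PLC
    ("10.4.0.77", "10.2.0.5", 44818),   # IT host straight to a PLC: unexpected
]


def enrich_cmdb(cmdb, inventory):
    """Add unseen devices and record firmware changes; returns (new_cmdb, changes).
    The input snapshot is copied, not mutated, so a diff can be reviewed first."""
    updated = {mac: dict(rec) for mac, rec in cmdb.items()}
    changes = []
    for asset in inventory:
        current = updated.get(asset["mac"])
        if current is None:
            updated[asset["mac"]] = {"role": asset["role"], "firmware": asset["firmware"]}
            changes.append(("new_device", asset["mac"]))
        elif current["firmware"] != asset["firmware"]:
            changes.append(("firmware_changed", asset["mac"],
                            current["firmware"], asset["firmware"]))
            current["firmware"] = asset["firmware"]
    return updated, changes


def proposed_rules(inventory, flows):
    """Derive an allow-list from observed traffic (assumed criteria): keep a flow
    if it lands on an inventoried asset and either originates from another
    inventoried asset or is remote access landing on the L3.5 jump host.
    Anything not listed is implicitly denied."""
    by_ip = {a["ip"]: a for a in inventory}
    rules = []
    for src, dst, port in flows:
        target = by_ip.get(dst)
        if target is None:
            continue
        from_inventory = src in by_ip
        remote_to_jump = target["role"] == "jump_host" and target["zone"] == "L3.5"
        if from_inventory or remote_to_jump:
            rules.append(("allow", src, dst, port))
    return rules


def simulate(rules, flows):
    """Dry run: return the observed flows the proposed rules would block.
    Review this list before pushing rules to a firewall or switch ACL."""
    allowed = {(s, d, p) for _, s, d, p in rules}
    return [f for f in flows if f not in allowed]


def route_event(event):
    """Map a detected event to a ticket, or None if it does not meet the
    (assumed) criteria for raising one."""
    if event["category"] == "security" and event["severity"] == "high":
        return {"queue": "ot-soc", "priority": "P1", "summary": event["summary"]}
    if event["category"] == "operational" and event["severity"] == "high":
        return {"queue": "control-engineering", "priority": "P2",
                "summary": event["summary"]}
    return None


if __name__ == "__main__":
    _, changes = enrich_cmdb(CMDB, INVENTORY)
    for change in changes:
        print("CMDB:", change)
    rules = proposed_rules(INVENTORY, OBSERVED_FLOWS)
    for rule in rules:
        print("ACL:", rule)
    for src, dst, port in simulate(rules, OBSERVED_FLOWS):
        print("would block:", (src, dst, port))
        print("ticket:", route_event({"category": "security", "severity": "high",
                                      "summary": f"unexpected flow {src} -> {dst}:{port}"}))
```

The dry run is the important step: the one flow the derived rules would block is the IT host talking directly to a PLC, which is exactly the kind of finding you want to see as a ticket and review before the rule is enforced, rather than discover as an outage.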
And what if you could leverage this same solution across the business network to implement even more security controls, such as automated vulnerability scanning, patching, VLAN changes, and others that are more appropriate for the business network? You get the idea. The possibilities are almost endless, but more importantly, having full OT asset visibility allows you to be proactive when protecting your organization and significantly increases the maturity of your cybersecurity program across the entire enterprise.
Don’t get me wrong; I’m not advocating putting all of these controls into your critical OT environment. Rather, put in selective controls where they make sense and won’t disrupt your operations, for example in your Level 3 (site operations) and Level 3.5 (industrial DMZ) zones. This lets you build comprehensive, proactive security in phases, when and where it makes sense. Why would you buy that car without the tires again?
To learn more about how you can mature beyond OT asset visibility to build a proactive security program, download our OT Cybersecurity Playbook.