As Forescout’s designated operational technology (OT) and industrial control system (ICS) road warrior, I get the fantastic opportunity to consult with the industrial community about their OT/ICS security pain points. Companies I deal with in transportation, chemical, oil & gas, manufacturing, power generation, mining and other industries aren’t slackers by any means. Many are household names, and their management is all for allocating funds toward “improving security.” What is often lacking, though, is the clear direction as to what “improving security” actually entails. In most cases, my recommendation is to look to a well-known security framework for guidance. One such framework I like to reference is the SANS Top 20 Critical Controls.
Which SANS Critical Control is most critical?
The SANS Top 20 Critical Controls defines 20 information security controls that an organization can implement to improve its cybersecurity posture. Critical Control number one is Hardware Asset Management (HWAM), and for good reason. Unless you have a clear understanding of every device that is present on your network, you can’t assess the effectiveness of any additional security controls that are introduced after that. When you think about the Software Asset Management (SWAM) control, any approach to solving it will vary from one hardware platform to another. When you think about the Configuration Management control, the approach for solving it will vary not only by hardware type, but by software type as well. The same is true for Vulnerability Management. This is absolutely a linear process: each control depends on the one before it.
What happens when we start skipping steps?
Assume you’re told that there is a new malware exploiting a critical vulnerability in Microsoft Windows. The concern is that if a system is infected with this malware, the corresponding network propagation could bring down the process control devices in the ICS network. A data call is established, and the team looks at their last inventory, which establishes that there are X number of Windows devices that need to be checked for the patch. The team identifies all inventoried devices, patches them in an emergency maintenance window, and you report that you are 100% patched. A few weeks go by, and then it happens: the malware is propagating through the network and you have several manufacturing devices that keep dropping offline as a result. Nightmare scenario. The hunt team comes in and locates an additional set of Windows devices that were not present in the inventory and have been infected with the malware. It turns out that while you were reporting 100% compliance, that figure covered only the Windows devices that you actually knew about.
Situations like the one described above are not at all far-fetched, and the only way to get ahead of them is by having visibility into every single device that is present on your network. In other words, fully embracing HWAM as the foundational element upon which the remainder of your information security program is built.
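The inventory gap in the scenario above, as an added example that is not part of the original post: a short Python script that reconciles a static inventory against hosts actually observed on the network (passive or active discovery), lists the never-inventoried devices, and recomputes patch coverage against the real device population rather than the known one. The inventory and observation records are constructed, and the field names are assumptions.

```python
"""Reconcile a static hardware inventory against observed hosts and recompute
patch coverage against the true device population (constructed data)."""
import re

# Constructed: what the last inventory said exists (the "X Windows devices").
INVENTORY = [
    {"mac": "00:1A:2B:3C:4D:01", "host": "HMI-01", "os": "Windows", "patched": True},
    {"mac": "00:1a:2b:3c:4d:02", "host": "HIST-01", "os": "Windows", "patched": True},
    {"mac": "00-1A-2B-3C-4D-03", "host": "PLC-07", "os": "Embedded", "patched": None},
]

# Constructed: devices seen by discovery on the same segment; note the mixed
# MAC formats and the last entry, which the inventory has never heard of.
OBSERVED = [
    {"mac": "00:1a:2b:3c:4d:01", "ip": "10.10.1.11", "os": "Windows"},
    {"mac": "001A.2B3C.4D02", "ip": "10.10.1.12", "os": "Windows"},
    {"mac": "00:1a:2b:3c:4d:03", "ip": "10.10.1.30", "os": "Embedded"},
    {"mac": "00:1a:2b:3c:4d:99", "ip": "10.10.1.44", "os": "Windows"},
]

def norm_mac(mac: str) -> str:
    """Canonicalise colon, dash and Cisco dotted MAC formats to lowercase pairs."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(inventory, observed):
    """Return (devices on the wire but not in inventory, inventory entries not seen)."""
    inv = {norm_mac(d["mac"]): d for d in inventory}
    obs = {norm_mac(d["mac"]): d for d in observed}
    unknown = [obs[m] for m in sorted(obs.keys() - inv.keys())]
    stale = [inv[m] for m in sorted(inv.keys() - obs.keys())]
    return unknown, stale

def patch_coverage(inventory, observed, os_name="Windows"):
    """Reported coverage counts only inventoried hosts of that OS; actual coverage
    counts every observed host of that OS, with never-inventoried ones unpatched."""
    inv = {norm_mac(d["mac"]): d for d in inventory}
    inv_os = [d for d in inventory if d["os"] == os_name]
    obs_os = [d for d in observed if d["os"] == os_name]
    reported = sum(1 for d in inv_os if d["patched"]) / len(inv_os) if inv_os else 0.0
    known = [inv.get(norm_mac(d["mac"])) for d in obs_os]
    actual = sum(1 for d in known if d and d["patched"]) / len(obs_os) if obs_os else 0.0
    return reported, actual

if __name__ == "__main__":
    unknown, _stale = reconcile(INVENTORY, OBSERVED)
    reported, actual = patch_coverage(INVENTORY, OBSERVED)
    print("never-inventoried devices:", [d["ip"] for d in unknown])
    print(f"reported coverage {reported:.0%}, actual coverage {actual:.0%}")
```

With the constructed data the inventory reports 100% patched while the true Windows population is only two-thirds covered, which is exactly the gap the hunt team finds in the scenario.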
HWAM is second-nature to Forescout
Forescout is solving for HWAM in OT/ICS environments today through integration with the network infrastructure, integration with existing inventory solutions, and a comprehensive set of both passive and active capabilities designed to learn the various endpoint attributes that are required to execute HWAM successfully; this is why Forescout CounterACT® is the foundation for many of my industrial customers’ information security programs. This ability to learn about assets in OT/ICS networks without the risks associated with other less flexible approaches is incredibly important to owners of operational technology systems. Once HWAM is in place, everything else can follow naturally—from Software Asset Management, to Configuration Management, to Vulnerability Management, on to the 16 additional controls layered on afterwards. All are important capabilities, but not without embracing HWAM first.