Dealing with OT asset monitoring and discovery to enhance cybersecurity across industrial, OT systems

OT asset monitoring and discovery plays a crucial role in safeguarding industrial systems and critical infrastructure from cyber threats and is becoming increasingly prominent in cybersecurity programs. It involves the continuous tracking and identification of operational technology (OT) assets within a network, typically covering industrial control systems (ICS), sensors, actuators, and other devices that are vital to the functioning of industries such as manufacturing, energy, and transportation.

By implementing OT asset monitoring and discovery, organizations can gain real-time visibility into their OT networks, detect unauthorized devices or changes, and respond promptly to potential security incidents. This proactive approach helps in preventing cyber-attacks, minimizing downtime, and ensuring operational continuity. Understanding the basics of OT asset monitoring and discovery can go a long way in appreciating its significance in the realm of cybersecurity. 

Industrial Cyber reached out to industry experts to evaluate the importance of OT asset monitoring and discovery in protecting industrial systems. The experts also discussed the leading technologies that are propelling progress in OT asset monitoring.

Qiang Huang, head of product management of Palo Alto Networks’ IoT security product, said that in the not-so-distant past, the physical world of operational technology, i.e. the OT systems used in operational environments, was separate from the digital world of enterprise applications on servers and storage systems with internet connectivity.

Qiang Huang, head of product management of Palo Alto Networks IoT security product

“The adoption of connected OT devices, 5G technology, and migration to the cloud are all parts of digital transformation that many industrial organizations are pursuing to enhance worker safety, improve operational efficiency, and reduce costs,” Huang told Industrial Cyber. “However, without proper solutions to manage asset monitoring and discovery, organizations are putting themselves at extreme risk of being infiltrated by threat actors.”

He also pointed out that security solutions that bring and adapt zero trust principles for the unique needs of OT networks allow organizations to know and assess their OT threat surface with accurate device visibility.

William Noto, vice president for industry principal at Claroty

“When thinking about the strategy behind safeguarding industrial systems, it all starts with identifying what you have to protect,” William Noto, vice president for industry principal at Claroty, told Industrial Cyber. “Asset discovery, and its subsequent monitoring, allows organizations to have full visibility into their operational technology (OT) environments, which makes defending against threat actors a much more seamless task – but the ease in protecting is only possible when every asset is accounted for – which, according to a recent survey, on average 40% of OT assets currently are not.” 

Noto added that technologies and solutions that identify assets, map the network to show how everything is connected, report risk levels, and detect risks in real time are key to driving advancements in OT asset monitoring. “Because so many OT devices are connected to the network, it is essential that managers have a concrete understanding of where and how each asset works together. This knowledge allows internal teams to quickly take action to secure assets and prevent negative consequences before it’s too late.”

Mark Carrigan, senior vice president of process safety and OT cybersecurity at Hexagon Asset Lifecycle Intelligence, told Industrial Cyber that OT asset monitoring and discovery are critical components of an overall industrial control system cybersecurity strategy.

“Monitoring is generally done by inspecting network traffic and is useful for both detecting behaviors that indicate a cyber security attack and providing a high-level asset inventory of devices in the control system network,” according to Carrigan. “However, monitoring network traffic alone is insufficient to obtain a complete inventory.” 

Mark Carrigan, senior vice president, process safety and OT cybersecurity, Hexagon ALI

He added that to compile a holistic inventory that includes all hardware, software, and firmware (along with the relevant manufacturer, model, serial number, and version), companies are investing in technology that can compile this information from system backup files that are a much richer source of inventory data compared to network traffic alone.

The executives address how organizations tackle the challenges of discovering and monitoring diverse OT assets. They also highlight success stories where effective OT asset monitoring has prevented cyber threats.

“Comprehensive visibility is a key element to all cybersecurity frameworks; you need to understand what needs to be secured and managed before you can align on appropriate security policy across all IT, OT, and IIoT assets,” according to Huang. “Today, organizations fail to properly discover and monitor these assets or fail in ad hoc attempts to do so. There are solutions available today that use AI and ML to quickly and accurately discover all OT assets in real-time and understand their behavior patterns and risk exposure, passively and non-intrusively without impacting OT systems.” 

Huang added that this is the first step to being able to truly secure an environment and ultimately derive more value from technical investments by having an accurate inventory of all assets in a particular area of operation, lessening the strain on business leaders.

Organizations have to start by implementing the right tools to help them, Noto said. “You need a platform that gives you comprehensive visibility into all of these assets. Between managing IT and OT security, teams don’t have time to discover, catalog, and manage each individual asset in their environment.” 

“Historically, engineering and operations teams’ security efforts have been siloed, which leads to gaps in protection. The process team doesn’t know about OT, and the security team doesn’t know about the process,” according to Noto. “Breaking down these silos to streamline protection is a top priority. Motivating teams to participate starts with the why.”

He added that “we have to link the importance of security to the work of each member of the organization. This brings major benefits, as it helps all teams feel connected to the success of maintaining a strong cybersecurity posture for both IT and OT environments.”

“The companies that are more mature in their OT cybersecurity strategy are using network monitoring technology combined with configuration backup collection and processing to collect a holistic inventory of their OT assets,” Carrigan noted. “This holistic inventory has benefits beyond just OT cybersecurity and is used by the operations team to improve system reliability.”  

As an example, Carrigan pointed to the fact that configuration backups can collect information required to identify assets that are approaching the end of life and support, allowing operators to plan upgrades accordingly. “Additionally, the configuration backups can be used to identify control strategy changes that can or have impacted operations.”
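The reconciliation Carrigan describes, as an added example that is not from the article or any vendor product: a passive traffic view is merged with inventory parsed from configuration backups, gaps in either direction are reported, per-PLC inventory items are counted, end-of-support firmware is flagged, and a control strategy change is detected by comparing program hashes across two backups. All asset data, the backup format and the end-of-life table are constructed for illustration.

```python
from hashlib import sha256
from datetime import date

# Constructed: what passive traffic monitoring alone reveals (IP, vendor guess, protocols).
TRAFFIC_SEEN = {
    "10.1.0.11": {"vendor": "VendorA", "protocols": {"modbus"}},
    "10.1.0.12": {"vendor": "VendorA", "protocols": {"modbus", "s7"}},
    "10.1.0.20": {"vendor": "unknown", "protocols": {"ethernet-ip"}},
}

# Constructed: richer data parsed from configuration backup files (hypothetical format).
BACKUPS = {
    "10.1.0.11": {"model": "PLC-1000", "serial": "SN-0001", "firmware": "2.4.1",
                  "modules": ["CPU", "DI-16", "DO-16", "ENET"], "program": "MAIN:=A AND B"},
    "10.1.0.13": {"model": "PLC-1000", "serial": "SN-0003", "firmware": "1.9.0",
                  "modules": ["CPU", "AI-8"], "program": "MAIN:=C"},
}

# Constructed: end-of-support dates keyed by (model, firmware version).
EOL = {("PLC-1000", "1.9.0"): date(2023, 1, 1)}

def reconcile(traffic, backups, today=date(2024, 6, 1)):
    """Compare the traffic-derived and backup-derived views and attach risk flags."""
    seen, backed = set(traffic), set(backups)
    report = {
        "no_backup": sorted(seen - backed),      # talks on the network, no config collected
        "silent_assets": sorted(backed - seen),  # in backups, never seen by passive monitoring
        "eol": [],
        "inventory_items": {},
    }
    for ip, b in backups.items():
        # Each hardware module, the firmware image and the program are inventory items.
        report["inventory_items"][ip] = len(b["modules"]) + 2
        end = EOL.get((b["model"], b["firmware"]))
        if end and end <= today:
            report["eol"].append(ip)
    return report

def program_changed(old_backup, new_backup):
    """Detect a control-strategy change by hashing the program section of two backups."""
    digest = lambda b: sha256(b["program"].encode()).hexdigest()
    return digest(old_backup) != digest(new_backup)
```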

The executives analyze the evolution of OT asset monitoring in response to emerging technologies. Additionally, they explore the potential dangers associated with neglecting or insufficiently monitoring OT assets within critical infrastructure sectors.

“The OT asset data captured is used to identify and prioritize risks. Once risks are identified, organizations can mitigate them with active defenses and system hardening,” Huang mentioned. “With comprehensive data, ‘regular’ device patterns can be identified, enabling AI to be trained to detect and respond to abnormalities.” 

Huang said that by establishing a baseline of regular activity, internal and external communications and alerts in case of deviation from normal process behavior can be enabled, allowing the identification of real-time malicious activities and anomalies within the system. 
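The baseline-and-deviation approach Huang outlines, as an added example that is not from the article or Palo Alto Networks: a learning period of flow records yields the set of known hosts and known (source, destination, protocol, operation) tuples, and live records outside that set raise alerts. Flow records and protocol operation names are constructed for illustration.

```python
# Constructed flow records: (src, dst, protocol, operation) as a passive monitor might emit.
BASELINE_FLOWS = [
    ("10.1.0.5", "10.1.0.11", "modbus", "read_holding"),
    ("10.1.0.5", "10.1.0.12", "modbus", "read_holding"),
    ("10.1.0.5", "10.1.0.12", "modbus", "write_single"),
] * 10  # repeated to represent a learning period of steady HMI polling

LIVE_FLOWS = [
    ("10.1.0.5", "10.1.0.11", "modbus", "read_holding"),     # matches baseline
    ("10.1.0.99", "10.1.0.11", "modbus", "write_multiple"),  # host never seen before
    ("10.1.0.5", "10.1.0.12", "modbus", "write_single"),     # matches baseline
    ("10.1.0.5", "10.1.0.11", "s7", "download_block"),       # known pair, new protocol/op
]

def learn_baseline(flows):
    """Baseline = known hosts plus the set of observed communication tuples."""
    hosts = {f[0] for f in flows} | {f[1] for f in flows}
    return {"hosts": hosts, "tuples": set(flows)}

def detect_deviations(baseline, flows):
    """Return one alert per flow that falls outside the learned baseline."""
    alerts = []
    for src, dst, proto, op in flows:
        if src not in baseline["hosts"] or dst not in baseline["hosts"]:
            alerts.append(("unknown_host", src, dst, proto, op))
        elif (src, dst, proto, op) not in baseline["tuples"]:
            alerts.append(("new_behavior", src, dst, proto, op))
    return alerts
```

In practice the learning period must be long enough to cover infrequent but legitimate activity, such as scheduled engineering changes, or those will surface as deviations.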

“With strong asset visibility, the network security professionals can craft proper segmentation and controls to prevent potential incidents,” according to Huang. “While asset management does not thwart incidents directly, one of the missed victories of the Colonial Pipeline event was that the pipeline operation itself was never at risk; proper segmentation was present. They knew the boundaries of their critical assets and protected them accordingly.”

Noto pointed out that OT environments are teeming with asset modifications and changes that, if not handled carefully, can have dire impacts on operations. “Unmonitored events such as online edits, configuration tweaks, or mode changes harbor the potential to disrupt productivity and inflict major financial repercussions.”

He added that OT asset data, including information on asset type, protocol usage, IP address, device manufacturer, and firmware version, is needed to respond to cyber threats. “This type of data can be used to mitigate risks to industrial enterprises as it helps operators understand where the threat is taking place and what risks it poses.”

For example, Noto said that OT asset data can be used for network segmentation. “When the security team knows which assets sit in what networks, they can pinpoint threats and quickly shut them down before they spread across the organization. Full visibility and asset profiling also help to understand exposure to cyber risk.” 

Noto added that visibility allows OT operators to quickly determine if suspicious activity is happening on any of their industrial networks or devices – even in aging systems that utilize proprietary protocols. “They can monitor for threats and identify risks due to unpatched vulnerabilities in high-priority assets or misconfigurations, allowing them to act faster to mitigate risk and ensure continued operations of critical processes.”

OT asset data and vulnerability analysis, combined with operational risk information, are the best way to identify and mitigate OT cybersecurity risk, according to Carrigan.

“Every control system network contains known vulnerabilities, and all of these cannot be removed due to compatibility and operational issues. What is important is to quantify the risk associated with these vulnerabilities and to develop a strategy to mitigate those, that if compromised, will have the largest impact on the business,” Carrigan said. “Additionally, having a robust configuration backup strategy that includes the ability to detect changes to the control system strategy is crucial to responding to a cyber-attack.” 

Carrigan highlighted that all companies should assume they are a target and that infiltration is inevitable. “While they implement technology to detect these incidents, they must also have a strategy to minimize the impact and recover operations within an acceptable time period.”

The executives discuss the impact of regulations and compliance standards on the formulation of OT asset monitoring strategies. They also evaluate the significance of collaboration in creating effective OT asset monitoring solutions.

“Regulation and compliance standards can positively and potentially negatively impact industrial systems. From a positive perspective, they drive best practices with some set of metrics and desired outcomes,” Huang said. “Conversely, these standards have been misapplied at times and drive adherence goals above security goals. With a focus centered on securing the cyber-physical system, strong knowledge of OT assets will result in informed policy and enforcement.” 

Huang added that visibility without the ability to enforce policy is at best a hollow victory, and at worst, a potential ‘mission accomplished’ miss. “It is important to be driven towards a security goal with regulatory and compliance guidance and justifications, but inevitably true security is the ultimate goal.”

Noto said that government-level regulations and standards such as CDM DEFEND, NERC CIP, NIST CSF, and U.S. NDAA Section 1505 currently promote or require varying levels of asset monitoring strategies across a range of industries, which is causing organizations to take action toward proactive asset protection. 

“The TSA directives are a great example of how government regulations will impact OT security. The original directive addressed pipeline owners and operators, released in 2021 and revised in 2023, and TSA went on to add rail transportation and aviation,” Noto pointed out. “These directives are focused on performance-based measures to boost the cyber resilience of U.S. critical infrastructure as a result of persistent transportation cyber threats.” 

He added that the TSA took emergency action by requiring the development of an implementation plan that describes the measures transportation providers are or will be taking to strengthen cybersecurity resilience and prevent operational disruption and infrastructure degradation.

“While governments have historically shied away from being too prescriptive in cybersecurity regulations, policymakers have since made it clear that free market forces alone will not adequately mitigate the risks at hand,” according to Noto. “We’ve seen further government regulation regarding CPS security come to fruition already in 2024 with the new HPH CPGs. Asset inventory is now on the ‘enhanced goal’ list to help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense needed to protect against additional attack vectors.”

Carrigan said that most OT cybersecurity standards and regulations imply the need both to monitor OT assets and to collect a system inventory. “What is lacking in these standards today is a consistent definition of what comprises a good inventory,” he added.

For example, Carrigan noted that it is not sufficient to know that a PLC is located on the OT network. “In order to have a complete inventory of a PLC, you need to know all of the hardware, software, and firmware installed on that PLC. When added together, a typical PLC will have on average between 30 and 75 items of inventory (processor, input/output cards, communication modules, software, firmware, etc.).”

As the regulatory environment matures, regulations will likely become more specific about what information needs to be included in an OT asset inventory, Carrigan concluded.
