Rising significance of OT asset visibility in cybersecurity resilience across critical infrastructure

2024.01.07

Critical infrastructure organizations face an increasing cybersecurity threat and attack landscape. To address this, they need to establish and manage a detailed inventory of industrial control systems (ICS) devices for OT asset visibility. This involves assessing and recording organizational assets, their specifications, software versions, network roles, and operational data. It is crucial for risk management and for maintaining reliable operations in industrial settings. Creating and maintaining such an inventory enables organizations to identify potential vulnerabilities and threats, supporting careful planning, a combination of physical and network-based strategies, and robust security protocols.

Efficient maintenance of asset inventories leads to better understanding and more focused risk assessments. Understanding how devices communicate with each other supports network segmentation efforts and other projects. Continuous monitoring is enabled by logs from automated visibility solutions. By understanding the specific role of each device, organizations can strategically allocate security resources, prioritizing protection for critical assets. This enhances the overall safety and security of the OT (operational technology) environment and ICS.

Comprehensive asset visibility is crucial for enhancing cybersecurity and ensuring the reliability of industrial systems in OT environments. It is necessary due to the interconnected nature of industrial processes in critical infrastructure such as power plants and manufacturing facilities. Understanding the inventory of devices and systems enables organizations to detect vulnerabilities, monitor network activities, and respond promptly to potential threats. Effective collaboration between IT and OT on organizational asset visibility reduces security risks and improves threat detection.

Leveraging OT asset visibility is a vital step in the organization’s cybersecurity program, enabling comprehensive risk assessment, efficient threat detection, and informed cybersecurity investments. Ongoing collaboration between IT and OT ensures effective security measures and reduces risks to stakeholders. In essence, OT asset visibility is a foundational element in the protection and optimization of industrial operations.

Industrial Cyber reached out to cybersecurity experts to assess the significance of asset visibility in OT environments and also delved into the challenges that organizations encounter when striving to maintain asset visibility. Furthermore, the experts explore how asset visibility contributes to bolstering cybersecurity resilience in critical infrastructure sectors.

Jonathon Gordon, directing analyst at Takepoint Research

Asset visibility plays a crucial role in bolstering cybersecurity resilience within critical infrastructure sectors, Jonathon Gordon, directing analyst at TP Research, told Industrial Cyber. “The asset inventory, or ‘register,’ in OT environments serves as a central source of truth. It provides in-depth insights beneficial to various stakeholders, including those concentrating on risk management and vulnerability mapping. This inventory is vital for linking potential vulnerabilities to specific assets, thereby becoming a fundamental element in effective vulnerability management.”

Nevertheless, there are significant challenges to overcome, Gordon flagged, adding that these include difficulties in tracking non-communicative devices, the complexities present in multi-vendor and multi-site environments, and the need to safeguard the asset inventory against unauthorized access.

“Maintaining a well-updated asset inventory is key to rapid incident detection and response. It enables the swift identification of compromised assets, allowing for a targeted and efficient reaction,” according to Gordon. “Continuously refreshing the asset inventory to mirror changes in the environment is essential for operational efficiency and thorough vulnerability management.” 

Anand Oswal, Senior Vice President, Network Security, Palo Alto Networks

Anand Oswal, senior vice president of product for network security at Palo Alto Networks, told Industrial Cyber that asset visibility is vital for cybersecurity resilience in OT environments, particularly within critical infrastructure. “It allows organizations to monitor and manage assets, identifying vulnerabilities and potential threats. Challenges arise due to legacy equipment, lack of standardized protocols, and complex operating environments, making comprehensive visibility difficult. Inadequate visibility impedes threat detection, response, and overall cybersecurity posture.”

Oswal added that enhanced asset visibility addresses the compliance gap, proactive vulnerability management, streamlined incident response, and policy enforcement, and helps mitigate cyberattack risks in critical infrastructure sectors. “A well-maintained asset visibility framework is essential for ensuring the kind of cybersecurity posture and resilience that critical systems and infrastructure require.”

An accurate inventory of connected and isolated assets is vital to improve security and process safety risk, Mark Carrigan, senior vice president of process safety and OT cybersecurity at Hexagon Asset Lifecycle Intelligence, told Industrial Cyber. 

Mark Carrigan, cyber vice president for process safety and OT cybersecurity at Hexagon PPM

“Industrial operators must ensure that assets used in OT are verified, documented, secured and properly maintained,” according to Carrigan. “An audit-based approach will never get you to this level of visibility. It requires software that can automate the data-gathering process and serve it in a way that is digestible to users. OT environments are often dynamic, with assets regularly added, moved, or decommissioned. Staying on top of the frequent changes becomes challenging without a robust asset management process.”

Carrigan added that an in-depth OT asset inventory becomes the foundation for vulnerability and risk management as it enables the establishment of security baselines, managing change, automating closed-loop patch management, meeting internal and external compliance requirements, investigating incidents, and understanding potential attack vectors.

Carlos Buenaño, CTO for OT at Armis

“Asset visibility enables organizations to understand and manage their critical assets effectively. Assets such as industrial control systems (ICS) devices play a critical role in the functioning of critical infrastructures,” Carlos Buenaño, CTO for OT at Armis, told Industrial Cyber. “Having visibility of these assets allows organizations to monitor their health, performance, and security status, ensuring the continuity and reliability of their operations.” 

Buenaño pointed out that asset visibility enhances cybersecurity resilience in critical infrastructure sectors by providing real-time insight into the security posture of critical assets, enabling organizations to quickly detect and respond to any anomalies or malicious activities. It also allows for better asset management, ensuring that security patches and updates are applied in a timely and consistent manner, reducing the risk of potential vulnerabilities being exploited, he added.

The experts analyze how advancements in technology, such as IoT and connected devices, have impacted the complexity of achieving comprehensive asset visibility in OT environments. They also look into how the integration of AI and machine learning contributes to better asset visibility and proactive threat detection in industrial settings. 

Gordon outlined that AI and machine learning are revolutionizing the way industrial enterprises manage cybersecurity. “They offer an automated approach to threat management, providing swift updates and responses to new vulnerabilities and threats. AI and machine learning enable detailed asset discovery and classification, tracking new devices and changes in operational activities in real time. They are particularly adept at detecting vulnerabilities and risks, using extensive databases to monitor assets and policies, thus offering rapid insights into potential security gaps,” he added.

“Furthermore, these technologies excel in risk and exposure management, assessing and quantifying the severity of risks associated with each connected asset,” according to Gordon. “They also automate workflows for incident response, utilizing risk scores to facilitate decision-making and compliance adjustments. Another key contribution is the enhancement of IoT security through passive discovery techniques, which ensures real-time identification and robust protection for OT/IIoT devices.”

Gordon added that the comprehensive approach to asset visibility and threat detection not only boosts operational efficiency but also strengthens the cybersecurity framework in these increasingly dynamic industrial environments.

“Advancements in technology, notably IoT and connected devices, have heightened the complexity of achieving comprehensive asset visibility in OT environments,” Oswal said. “The sheer volume and diversity of interconnected devices make monitoring challenging. Legacy systems that lack modern security features compound the issue.”  

Oswal added that the integration of AI and machine learning addresses this challenge by enabling sophisticated analytics to process vast amounts of data. “These technologies can identify communication patterns, anomalies, and potential threats, enhancing asset visibility and enabling proactive threat detection in industrial settings. AI and machine learning systems adapt to evolving cyber threats, providing a dynamic defense mechanism crucial for securing OT environments amidst the increase in assets introduced by IoT and connected devices.”

According to Carrigan, many industrial facilities are challenged with inventorying the assets that are critical to the industrial process. Adding in the additional complexity of IoT devices with differing communication protocols, the increase in data volume and interoperability challenges makes having a solid asset management strategy that much more important.

“AI is not a technology currently used for collecting a holistic asset inventory. Assembling an asset inventory is a ‘deterministic’ exercise, leveraging technology to discover the assets in an OT environment,” according to Carrigan. “AI algorithms are typically ‘inferential,’ creating predictions based upon processing data against an existing model; it is unlikely that AI will become the technology of choice for collecting inventory. Where AI algorithms and machine learning shine is in establishing baseline behavior and detecting anomalies from the baseline in real time.”

Widespread implementation of IoT and connected devices has greatly increased the complexity of achieving comprehensive asset visibility in OT environments, Buenaño said. “With more devices being interconnected and collecting vast amounts of data, it has become increasingly challenging to track and monitor all assets in industrial settings.” 

Buenaño added that the integration of AI and machine learning has been instrumental in addressing these challenges and improving asset visibility in OT environments. “By utilizing these advanced technologies, organizations can analyze and interpret vast amounts of data from different devices and systems to identify patterns and anomalies. This allows for proactive threat detection and mitigation, as any abnormalities can be quickly detected and addressed before they cause significant damage.”

The executives delve into the crucial considerations that organizations must address when implementing and managing asset visibility solutions in their OT ecosystems. Additionally, they analyze the strategies and advanced technologies that OT environments employ to enhance asset visibility. They also evaluate the effectiveness of these strategies and technologies in addressing the ever-evolving cyber threats.

Gordon said that the “up-to-date asset inventory is essential for identifying software and hardware vulnerabilities, requiring regular updates to reflect environmental changes and maintain operational efficiency. Continuous vulnerability monitoring is vital to dynamically adapt to new threats, integrating OT asset management with overall security strategies for unified protection. This involves assessing and prioritizing vulnerabilities based on their impact on operational safety.”

“OT environment strategies address challenges of legacy systems and proprietary protocols, requiring tailored discovery approaches due to network segmentation,” according to Gordon. “Adaptive strategies and frequent updates in vulnerability management are necessary to effectively respond to the evolving cybersecurity landscape. Remember, just as vulnerabilities, threats, and malicious actors are constantly evolving, so too should your approach.”

Oswal said that customers think about a few key considerations for gaining comprehensive visibility. “First they are thinking through and respecting their operational constraints to avoid potential disruptions from their asset visibility solutions in OT ecosystems. Maintaining uptime is critical. Second, they are looking for solutions that understand OT. Manufacturers need tools that truly speak the language of OT, and that can combine machine learning with crowdsourced telemetry to identify the company’s IT and OT assets, apps, and users.”  

“Third, we see many companies looking for a comprehensive solution that seamlessly integrates with their broader enterprise visibility and security architecture, ensuring a census view of their entire estate,” Oswal added. “Finally, the leading customers we see are thinking beyond visibility and are including a plan for continuous monitoring. Given the dynamic and increasing connectivity of OT to IT and the cloud, companies need to keep ongoing monitoring to detect anomalies and threats.”

He said that with these best practices, manufacturers can better position themselves with comprehensive visibility that can defend against evolving cyber threats.

Carrigan said that the definition of a ‘good’ OT asset inventory is not universally defined. “A complete OT asset inventory must include all Level 2, Level 1, and Level 0 OT assets. These are the devices and sensors that connect to process equipment that moves devices and molecules, which ensure safe and reliable production. To get to this level of visibility, deriving the inventory using configuration files is the most robust and safe approach,” he added.

He recommended several strategies: gain a complete asset inventory of OT and IT endpoints, particularly at Levels 0 to 3 of the Purdue Model; baseline the ‘known good’ configuration of critical assets and understand how data moves through the network; identify and assess vulnerabilities in assets and endpoints; use forensic analysis of configuration changes so that incident responders can fully understand the composition of an incident and reduce mean time to recover (MTTR); and improve business continuity by having a complete, trusted backup and restore point.
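The register, baseline and change-analysis steps Carrigan outlines can be sketched in code. The following is an added example, not code from the article or from any vendor named in it: a minimal asset register keyed by Purdue level, a hashed ‘known good’ configuration baseline per asset, drift detection against that baseline, and a mapping of advisories onto the register ordered so that assets closest to the physical process come first. All assets, configuration exports and advisory identifiers are constructed sample values.

```python
"""Added example (not from the article or any named vendor): an OT asset
register with Purdue levels, a known-good configuration baseline per asset,
drift detection, and advisory-to-asset mapping. All data is constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class Asset:
    asset_id: str
    vendor: str
    model: str
    firmware: str
    purdue_level: int          # 0 = sensors/actuators ... 3 = site operations
    baseline_sha256: str = ""  # hash of the known-good configuration export


def config_hash(config_text: str) -> str:
    """Hash a configuration export so it can be compared with later exports."""
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()


def baseline(asset: Asset, config_text: str) -> None:
    """Record the 'known good' configuration for an asset."""
    asset.baseline_sha256 = config_hash(config_text)


def detect_drift(asset: Asset, current_config: str) -> bool:
    """True when the current configuration no longer matches the baseline."""
    return config_hash(current_config) != asset.baseline_sha256


def match_advisories(register, advisories):
    """Return (asset_id, advisory_id) pairs, most process-critical first."""
    hits = []
    for asset in register:
        for adv in advisories:
            if (adv["vendor"], adv["model"]) == (asset.vendor, asset.model) \
                    and asset.firmware in adv["affected_firmware"]:
                hits.append((asset.asset_id, adv["id"]))
    # Lower Purdue level = closer to the physical process = higher priority
    level = {a.asset_id: a.purdue_level for a in register}
    return sorted(hits, key=lambda hit: level[hit[0]])


def run_demo():
    """Constructed sample: two assets, later config exports, an advisory feed."""
    hmi = Asset("HMI-01", "ExampleVendor", "HMI-500", "3.0", purdue_level=2)
    plc = Asset("PLC-01", "ExampleVendor", "PLC-2000", "1.2", purdue_level=1)
    register = [hmi, plc]
    baseline(hmi, "display=main\nusers=operator\n")
    baseline(plc, "scan_ms=50\nwrite_protect=on\n")
    # Later exports: the PLC's write protection has been switched off
    current = {"HMI-01": "display=main\nusers=operator\n",
               "PLC-01": "scan_ms=50\nwrite_protect=off\n"}
    drifted = [a.asset_id for a in register if detect_drift(a, current[a.asset_id])]
    advisories = [  # constructed identifiers, not real CVEs
        {"id": "ADV-EXAMPLE-001", "vendor": "ExampleVendor", "model": "HMI-500",
         "affected_firmware": ["3.0"]},
        {"id": "ADV-EXAMPLE-002", "vendor": "ExampleVendor", "model": "PLC-2000",
         "affected_firmware": ["1.1", "1.2"]},
    ]
    return {"drifted": drifted,
            "advisory_hits": match_advisories(register, advisories)}


if __name__ == "__main__":
    print(run_demo())
```

In practice the hashed baseline would be taken from real configuration exports, and a drift hit would be followed by a line-level diff of the stored and current export to support the forensic analysis Carrigan describes.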

“One of the key considerations is the balance of security and operational efficiency. Organizations must ensure that their OT assets are visible and accessible for monitoring and maintenance purposes while also protected from cyber threats,” Buenaño detailed. “This requires a comprehensive understanding of their OT assets, including their location, vulnerabilities, and connections to other systems. To improve asset visibility in OT environments, organizations are employing strategies such as network segmentation, network monitoring, and asset inventory management systems. These help to limit the attack surface and detect any unauthorized or malicious activity.”

Additionally, advanced technologies such as ICS firewalls and anomaly detection systems are being used to enhance asset visibility in OT systems, according to Buenaño. “These technologies use machine learning and AI to continuously monitor and analyze network traffic, allowing for faster detection and response to evolving cyber threats. Organizations must regularly update and test their asset visibility solutions to ensure they keep pace with these changes.”

In light of increasing cyber threats, the executives evaluate how regulatory bodies and industry standards are evolving to address the importance of asset visibility in safeguarding critical infrastructure. They also list the key factors that they expect will play a key role when it comes to asset visibility in 2024. 

“Asset discovery and vulnerability management are increasingly becoming driven by AI and machine learning, evolving to match the capabilities of attackers,” according to Gordon. “A notable advancement will be the application of AI beyond just handling vast amounts of data; it will be increasingly used to facilitate more informed and rapid decision-making. This development is crucial in addressing the shortage of skilled industrial cybersecurity professionals.”

Regulatory authorities are placing greater emphasis on the security-by-design principle, a forward-thinking strategy that incorporates security elements from the initial design phase of products and systems, according to Gordon. This approach is increasingly vital in an era marked by the growing sophistication and prevalence of cyber threats, calling for a more robust and proactive cybersecurity methodology. Integrating security features from the beginning significantly lowers the risk of vulnerabilities and cyber-attacks, improving upon the traditional method of treating security as an afterthought.

Consequently, Gordon added that “we can expect the introduction of more stringent regulations in key sectors. These new regulations are likely to mandate in-depth risk assessments and the incorporation of secure development practices from the initial stages of product and system creation.”

Cybersecurity incidents involving critical infrastructure can have significant consequences: financially, operationally, reputationally, and even to human safety, Oswal assesses. “At the federal level, we’ve seen an increased focus on securing these OT environments, and this is playing out through a number of new and evolving guidelines and compliance frameworks. ISA/IEC-62443 and NIST SP 800-82 are two frameworks that were developed for manufacturers to adopt best practices in cyber security. An increasing number of industrial organizations are adhering to these directives to understand security weaknesses.”   

In 2024, he added that “we anticipate the creation of more specific standards focused on OT security that will prompt more organizations to focus on building comprehensive asset visibility.”

Carrigan expects more emphasis on mandatory reporting like the U.S. Securities and Exchange Commission’s ruling on material incident reporting requirements. “To effectively adhere to this ruling will require comprehensive asset visibility and the security measures in place.”

“There will be a greater focus on OT Cybersecurity and Asset Protection. Cyber threats will continue to evolve and grow in sophistication with malware written specifically to attack OT assets,” according to Carrigan. “Asset visibility will be a critical component to ensure the correct security measures are in place and enable organizations to identify, evaluate and prioritize risk more effectively.”

In Europe, for example, the cybersecurity landscape is poised for a drastic change with the implementation of the NIS2, Buenaño pointed out. “This directive aims to improve the overall cybersecurity and resilience to prevent and respond to cyber threats and incidents. It requires member states to establish a national cybersecurity strategy, designate national authorities and a Computer Security Incident Response Team (CSIRT) to oversee and enforce the regulation, and create a cooperation network among EU member states to exchange information and share best practices. The regulation also imposes security measures and incident reporting requirements for relevant organizations and requires them to have appropriate risk management practices in place,” he added.

Buenaño concluded that on a global scale, “we’ll see a shift by critical infrastructure organizations to adopt cloud-based cybersecurity solutions that are enhanced by AI. In 2024, as the security benefits of cloud-based solutions become increasingly evident for all industries and regulations adapt, we foresee a shift to the cloud, bringing more flexible and scalable cybersecurity measures to critical infrastructure.”
