Step 2 Addressing OT Cyber Risk: Asset Inventory & Dependencies
Managing OT Cyber risk takes on different approaches and expertise depending on the potential consequences of compromise to a particular system. This is why it is important to delve into the distinction and importance of an engineering-centric approach to managing OT cyber risk.
Moments after the discovery of a ransomware attack on the IT network of the North American Colonial Pipeline, company management responded with shutting down all physical operations out of “an abundance of caution”. As a result of this shutdown, Colonial lost 6 days of operation at 2.5 million barrels per day and paid nearly $5 million in ransom payment. The precautionary shutting down of operations reflected a degree of uncertainty in the cybersecurity controls in place at the time protecting the OT network from cyber attacks propagating through the IT network. The US Transportation Security Administration (TSA) responded by releasing a series of security directives following this event, with a common thread repeated through the series of directives: implement a cyber defense strong enough that, if the IT network is compromised, the OT network can continue operating at necessary capacity. The Colonial attack represents the present-day OT cyber risk scenario that industrial enterprises can no longer avoid; OT networks must be sufficiently protected from attacks arriving via more-exposed or less-consequential networks.
Designing a strong defensive posture to minimize OT cyber risk is a multi-step process, and one of the first places to start is by taking a thorough inventory, not only of industrial and cyber assets, but also of data flows and interdependencies. Physical assets and operations are what we need to protect, but data flows can be the means through which cyber sabotage attacks travel, and interdependencies must be discovered and understood as they complicate the task of how and what we need to protect. Let’s look at each of these in more detail.
“The precautionary shutting down of operations reflected a degree of uncertainty in the cybersecurity controls in place at the time protecting the OT network.”
Inventory Network Assets and Associated Vulnerabilities
In our previous article on step 1 of an OT Cyber Risk Management plan we identified the who; assigning responsibility for OT cyber risk management. Step 2 is identifying the what. This step in managing OT cyber risk is creating and maintaining an accurate asset inventory: the most accurate representation of the physical network. This exercise involves recording both assets and vulnerabilities/attack opportunities. Assets help us understand criticality and vulnerabilities help us understand exposure. An asset assessment accomplishes the goal of considering the worst-case consequences of compromise of each asset and subsequently assigning it a level of criticality. Once criticality is determined, it informs the strength of a security program needed for a system or network.
Taking an asset inventory can be manual (very labor intensive) or automatic. Automatic asset assessments are either passive “sniffing” or active “probing”. Each option has advantages and disadvantages and the type we choose will depend on staffing requirements, budget and the geographical expanse of our industrial sites. Documenting an entire operations network can be challenging, as industrial assets may not stand up well to network and device scanning. After all assets (both hardware and software), applications, endpoints and user accounts and any associated documentation such as vendor information and serial numbers have been recorded and inventoried, they should be grouped and organized in a manner that makes sense from a network architecture, functionality, and criticality perspective. The Purdue Model can serve as a useful starting point.
In addition to the inventory of physical hardware and software assets, taking an inventory of software vulnerabilities and exploitative opportunities helps us assess exposure. Software vulnerabilities can introduce compromise to the information being processed, stored, or transmitted by OT systems. Stolen credentials, weak permissions, weak passwords and other security configuration weaknesses can also be exploited. Assessing exposure to attacks tells us what opportunities attackers have to exploit.
Inventory Data Flows
In addition, if an attacker wants to mis-operate OT systems, he has to connect to those systems to mis-operatre them. Connectivity is how cybersabotage attacks reach targets – all data flows are potential attack vectors. Data flows include both physically carrying the attack information into the site (offline attacks) and exploiting digital connections through remote means (online attacks). Taking an inventory of data flows provides an understanding of how cyber-sabotage attack information can reach the systems we need to protect. The only way OT networks can experience cyber sabotage is for attack information to enter the system, somehow.
A useful way to document data flow inventories is to develop (and maintain) a network data flow diagram. The goal is not to document every data flow in a complex system – such a diagram would be complex beyond understanding. Major internal data flows should be documented or illustrated, but all online and offline data flows through physical or cyber perimeters to less-critical networks must be documented. It is data flows that permit attacks to cross criticality boundaries, such as the IT/OT network perimeter, that most urgently must be documented and understood.
The diagram should indicate bidirectional and unidirectional data flows, inputs/outputs, data storage, and again, data flows through which information and potential attack information from outside the OT network can pass to the inside. Many asset inventory solutions have diagram generating capabilities that can assist in changes to the network environment across time. This will prove advantageous both in designing and implementing appropriate cyber protections as well as in the case of incident response and recovery efforts following an attack.
Inventory Data Flows
Next, the OT cyber risk team must get a handle on network and other dependencies. For the purposes of assessing attack exposure, we must know about all the ways OT assets and physical operations depend on services from more-exposed IT, Internet or cloud networks. More difficult to determine, but just as essential, is that we must understand those tricky dependencies that exist even without communications between IT and OT assets and networks, such as procedural or logistical dependencies. These dependencies are important because IT assets are low hanging fruit for attackers. Even when OT systems or physical operations are the ultimate target of an attack, most OT network attacks begin with compromising IT systems. IT/OT interconnections and dependencies must be identified, protected and the data flow controlled to properly manage OT cyber risk.
For example, Active Directory systems are a common data flow dependency. In many organizations, OT systems need to connect to IT Active Directory servers to enable users to log in. In this scenario, if OT systems cannot connect to Active Directory servers residing in the IT network, OT is crippled. Subtler dependencies can exist; not all dependencies are reflected in information flows.
For example, during the NotPetya cyber attack, Maersk, the world’s largest container shipping company, suffered an operations outage because of a procedural dependency that was not evident in IT/OT information flows. The Notpetya malware crippled the database on the IT network that instructed truck drivers where to transport containers that were unloaded from ships in port. Since the tracking system was down, the drivers were unable to deliver the containers. Sometimes dependencies are complicated and the best way to investigate them is to assemble all stakeholders together to ask and understand – if all IT systems were shut down, could physical operations continue, and if not, why not?
Dependencies on IT systems are one reason that so many ransomware attacks result in outages of OT networks. Ransomware attacks impair IT networks more often than they do OT systems, and if OT networks have multiple dependencies with IT systems that ransomware has impaired, physical operations cannot continue. While it can be very difficult to eliminate all OT dependencies on IT systems, we cannot simply ignore any dependencies that must remain in place. Instead, we must recognize that IT systems which are essential to continued physical operations are in fact reliability-critical components. These reliability-critical systems may be hosted on the IT network instead of the OT network but must be managed and secured in many of the same ways that OT systems are managed and secured.
Wrapping it up
Documenting an asset inventory is a first step in the direction of determining the criticality of OT assets and contributes to understanding of exposure. Data flow inventory, especially of data flows permitting external info into OT networks document exposures (or attack vectors) that need to be eliminated or controlled. Dependencies expose OT systems to external attacks – not because the attacks reach OT systems, but because OT needs to shut down if IT systems that OT depends upon are crippled. The next step in an OT cyber risk assessment, assigning asset criticality, will be much more streamlined if the asset inventory step is carried out successfully.
Written by Courtney Schneider
Stay up to date
Subscribe to our blog and receive insights straight to your inbox