Efficient Risk Reduction: Asset Inventory Often Not In My Top Ten

I’m not anti-asset inventory. It’s a key part of asset management and maintenance without regard to reducing OT cyber risk. In fact I’d be more amenable to Operations prioritizing establishing and maintaining an asset inventory than OT Security.

At the right point in your OT security program it is the right thing to spend your resources on. Not because an asset inventory will reduce risk. Rather because it will be necessary for other security controls that will reduce risk.

The messaging and priority placed on establishing an OT asset inventory has been wildly successful. Over and over I’ve talked with asset owners who are just beginning their OT security program, and priority 1 is documenting the asset inventory, typically via the purchase of one of the OT detection products.

Even with PLCs and controllers directly connected to the enterprise network, where any employee can reach the PLCs on any port, they believe they should purchase one of these asset inventory tools and take the many months needed to establish an asset inventory. Crazy. I’ve helped convince some to change priorities, and in other cases not. They felt buying the product would satisfy management for a period of time.

You should evaluate where you place your OT security resources using an efficient risk reduction criterion, whether you are assessing your own system or hiring a third party. Where will you achieve the most risk reduction for the next hour or dollar spent? Remember to consider both likelihood reduction and consequence reduction actions.

An efficient risk reduction criterion pushes asset inventory outside of most top ten lists for those beginning, or in the early stages of, their OT security program.

Don’t I need an asset inventory for patching? Not for the most important security patching: the prioritized patching of the (hopefully small) number of cyber assets accessible from outside the OT zones.

In most cases I’d even prioritize the detection and incident response / forensics capability of the tools from Armis, Claroty, Dragos, Nozomi et al. over their use for asset inventory. Taken a step further, the efficient risk reduction ordering of the benefits of these products is:

  1. Forensic support for incident response, due to the retention of important data and minimal ongoing labor.
  2. Detection, where the ongoing labor cost varies a great deal. Alerting only on high-confidence, low-false-positive events is lower cost. Having OT expertise reviewing in real time is high cost.
  3. Asset inventory. Are you going to spend the money to put sensors everywhere to collect the data? Are you going to allow active probing to gather data? And again, you are not getting risk reduction by having an asset inventory. It is a foundation that allows other controls, which also cost time and money, to succeed.

I’m guessing many disagree with this, based on the popularity of the asset-inventory-first movement in OT security. If this is you, perform the exercise. Write down your likelihood and consequence reduction options. Keep it simple. Rate each as high, medium or low in resources required and in risk reduction achieved. Then sort the list from low resource / high risk reduction to high resource / low risk reduction. Then start with the items at the top of the list.

The great news is that if you are early in your OT security program, you will get some massive risk reduction at a very low cost.


Rob Orr

FBCS MIET - Interim CISO / Board advisor on Resilience / Cybersecurity Consultant

5 months

I'm fairly 'hard-over' about ruthless OT Cybersecurity prioritisation. Let's start with what happens if there is a successful cyber attack TODAY....So, Prevention has failed (we can come back to that later)....And so has Detection (all those blinking black boxes that you sold to your Exec as the 'silver bullet' have turned into more of a lead bucket)...What are you actually left with: the need to Respond and Recover (Contain, Disconnect, Revert to Manual, Eradicate, Recover, Switch to Backup, Hot-start, Warm-start, Cold-start, Rebuild etc etc)... Misguided advice that advocates anything (eg Risk Assessment, Detection tooling etc etc) before off-line backups of code and data plus a properly developed BCP / CIRP / DRP, and a team at Gold+Silver+Bronze levels that is properly trained, practised and tested in actually doing this response and recovery would be a derogation of duty for any competent CISO....period! If you haven't got a decent asset inventory then you are going to be floundering in the dark from the outset.

Yair Attar

Co-Founder, CTO | OTORIO | OT exposure management

5 months

Dale Peterson, I agree with your statement that “you are not getting risk reduction by having an asset inventory. It is a foundation that allows other controls.” These controls, like better segmentation and ensuring EDR on all endpoints, are what drive risk down. Basic security hygiene, such as changing default passwords, requires visibility. Visibility also drives awareness. I’ve observed that customers often lack the “evidence” needed to support discussions and decisions until they see their assets and gaps clearly. One recent customer even used this data to negotiate better security with vendors and system integrators. So, while I agree with your analysis, I believe visibility is crucial. We can debate what level of visibility is sufficient, depending on the company’s key mission metrics.

Donavan Cheah

CISSP | CRISC | OSCE3 & OSCP | GaTech Masters Student | Threat and Vulnerability Management | Pentester | Creator of Cybersecurity Card Game (Defend the Breach) | Vulnhub, ISACA and ISC2 Contributor | Mentor

5 months

Dale Peterson this is indeed an interesting perspective. To be fair it sounds more like systemic failures in the OT design and build phase since many of these systems would require certification (e.g. safety, functional), which would mandate an inventory list to begin with. Having said that, since the priority is indeed risk reduction, to what extent would you claim that a robust threat model, front-loaded, would be more effective in identifying key areas of risk to focus on, than conventional OT security dogma?

Sinclair Koelemij

Cyber-Physical Risk Expert | Founder Cyber-Physical Risk Academy | Consultant, Speaker, Trainer, Publisher | Operational Technology | Masterclasses | Training | 45+ years in process automation. OT security focus.

5 months

For protecting something, it makes sense to start with a risk assessment. A risk assessment helps identify potential threats, vulnerabilities, and the consequences of various risks. This process helps in prioritizing and implementing effective protective measures. By understanding the specific risks, you can allocate resources efficiently, develop targeted strategies, and mitigate potential harm more effectively. Without a risk assessment, protective efforts may be unfocused and less effective. Does a risk assessment require an inventory, and at what level of granularity? I believe this depends on the type of assessment (quantitative/qualitative) and approach (top-down / bottom-up). Where many choose the top-down qualitative approach, an accurate inventory is not required. The level of risk accuracy is not more than a subjective guess anyway. In more critical installations, requiring more accurate risk analysis, a good inventory is a must. Cutting corners is acceptable when consequence is low, because cyber risk translates into process safety risks. And history has taught that cutting corners in process safety is a bad practice. But of course we can also skip risk assessment and base our protection on what we think is enough.

Matt T

Senior Intelligence Coordinator | Former U.S. Diplomat | Former FBI SIA

5 months

I think it took off in popularity as a rhetorical question masquerading as a binary security indicator: “How can you secure your systems if you don’t even know what you have?!?!” People have probably heard that enough that it ends up seeming like the universal prerequisite for managing OT risk. Add in a sales pitch to meet that need, and it’s strong stuff.
