Know Your System!
This article is part #1 of a series of articles in which we share our knowledge and advice on the topic of industrial security.
"Know your system! You can't secure what you don't know." This is the first axiom we normally hear when we start our journey as cyber security professionals. It is also a required security control in most security standards and best practices, such as NIST CSF, IEC 62443 and the ISO/IEC 27000 family. This is also why we see an increasing focus on asset inventory and asset management functionality in the market today.
But will having an asset inventory really help you secure your systems? Sure, you will know what kind of assets constitute your system, often a combination of HMIs (Human-Machine Interfaces), PLCs (Programmable Logic Controllers) and computers, and whether they are vulnerable to cyber threats. That information is usually presented as a list of single components.
Is an identified PLC with its associated vulnerability really important to your most valuable process? We can tell it is a PLC, but what function does it really have in one of your company's processes? What impact can a potential exploitation of a vulnerability in this PLC have on your business objectives? These are highly relevant questions that we need answered before we can prioritize mitigating measures. Looking at several industrial sites that have been impacted by malware in the last few years, there was no direct threat to the physical process. But due to uncertainty, the process was shut down to prevent the possibility of negative business impact. Could we have prevented this unnecessary halt of production?
That depends on who we ask and what information is available. System operators may recognise a device based on an IP address or location, and they will instantly know the device's function in the system that enables a given process. On the other hand, if we ask the security analysts tasked with securing the same systems, they won't really know the device's function or its importance in the bigger picture. They will only know that it is a device and that it is vulnerable.
This is what we call the IT / OT (Information Technology / Operational Technology) divide: two disciplines with different perspectives but a common goal and mission, wasting limited time and resources by not collaborating and by not having the right tools to share critical information and knowledge in an efficient way.
Let's imagine that we have a system that shows not only what a device is (HMI or PLC), but also which process this device is a part of, and how important that process is for the company and the company's business goals. With that information in your pocket, would you be able to do a better job of securing the devices you are responsible for?
Following this mindset of seeking more knowledge of and visibility into our systems opens up a whole new world of potential use cases that can vastly improve existing security procedures and processes, many of which we conduct today in a suboptimal way.
Stay tuned for the next articles!
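To make the idea concrete, here is an added example (not code from the original article) of what such a process-aware inventory could look like in practice. It ranks vulnerable devices by business impact, meaning vulnerability severity weighted by the criticality operations assigns to the process the device enables, instead of by severity alone. Devices whose process is unknown cannot be scored at all and are set aside for an operator to classify, which is exactly the gap between the operator's and the analyst's view described above. All device names, IP addresses, process names, vulnerability identifiers and scores are constructed for illustration; none refer to real products or real vulnerabilities.

```python
"""Added example: a process-aware asset inventory used to rank vulnerable
OT devices by business impact. All names, addresses, identifiers and
scores below are constructed for illustration (none are real CVEs)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Vulnerability:
    vuln_id: str      # hypothetical identifier, not a real CVE
    severity: float   # 0.0 - 10.0, CVSS-like base score


@dataclass
class Asset:
    name: str
    kind: str                        # "PLC", "HMI", "Computer", ...
    ip: str
    process: Optional[str] = None    # process the device enables, if known
    vulns: list = field(default_factory=list)


# Process criticality as the operations side would rate it: 1 (low) .. 5 (critical).
# Constructed sample values.
PROCESS_CRITICALITY = {
    "boiler-control": 5,
    "packaging-line-2": 2,
}


def risk_score(asset, criticality):
    """Worst vulnerability severity on the asset, weighted by the
    criticality of the process the asset belongs to."""
    if not asset.vulns:
        return 0.0
    worst = max(v.severity for v in asset.vulns)
    return worst * criticality[asset.process]


def prioritize(assets, criticality):
    """Return (ranked, unmapped).

    ranked:   list of (asset, score), highest business risk first.
    unmapped: vulnerable assets whose process is unknown or unrated.
              They cannot be scored and should go to an operator for
              classification before anyone decides to patch, isolate
              or shut anything down."""
    ranked, unmapped = [], []
    for asset in assets:
        if asset.process is None or asset.process not in criticality:
            if asset.vulns:
                unmapped.append(asset)
            continue
        ranked.append((asset, risk_score(asset, criticality)))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked, unmapped


def build_sample_inventory():
    """Constructed sample inventory, as an asset discovery tool might
    produce it after being enriched with process context."""
    return [
        Asset("PLC-01", "PLC", "10.0.1.10", "packaging-line-2",
              [Vulnerability("VULN-A", 9.8)]),
        Asset("PLC-02", "PLC", "10.0.1.11", "boiler-control",
              [Vulnerability("VULN-B", 6.5)]),
        Asset("HMI-01", "HMI", "10.0.1.20", "boiler-control", []),
        Asset("PLC-03", "PLC", "10.0.1.12", None,
              [Vulnerability("VULN-C", 7.2)]),
    ]


if __name__ == "__main__":
    ranked, unmapped = prioritize(build_sample_inventory(), PROCESS_CRITICALITY)
    for asset, score in ranked:
        print(f"{asset.name:8} {asset.process:18} risk={score:5.1f}")
    for asset in unmapped:
        print(f"{asset.name:8} process unknown: ask operations before acting")
```

Run on the sample data, a severity-only view would put PLC-01 (score 9.8) at the top; the process-aware ranking puts PLC-02 first, because a medium-severity flaw in the boiler control process outweighs a critical one on a low-criticality packaging line. PLC-03 is vulnerable but has no known process, so it is reported separately rather than silently scored low or high.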