Articles & Blogs

Industrial control systems (ICSs) interact with and automate thousands of variables to control dangerous processes that commonly use high temperatures and volatile raw materials to produce the final output. The safety and reliability of these systems are paramount to meeting the industrial facility’s health, safety and environmental (HSE) objectives, securing efficient production and reaching the goal of no unscheduled outages.  
 
These systems were never designed to be cyber-secure and for decades, were considered air-gapped and unreachable by cyber attackers. That is no longer the reality. With the adoption of digital transformation technologies to increase efficiency and lower costs, industrial facilities are now connected to cyber and physical systems. Asset owners and operators are, therefore, operating a “connected plant” and know that their critical systems are vulnerable to cyber-attacks but are often unable to pinpoint where the greatest risk exists. With the continuous drip of successful attacks on critical infrastructure making headlines, risk management has become a common topic in boardrooms around the globe. This has increased pressure on security and operations teams to ensure that defenses are put in place. Should a successful attack occur, the consequences will be minimized to an acceptable level. 
 

The foundation to any operational technology (OT)/ICS cybersecurity program is a full, in-depth asset inventory, which must include all the details of what systems and endpoints are running in the industrial environment. You must be able to “see it” before it can be fully protected. As unique as control system logic can be across various sites, asset inventory comes in many different shapes and sizes. 
 
To effectively use asset inventory information throughout a cybersecurity program, knowing that a distributed control system (DCS) is communicating with a programmable logic controller (PLC), or a server is talking to a switch is not adequate to reduce risk to an acceptable level. This level of detail can be easily achieved by monitoring and analyzing the network traffic to build a skeleton inventory registry. This method provides a detection benefit but is also limited in that it can only provide cursory asset inventory information down to Level 2 of the Purdue Model and, therefore, does not achieve a full inventory. This method also cannot detect most endpoints and associated components at Level 1 and Level 0. This is in addition to “isolated” assets operating in a closed network that are still susceptible to attacks from witting or unwitting insider threats.  
 
What does an in-depth asset inventory look like?  
 
 
The technology must be able to provide detailed asset information, including the manufacturer, model, version and serial number for every piece of hardware, firmware and software, whether connected to the network or not, across the industrial control system environment. To reduce cybersecurity risk in an ICS environment, asset inventory information must encompass every DCS and controller, input/output (I/O) cards, communication modules and the version of the software/firmware loaded into each of these devices, as well as the same level of detail for PLCs, safety instrumented systems (SIS) and human-machine interfaces (HMIs), etc. The only method to achieve this level of visibility is to collect and analyze the native control system configuration files, which will enable you to confidently answer the important questions that are common in vulnerability management, asset lifecycle management and asset migration planning, including: 
 
▶ Do I have that asset? 
▶ How many are in the ICS environment? 
▶ Where are they? 
 
In Hexagon’s experience, working with customers around the globe, we have typically seen far more than 200 components per DCS, more than 45 for an SIS and more than 40 for PLCs. Additionally, for each computer, engineering workstation, operator station, etc., there may be considerably more than 450 inventory items. For refineries specifically, it’s common to identify more than 6,000 inventory endpoints that must be managed and protected from cyber threats.

If you are seeing less than the metrics above for your inventory, or do not have an automated method in place to capture this level of visibility, now is a great time to evaluate inventory capture methods for improving your OT security program in 2024.