Skip to main content

ICS Asset Visibility: I Came, I Saw, I Conquered

Remember the saying "I came, I saw and I conquered?" I'm referencing Julius Caesar because it perfectly describes a hacker's method. The more a hacker understands a system, the quicker and more efficiently they can exploit it and potentially cause significant damage 

A notable example of a sophisticated cyber-attack is the infamous 'Stuxnet.' This computer worm targeted machines running Microsoft Windows systems and networks, specifically seeking out Siemens Step7 software. Without prior knowledge of their systems, conducting such an attack would've been impossible. 

Therefore, to protect your systems from similar assaults, you should think like a hacker. Familiarize yourself with every aspect of your systems and understand their vulnerabilities.  

In most industrial processing environments, the responsibility of maintaining cybersecurity falls on the automation systems maintenance engineer. Unfortunately, these engineers are often uninformed about the specifics of cybersecurity. This leads us to a critical question; Why is it necessary for the person overseeing automation systems' cybersecurity to comprehend and oversee all automation assets?  

For instance, consider a standard processing plant comprising various control systems, including Distributed Control Systems (DCS) and Programmable Logic Controllers (PLCs). A well-run plant should operate continuously, undergoing significant maintenance every two years. There's often a mentality of "if it's not broken, don't fix it," which can lead to inactive hardware being overlooked. In fairness, the number of maintenance engineers at such plants is usually quite small, so it's easy to rationalize this thinking 

Furthermore, renovation and modernization activities over time can create a heterogeneous environment of series, models and system types from various manufacturers. I've encountered situations where outdated cards weren't removed post-migration to newer ones. With time, and due to employee turnover, the knowledge of these systems can get lost, thus increasing system vulnerability.  

Adversaries can and will seek out information about your control system assets to find exploitable weaknesses. If you lack access to the same information, managing your assets and addressing vulnerabilities becomes substantially difficult 

Some might argue that many DCS Original Equipment Manufacturers (OEMs) provide software to log control assets. However, most don't present a simple representation of the interconnectedness of these assets, especially across systems of different brands. There is always room for improvement, although they have evolved over time. But Hexagon's PAS Automation Integrity™ stands miles ahead in this regard.  

Another important consideration is that OEMs usually announce vulnerabilities associated with their hardware publicly but generally don't alert their customers directly. Consequently, it becomes invaluable to maintain a report listing assets with known vulnerabilities and their connections to other assets. This will allow for cautious replacement or removal.  

Today, I'm pleased to say that all this and much more can be achieved using Hexagon's PAS Automation Integrity. Therefore, take the initiative and take stock of your control systems before someone else does!


Ready to learn more? Discover What's New in OT/ICS Cybersecurity.

About the Author

Anshul Agarwal is working as Strategy Enablement Consulting Lead at Hexagon, India. Anshul brings 12 years of industry experience in Automation, Digital Transformation, Vendor Management & Stakeholder Management. He designed and led implementation of latest Cyber Security practices in control systems across power plants. He also contributed to standardize practices for the first Indian Manual for Cyber Security in Power Systems with India Smart Grid Forum (ISGF). He has led Digital Transformation initiatives in various domains viz. Predictive Analytics & Diagnostic Advisory System, Techno-Intensive Physical Security Systems, Asset Management – IIoT, Connected Worker, Smart Documentation, 3D Modelling and Simulators. He also has been instrumental in creating and managing an Innovation Program for Asset Lifecycle Intelligence Strategy & Services division at Hexagon, India. Anshul holds a bachelor’s degree in Electronics Engineering from Indian Institute of Technology (IIT)-BHU, Varanasi, India and has completed Post Graduate Program (PGP) in Management from Indian School of Business (ISB).

Profile Photo of Anshul Agarwal