Skip to main content

OT/ICS Cybersecurity

Industrial Control System Asset Visibility: Protecting More Than 1%

Author Iain Wallace

If you don’t know what you have, you can’t look after it properly. This is what happened to the British Museum in London. According the BBC, over a 30-year period, an employee of the museum is alleged to have stolen up to 2,000 artifacts from storage, either damaging them or selling them on eBay. The museum failed to notice that the items, which were not on display, were missing. Many were not in the catalog, or the catalog was altered to hide the evidence.  

It seems unbelievable that they could have missed all these thefts for so long, but the British Museum holds eight million items. Imagine having to look after them all! In many industrial facilities, it is a similar story. Automated control systems look after thousands of interconnected digital assets, each of which has configuration information ranging in complexity from a few values to programs and large datasets. For both the museum and industrial facilities, it would be ideal to automate inventory gathering and asset management. 

The British Museum only displays about 1% of its collection at any given time. The rest is in storage. When staff members continually remove, work with and return items to storage, it is difficult to prevent theft. This is a problem in industrial facilities, too. However, for assets connected to industrial control systems, a faulty, missing or powered-off asset should be detected, e.g., by digital status values or by zero current in 4-20 mA wiring. 

Another advantage of automating inventory is that industrial control systems can then be regularly backed up using the configuration files, saving all the information about assets, including their interconnection and configuration. The control system should be able to recover from backup in the event of, for example, a complete loss of power. Hexagon’s PAS Cyber Integrity® software uses all the relevant information from these backups to build a model of the industrial assets. It combines these with information from IT devices like computers, switches, routers and firewalls to build a multi-vendor comprehensive asset inventory for industrial sites covering Purdue Levels 0 to 3.5. This inventory is evergreen since it is regularly updated whenever new backups are available.  

Cyber Integrity provides a consistent way to manage the configuration of industrial and IT assets through a single pane of glass. Our customers benefit from vulnerability and patch management, policies and compliance to protect their assets from cyber threats. With the automated asset visibility and management from Cyber Integrity, our customers are not facing such a massive challenge as the British Museum. It’s good to be vigilant, as we could all do with less worry in our lives. 

About the Author

Dr. Iain Wallace is a Senior Solution Consultant with Hexagon. In his current role, Iain supports customer projects, capturing requirements and providing training and demonstrations of Hexagon's ICS cybersecurity and operations management solutions. Iain began his career in the nuclear industry (UKAEA and Scottish Nuclear) doing mathematical modelling, shielding and criticality before receiving his PhD at Heriot-Watt in chaos theory and nonlinear optics. His experience spans engagements with global companies in the areas of research, consulting and solution design for Sword, Amor Group, Lockheed Martin and Leidos in addition to Hexagon. Outside of work you can find Iain paragliding, cycling or playing piano.

Profile Photo of Iain Wallace
Follow on Linkedin More Content by Iain Wallace