Nexus: A Claroty Podcast

Dan Ricci on OT/CPS Visibility and Risk Reduction

Claroty Season 1 Episode 134


ICS Advisory Project founder Dan Ricci joins the Nexus Podcast to discuss how to turn operational technology (OT) and cyber-physical systems (CPS) visibility into actual risk reduction. Dan describes the need to distinguish between asset lists and actual asset inventories, what those differences are, and how to make the most of the information made available. Device data such as firmware versions, protocol identification, and more are vital to other aspects of the OT and CPS protection program, including exposure management and segmentation initiatives.

Dan wrote more on this topic in this article: “From Inventory to Insight: Turning OT Visibility into Concrete Risk Reduction.”

This interview was pulled from Episode 4 of Nexus Digest



SPEAKER_00

All right, welcome to episode four of Nexus Digest. Dan Ricci, the founder of the ICS Advisory Project and a day-one Nexus contributor, joins us today. Dan and I are going to discuss an article he wrote recently titled "From Inventory to Insight." Basically, the article talks about how to leverage OT visibility to achieve concrete risk reduction. So it's great to see you, Dan. How are you doing?

SPEAKER_01

Doing well. Thank you, Michael. Great to be here.

SPEAKER_00

Yeah, thanks for giving me a few minutes. I'm glad the audience is going to get to hear from you on this. So let's talk about your most recent contribution. Really great stuff. It's going to be linked here in the video, and I urge everybody to read it and share it internally. There's a lot of valuable information in here. So basically, you start off talking about how a lot of organizations get these asset lists from their tools, whatever they might be, and they kind of think of that as an asset inventory, and you distinguish between the two. So tell me, and I think it's a good table-setter question: how do you view the two in terms of differences?

SPEAKER_01

Well, an asset list is your basic enumeration of your devices: the IP addresses assigned to those devices, if they're assigned static IP addresses; the physical location; the device type, whether it's PLC, HMI, historian; vendor; model. But when you start to get into the asset inventory side, that starts to have much more contextual data. Now we're looking at the firmware and software version associated with it. Are there specific vendor vulnerability advisories attached to it that are applicable to that asset? Have they been patched or not? What the patched assets are, or they're not going to patch it; that's fine too. What are the compensating controls that are in place to protect it? What is the communications relationship of that asset, the data flow between that device and the rest of the OT environment, whether it's communicating with another PLC or it communicates only directly with the SCADA server? Then you've got to look at what the criticality of that asset is. What's the process impact rating of it? Is it a crown jewel? Is it essential to the business industrial operations or not? Who's the owner of that asset, and who's the responsible party who maintains the operation and maintenance side, the process control engineer or instrumentation and control engineer that might be responsible for that device? What's the vendor support status? We talked about whether it's an end-of-life product. So if it's end-of-life, there's no longer patch support, or end of service, or that specific control system asset is no longer supported by the system integrator, or the company went out of business; that's very possible as well. And then, when was the last time that asset was seen on the network?
So there's a lot more to it than just having an asset device list. So hopefully that's a helpful distinction between the two pieces here.

SPEAKER_00

Yeah. And how good are existing tools at providing all that context? I mean, how much of that is automated versus manual, I guess is what I'm asking.

SPEAKER_01

A lot of it can be automated with a lot of the products that are out there. There are passive tools out there that can help do this asset identification, such as Wireshark and TShark. You can use NetworkMiner. These are all kind of open-source products that can help you start to build the asset list. And for the rest of the asset inventory data you'd want to bring into it, then you have tools that can help you start to identify the vendor vulnerability data. ICS Advisory Project supports it. You can use CISA directly, you can go to the vendor's website for the asset, if they still exist. Then you can also look at using the vendor to also help identify what the most current firmware version is that should be running on that software. Identifying it within your environment, you might be able to identify it through passive packet capture, full content, identifying the data flow between those networks. You can look at your flow data, and that can all be done passively using your existing network infrastructure. You can use the logs from your router. You can also look at your switch configurations. I mean, configuration analysis is very powerful in trying to fill these gaps and trying to provide that asset inventory picture. So, I mean, I could go on probably a lot longer about this.

SPEAKER_00

In the article, too, you referenced CISA's OT inventory guidance, and you mentioned that inventories should be organized, regularly updated, physically validated. How difficult are those steps, and how often are organizations actually going that extra mile, if it's an extra mile?

SPEAKER_01

I wouldn't be able to speak directly on how many asset owners are actually going in that direction, but I will say that CISA does a very good job providing the step-by-step guidance. Although it might be high level, it gives you a great starting point for building your asset inventory. I want to say it very much aligns with giving asset owners the foundational information to scope, you know, understand the objectives. A point that I really didn't touch on in the last piece was how do you identify your crown jewels? And a lot of that comes down to understanding what the risk to that specific asset is to your organization's or business operations.

SPEAKER_00

So that really becomes like a business impact discussion at that point.

SPEAKER_01

Yeah, yeah. I mean, it's classified by function and criticality. The CISA OT asset inventory guidance hits on it as hard as creating a taxonomy, right? Classifying by function and criticality. And then another piece is that asset inventories, and asset management in general, is a living document, it's not a static document. So you're looking at managing that data and implementing asset lifecycle management, tracking it to end of life.

SPEAKER_00

So once you have that inventory, give me some examples of what it can be used to enable in terms of the rest of the security program.

SPEAKER_01

Obviously, it's very foundational, and you probably can't start anything else without a decent inventory and visibility into what you have. But, I mean, the key point of having an asset inventory is understanding what your organizational risk is, and then how to defend it and how you can actively defend it, because now you have the ability to understand what the baseline configuration of those assets is. So if there is something that does occur in your environment, if that asset is manipulated in a way that is off its known baseline, you can identify that rather quickly. It helps tremendously in incident response, because that way you're able to really know for sure there was definitely a change made, but who made the change, what was... you could start to do the root cause analysis of understanding what happened, because based off of the known configuration, something happened on the device that tampered with the current configurations: a set point was changed, a connection or a configuration to devices that it normally does not communicate with is now communicating with it, or it's making connections out to a public IP when it should only be communicating on private IP addresses within the environment, or it's communicating with a device that it's never communicated with before. So having that asset inventory allows you to detect possible indications of compromise.

SPEAKER_00

And so just as a last thought, I mean, how continuous is this as a process, as an exercise? How do you keep it from being just a point-in-time thing that really isn't useful? Just give me some advice in that direction.

SPEAKER_01

I think that's more than just a technical challenge; it's a people and process challenge, right? Identifying those roles of responsibility that can enable and sustain the management of a solid asset inventory, leveraging technology to automate and reduce the amount of time it would take to gather and maintain, but also developing a schedule that would address what can't be covered by passive monitoring, like a physical inventory that's maybe done annually, to kind of help keep this alive over time. Also, some organizations contract out a lot of their ICS/OT asset operations and maintenance. So looking at their contract and seeing how that might help them maintain and track their asset inventory, and hit on maintaining baseline configuration information and ensuring that's documented, and maybe out of that they produce a file that can be integrated with the current asset inventory for management. It's the only way I think organizations could really stay on top and manage risk, because visibility only matters when it drives real and continuous risk reduction, right?

unknown

Right.

SPEAKER_01

For small and medium OT environments, security success isn't measured by how many tools they have deployed and how many assets are discovered. It's measured by whether risk is actually going down over time, right? And also, every alert, every scan on every asset should feed into their cycle of prioritization and action and validation. It kind of moves the organization from a posture of hope to one of resilience.

SPEAKER_00

And that's the goal, right? Resilience.

SPEAKER_01

Yeah, it's not... hope's not a plan. Yeah. But having a plan is key to being successful in recovery in a lot of these situations.

SPEAKER_00

All right, Dan. I think that's a good place to leave it. I want to thank you so much for coming on, and I appreciate the great work on Nexus as always.

SPEAKER_01

Likewise, thank you for that.

SPEAKER_00

All right, Dan, take care.