Inventory in OT - No device may remain undiscovered
In previous blog articles we covered the importance of gaining an accurate overview of your OT environment through a device inventory, as well as using structured OT vulnerability management techniques. Here, we applying both of those concepts to different types of OT devices.
OT devices include all endpoints that communicate internally or externally, whether it's a handheld scanner or a multi-million dollar piece of
production equipment. Capturing, categorizing and inventorying every single endpoint is one of the bigger challenges in OT. Endpoints often
include an eclectic or even exotic mix of systems and sometimes very old applications and operating systems.
So which endpoints are in use and how should they be inventoried?
Industrial PCs or Windows computers:
Here it is important to collect software and hardware information centrally and update the data regularly. Only by knowing the specifics of your installed hardware and software from an endpoint inventory can you plan for updates that offer greater security, added features or higher performance. Older systems that need to remain in operation can at least be compartmentalized to decrease their security exposure until updates or replacements can be installed. Outdated software poses security risks that require prompt attention. Regularly patch your operating system, as well as specialized and other installed software.
The share of mobile devices for controlling production machines and robots is continuously increasing. Android-based handheld devices for logistics and intralogistics also are being used more frequently because they are flexible and relatively inexpensive. When delivered, such devices may still have access to device settings and Google Play store enabled. It’s important to inventory these devices to determine their configurations and installed apps until you can enroll and configure them for Android Dedicated Devices/COSU to limit them to their intended use.
Routers from different suppliers are often installed in a production facility to give the manufacturer remote maintenance
and settings access. Do you know which routers are used in your network and what their settings are?
In addition, there is an infinite number of other endpoints at your site that can be detected via SNMP. Switches and printers are common examples that rarely get attention during a network inventory. With no visibility for these devices you won't be able to identify authorized or unauthorized devices, those that need updates or that you should otherwise check more closely. Scan your network environment regularly for SNMP devices.
Programmable logic controllers:
Here’s where you’ll most frequently find outdated firmware. As a rule, the operating systems of controllers are rarely if ever updated. Often, the company maintenance department, a third-party contractor, or the machine manufacturer itself is entrusted with updates and maintenance. But that does not mean you can overlook or assume that security on these endpoints is already taken care of. To drive that point home, the bad guys are also aware of the state of controller firmware. In fact, the number of cyberattacks via controllers and remote maintenance access channels is growing and will continue to increase along with networked production. Here again, know the status of what is installed on your network at all times.
There are very many different types of endpoints, each of which have different inventory requirements. If you’re not inventorying and
managing them comprehensively then you're leaving a variety of vulnerabilities exposed. Ideally, you should capture and inventory all endpoints in one secure, centrally
managed system and keep it up to date.
By the way, the pitfalls of not maintaining a comprehensive and current inventory of OT endpoints are not limited to cybersecurity. For example, not knowing the status of software licenses could making software audits painfully time-consuming and expensive.
Let us know if you’d like some guidance or assistance with production network endpoint inventory. We are happy to help!