DefenderSphere

A lot of people might question why foundational technologies aren’t in the center. It’s because they are only part of the solution, and because the OEMs bring them in to solve a particular problem. Most OEMs don’t even fully disclose exactly what they pull in from this section and the components will be obfuscated as “firmware” or whiteboxed with the OEMs’ name. This isn’t a judgement or even a bad thing, it just is what it is. As the industry has evolved to ask better questions, the OEMs are becoming more transparent. However, as the foundation is updated, the asset owners need to know what they are up against, and so finding a solution that peels back the layers to get at the foundational components is required to help manage this piece of the pie.

This is often a complex discussion between the OEM, VAR, integrator, and/or the customer. As we have some former asset owners and OEM members on our team, and often have to dance between these groups as we do Industrial Defender implementations, we are all too familiar with the complicated dance that can happen here. It is also why it is its own category and not under Foundational Technology. This space is often complicated by the most basic question — “who’s responsibility is it?”. This can range from anyone I’ve already mentioned or even 3^rd party service providers. To make matters even more complicated, it is often handled through a combination of responsibilities, where the system builder will furnish and manage the “weird stuff” that runs the industrial protocols, the customer will manage the edge switching infrastructure, and a 3^rd party will manage all the routers and firewalls. Getting a complete understanding of your risk profile in this situation is very hard to manage, and really requires the ability to get them all into single console to keep up with them, and for the asset owner to hold everyone accountable.

These providers often play a critical role in the intermix between the previous three sections and those that follow. Asset owners often rely on them to fill in the blanks and guide them through these complex integrations. They can be valuable partners to help reduce complexity, but again the asset owner is always ultimately accountable for the risk at the end of the day and finding solutions that create transparency is critical in having meaningful conversations with these partners.

The rest of the categories we are going to go through in order of the CIS Top 20 Critical Security Controls. We’ve long been supporters of this methodology to “get security done”.

Simply put, asset visibility is the beginning of any well run security program. There is not a complete control frame work on earth that does not agree this is a must, and a very early must. You simply can’t manage what you can’t see. Passive is not enough. Agents are not enough. Python scripts of ping sweeps are not enough. It also doesn’t end with just an IP address or the hardware device itself. You need to understand the software on the device. One without the other is just half a solution. That is why when you are looking at solutions, finding one that has the most comprehensive asset identification technology is key.

This is about being able to help identify known vulnerabilities. A good solution addresses vulnerabilities and not just patches. In the ICS world it also needs to do this passively and support technology that is much older than most commercial IT vendors are willing to support. It’s even harder when they bring a cloud requirement that is violating your hard fought ISA-99 implementation and are initiating layer 5 connections down into layer 2. This isn’t just a patch management discussion either, as often that’s a no-go. It’s about understanding your total risk picture and making sense of it in a straightforward way. Again, the goal here is to find a partner that understands these complexities, has the trust of the OEMs or the ability to gain it, and can give the asset owner transparency into what’s really there and what’s available.

Some might argue there is no difference between asset visibility and asset management. But there is, and it’s about setting standards and monitoring against them. Asset Management means you can easily run reports to see your progress or lack of it. Asset Management also means assigning ownership, maintaining it, and making it easily accessible. You’ll need asset management when your SOC (internal or 3^rd party) gets an alert they don’t understand or need to take action on so they can easily identify who and how to contact the right people as quickly as possible.

Some might argue that these are two different things, and they wouldn’t be incorrect. At this point, however, these controls need to be running in parallel. Again, this can be really complex to manage between all the different players in the ICS world. It’s also a place where traditional vendors struggle to support ICS in the long run. One example is still having to support Windows XP in today’s environments. Understanding true long-term support performance vs promises and breadth of coverage for both endpoints and account management systems is important. Also, when it comes to access management, breadth of integration support is very important.

It might seem weird that security hasn’t been mentioned until now, but it’s an order of operations thing. The power of these solutions is only unlocked when you’ve done the basics. Having intel without the ability to apply it makes little sense. If you can’t search your environment for the existence of the indicators, you haven’t really accomplished much.

ITSM will see a lot of overlap from a vendor perspective. However, this is more about the other features of the IT Service Management than just Asset Management. It’s about the next phase of leveraging the Asset Management data and then tying into other systems from patching to change management to work tickets. Rightsizing and ecosystem integration are key values here. Why force yet another tool into your plants or risk a vendor issue when you can use a tool that’s already there, and then have it integrate up as needed.

These vendors can really help you take your program to the next level. They play an important if tangential role and will really help close any of the loose ends in your program.