What is OT/ICS asset management? - YouTube
Channel: Langner Group
What is OT asset management? What does it do for you, and how is it different from IT asset management? I'm Ralph Langner, and I'll get you up to speed about OT asset management in this video.

OT asset management is sometimes viewed as one of the more boring subjects in industrial automation. The idea of maintaining an inventory of your OT devices, worst case done manually and involving periodic walk-downs and inspections, is anything but thrilling. But that's an antiquated idea of asset management. Today, all asset discovery is done automatically, and the resulting data can be searched and analyzed easily. What asset management really does is give you a ton of valuable data about your OT infrastructure that makes it much easier to maintain, protect and troubleshoot your systems. It eliminates guesswork and lengthy investigations about the actual configuration of OT assets, from firmware versions to VLAN IDs, be it for the purpose of system maintenance or for cyber security. And that's where the real value of OT asset management comes in: proper operation, maintainability and cyber security posture of OT assets depend on multiple variables such as software and network configuration details. Making this information easily accessible and subject to automated processing is the purpose of an OT asset management system. Thereby it makes engineers, maintenance specialists and cyber security experts more efficient.

For practical purposes, the best way to define an OT asset is a digital OT device such as a PLC, RTU, sensor, actuator, network switch, operator panel and so forth. An asset inventory, which is the centerpiece of asset management, stores all the data that is available for OT assets. This data includes hardware make and model; serial number; hardware configuration, such as I/O modules connected to a PLC's backplane; software configuration, including firmware or operating system version; hardware and software lifecycle status; installed applications, software components and security patches; known cyber security vulnerabilities; physical location of a particular OT asset, such as site, building, floor, room or cabinet; a brief description of what the asset does; association with a particular OT system, such as a production line or distributed control system; user-defined tags; network connectivity; and several other properties.

In the OT-BASE OT asset management system, all this information is readily available for any asset by double-clicking on an entry in the device inventory, or by inputting the IP address of the asset in the quick search field. Asset data can also be accessed by other software applications via a REST API.

Most OT asset data can be obtained automatically. This is accomplished by querying devices on the network using standard industrial protocols such as EtherNet/IP, Modbus or PROFINET. Each of these protocols comes with commands to query device identity and configuration, a fact that is widely used by software products from the large automation vendors. If you are familiar with passive scanning products, you will notice that their discovery process is different because it relies on hardware appliances and real-time network traffic analysis. This approach is not used by the OT-BASE OT asset management system, and I'll explain the differences in another video.

The OT-BASE OT asset management system discovers assets actively, using a dedicated software component which is called OT-BASE Asset Discovery. This software, which technically is a Windows service, usually coexists with other applications, for example on engineering stations. Waking up every 24 hours, it periodically pulls hardware make and model, serial number, hardware configuration, software configuration and network connectivity from the networks that it is connected to, which can be local or remote. This basic asset information is then passed via the network to the OT-BASE Asset Center software, where it is consolidated and made available to users and other software applications. The consolidation process may be quite complex if you consider multi-homed devices that are discovered using different protocols in different networks. However, that's something that the user doesn't need to be concerned about; it all happens behind the scenes.

Knowing about IP addresses, hardware make and model, network topology etc. of your OT assets is nice, but it gets so much better with data enrichment. This is metadata that is attached to the core set of asset information. The result is what we call a deep asset inventory, as opposed to a flat one that only contains the bare minimum of technical data. Data enrichment makes an asset inventory so much more valuable because metadata is the glue that ties assets to use cases. There are two sources for this metadata: first, automatic import and linkage; second, user input. Perhaps the most important example for automatic import and linkage is known vulnerabilities for your installed base. The OT-BASE OT asset management system automatically downloads CVE data from NIST and matches it against your installed hardware and software products, taking into account any installed security patches. Other metadata that is provided automatically is product lifecycle data for popular software and hardware products, and vendor links that allow you to navigate to the vendor's product landing page with a click of the mouse.

When it comes to user-provided data, think about device descriptions, user-defined tags or criticality ratings that add tremendous value to your asset inventory. However, the most basic and most valuable item in this context is the physical location of a device. Imagine an asset management system that will tell you all kinds of technical details about a particular asset, but not its exact location. That would be pretty much useless, wouldn't it? In the OT-BASE OT asset management system you can even go further and pinpoint an asset's micro location, such as a specific building, floor, room or cabinet. A location can also be enhanced with additional metadata, such as a picture or an interactive floor map.

Here is one of the most interesting aspects of OT asset management: no matter if you are a control engineer, an OT security expert or a maintenance specialist, a solid OT asset management system is almost guaranteed to make you more efficient. That is, at least if your OT infrastructure is of a decent size, with hundreds of networks and asset numbers in the five or six digits. For engineers and maintenance experts, the asset management system helps with change management, lifecycle management and troubleshooting. Consider for example use cases in plant planning. When you are planning a new production line, you can have OT-BASE produce a baseline specification for the equipment for this new line with just a few mouse clicks, by cloning the OT configuration of an existing line and simply changing the details that are different. You can then export this baseline as an Excel file and provide it to the respective vendor or OEM. You can monitor progress by comparing the spec against the actual installation. You can streamline the factory and site acceptance tests by having OT-BASE inform you about any discrepancies between spec and real life.

When you think about lifecycle management, wouldn't it be great if you could see right away which hardware and software products that you are using for critical functions will become obsolete within the next 12 months or so? While you may be able to collect this information from vendors' websites, the OT-BASE OT asset management system includes this data from many vendors and exposes it automatically for your installed base.

For system maintenance experts, the OT-BASE OT asset management system provides answers to questions like these within seconds: When was the firmware version changed for that PLC, RTU or network switch that has been causing problems since last week? How is the digital configuration of this malfunctioning machine different from the similar one that runs flawlessly? Or, are there any known problems with other devices of the same type, or with other installations of the software or firmware version?

Cyber security has become such an important use case in its own right that I will discuss it in a little bit more depth. When viewed in the context of the NIST Cybersecurity Framework, the role and value of asset management for OT security is predominantly about prevention. An OT asset management system helps you to identify insecure endpoints, for example those with poor patch status and lots of particular vulnerabilities. It also allows you to identify automation equipment exposed in the enterprise network or on the internet. And finally, it helps you to rank systems with known vulnerabilities by their risk score, which can be derived from the criticality of an asset and its network exposure. The proactive nature of OT asset management is highlighted by the use of configuration baselines and compliance metrics. Think of a configuration baseline as a standard configuration that your organization has defined for typical system types such as HMI stations. Baselines allow engineers and administrators to define how systems should be configured, for example which operating system or firmware version should run on given assets. Based on this information, the asset management system can easily point out any discrepancies that call for mitigation.

Asset data and metadata are also critical components for threat hunting. Let's assume that your SIEM has detected some funny network traffic going to IP address XXX. This information doesn't give you much to work with without any additional data on what the device is, such as a PLC or engineering station, and maybe additional items such as criticality, location and known vulnerabilities. This is usually called contextualization or data enrichment of observables.

Finally, let's break down how OT asset management is different from IT asset management, and why you can't use IT asset management systems for OT. IT professionals have been doing asset management for decades, so it would seem natural to simply extend or copy approaches and products used in the IT domain. However, it has never worked. Here are the most important reasons why.

Network architectures and IP address schemes are different. It is not uncommon in OT to find substantially more complex network architectures than in IT. Many devices are homed in more than one network. Network addresses are sometimes reused in different subnets, making it impossible to use IP addresses as identifying attributes for a device.

Next, common IT protocols such as SNMP are not sufficient to discover most OT devices. Instead, industrial protocols such as EtherNet/IP, PROFINET, Modbus, SERCOS, ControlNet and others must be used, but these protocols are not available in IT asset management systems.

Ownership profiles of OT assets are also different. In IT, it is assumed that an asset has a single owner. This assumption doesn't hold for most OT assets. For example, an HMI station or a PLC usually is not owned by a single person but by a team or even a whole department. As a result, a dedicated OT asset management system is required to do the job. Having said that, data sharing between the OT asset management system and other IT applications and platforms is easy once the asset information is consolidated and normalized by the OT asset management system.

Let's sum it all up. Due to growing digital complexity in industrial automation, OT asset management has become a basic necessity for every asset owner. It allows engineers, administrators and cyber security experts to command tens of thousands or even hundreds of thousands of OT assets by accurately keeping track of asset properties. Elaborate search queries, analytics and the ability to attach user manuals and other files to devices boost engineering and maintenance efficiency. The ability to share asset details with third parties such as vendors, OEMs and contractors is an added benefit. A major push for OT asset management comes from cyber security, because you obviously can't protect what you don't even know exists in the first place. Unless details about network topology and installed hardware and software product versions are available, systematic efforts to raise cyber security posture are impossible. When it comes to threat hunting, the asset management system provides context for IP and MAC addresses, which is sometimes the only information a SIEM would otherwise have.

If you want to learn more about how your organization can benefit from OT asset management, get in touch with us using the contact form on our website.
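The following Python sketch is an added illustration, not part of the video and not OT-BASE code. It models several points the video makes: device identity keyed on make and serial rather than IP, so that the same IP reused in a different subnet resolves to a different asset; advisory matching that takes installed patches into account; a risk score from asset criticality and network exposure; reporting of discrepancies against a configuration baseline; and contextualization of a SIEM observable (network, IP) with asset data. Every vendor, model, patch and advisory identifier below is a constructed placeholder, and the zone weights and scoring formula are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data throughout; vendor names, models, patch ids and
# advisory ids are placeholders, not real products or CVEs.

@dataclass(frozen=True)
class Interface:
    network: str  # named network the interface is homed in
    ip: str

@dataclass
class Asset:
    serial: str
    make: str
    model: str
    device_type: str   # "PLC", "HMI station", ...
    firmware: str
    location: str      # site / building / floor / room / cabinet
    criticality: int   # user-provided metadata, 1 (low) .. 5 (high)
    interfaces: list
    patches: set = field(default_factory=set)

    @property
    def asset_id(self):
        # Identity is make + serial, never the IP address.
        return f"{self.make}:{self.serial}"

# Assumed zone of each named network, and how exposed each zone is.
NETWORK_ZONES = {"cell-a": "control", "cell-b": "control", "plant-dmz": "enterprise"}
ZONE_WEIGHT = {"control": 1, "enterprise": 2, "internet": 3}

# Constructed advisory records in the shape a CVE-feed match would produce.
ADVISORIES = [
    {"id": "ADV-0001", "make": "ExampleVendor", "model": "PLC-100",
     "affected_fw": {"2.0", "2.1", "2.2"}, "fixed_by_patch": "HF-2021-1"},
    {"id": "ADV-0002", "make": "ExampleVendor", "model": "HMI-200",
     "affected_fw": {"9.5"}, "fixed_by_patch": "HF-2022-7"},
]

# Organisation-defined standard configuration per device type.
BASELINES = {"PLC": {"firmware": "2.3"}, "HMI station": {"firmware": "10.0"}}

class Inventory:
    def __init__(self, assets):
        self.assets = {a.asset_id: a for a in assets}
        # Address index keyed on (network, ip): the same IP may be reused in
        # different subnets, so the IP alone does not identify a device.
        self.by_address = {}
        for a in assets:
            for itf in a.interfaces:
                key = (itf.network, itf.ip)
                if key in self.by_address:
                    raise ValueError(f"address {key} already assigned")
                self.by_address[key] = a.asset_id

    def lookup(self, network, ip):
        aid = self.by_address.get((network, ip))
        return self.assets.get(aid) if aid else None

def open_vulnerabilities(asset, advisories=ADVISORIES):
    """Advisories matching make/model/firmware whose fixing patch is absent."""
    return [adv["id"] for adv in advisories
            if adv["make"] == asset.make and adv["model"] == asset.model
            and asset.firmware in adv["affected_fw"]
            and adv["fixed_by_patch"] not in asset.patches]

def exposure(asset):
    """Highest zone weight over all interfaces; unknown networks count as worst."""
    return max(ZONE_WEIGHT.get(NETWORK_ZONES.get(i.network), 3) for i in asset.interfaces)

def rank_by_risk(inventory):
    """Assets with open vulnerabilities, scored by criticality x exposure."""
    scored = [(a.asset_id, a.criticality * exposure(a))
              for a in inventory.assets.values() if open_vulnerabilities(a)]
    return sorted(scored, key=lambda t: t[1], reverse=True)

def baseline_discrepancies(inventory, baselines=BASELINES):
    """(asset_id, attribute, actual, expected) for each deviation from baseline."""
    out = []
    for a in inventory.assets.values():
        for attr, want in baselines.get(a.device_type, {}).items():
            have = getattr(a, attr)
            if have != want:
                out.append((a.asset_id, attr, have, want))
    return out

def contextualize(inventory, network, ip):
    """Enrich a SIEM observable (network, ip) with asset context."""
    a = inventory.lookup(network, ip)
    if a is None:
        return {"known": False, "network": network, "ip": ip}
    return {"known": True, "asset_id": a.asset_id, "type": a.device_type,
            "location": a.location, "criticality": a.criticality,
            "vulnerabilities": open_vulnerabilities(a)}

def sample_inventory():
    return Inventory([
        Asset("SN-0001", "ExampleVendor", "PLC-100", "PLC", "2.1",
              "Site1/B2/F1/R101/Cab3", 5,
              [Interface("cell-a", "192.168.1.10"), Interface("plant-dmz", "10.10.5.10")]),
        # Same IP as the first PLC, but in a different subnet; patched.
        Asset("SN-0002", "ExampleVendor", "PLC-100", "PLC", "2.1",
              "Site1/B2/F1/R102/Cab1", 3,
              [Interface("cell-b", "192.168.1.10")], patches={"HF-2021-1"}),
        Asset("SN-0003", "ExampleVendor", "HMI-200", "HMI station", "9.5",
              "Site1/B2/F1/R101/Desk", 2, [Interface("cell-a", "192.168.1.20")]),
    ])

if __name__ == "__main__":
    inv = sample_inventory()
    print(contextualize(inv, "cell-b", "192.168.1.10"))
    print(rank_by_risk(inv))
    print(baseline_discrepancies(inv))
```

Running the script shows the reused address 192.168.1.10 resolving to two different assets depending on the network it was observed in, the patched PLC dropping out of the risk ranking even though it runs the same firmware as the unpatched one, and every asset whose firmware deviates from its type's baseline being listed for follow-up.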