You can’t manage what you can’t see. In many manufacturing operations, new equipment gets added over time, bringing in new connections – wired and wireless. It is easy to lose visibility of the myriad connections – any one of which could be the vulnerability that gets exploited in a breach.
Most activities which seek to improve the resilience of the operational technology (OT) infrastructure start with a thorough inventory (scope) of what’s there. A good inventory establishes not only what devices and connections are present, but their purpose and their relationships to other devices.
There are software tools which can help with this and which are routinely used in IT environments. This is a good time to seek out advice and work together with your IT team. They may be familiar with some of these tools, or be able to get information on what is available and how they work. These tools may not be familiar to the OT engineers, who are perhaps rightly suspicious of introducing tools that could interfere with the steady-state operation of their environment.
This can be a great opportunity for a win-win situation, as long as the participants take the time to educate each other about the context that comes with it.
Some of the tools are simple, open-source and non-invasive/non-disruptive because they only listen to traffic (such as Wireshark). The more powerful tools actively probe devices and can be disruptive, especially in legacy networks (Nmap is an open-source example). The tools may also require network changes in order to use them effectively, such as configuring a mirror port on a switch. Plans need to be made for any potential disruptions. If these risks cannot be made acceptable, the tools can’t be used. IT and OT need to work together to make these determinations.
It is worth noting that, if there are devices on the network that are sensitive to activities like scanning, that is a vulnerability on its own. If there is a time when the operation is down, it may be worth scanning the network just to see which devices are “fragile.” A device that cannot respond robustly to a scan is a weakness, because the same malformed or unexpected traffic could arrive from a misconfigured device or an attacker at any time.
The data generated by these tools needs to be understood in the context of the infrastructure. Again, this is where the OT engineer is needed, to interpret the connections and devices.
It is not unusual for the OT network to be used to communicate “permissives” – data about equipment status that allows other equipment to proceed. The OT network may also be used to communicate signals between controllers, or between remote I/O and the controllers, including solenoids or variable frequency drives. In these cases, the OT network is part of the control network. This is information that the OT engineer must know and bring to the inventory and scoping process. The importance and criticality of these connections may not be well understood by the IT team.
Once a good and complete asset inventory is prepared, plans can be made to improve the network. Steps like network segmentation, server and switch hardening, further auditing and network improvements become possible. The stage is also set for continued monitoring of the inventory, which then becomes the basis for detecting and managing changes.
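The following is an added example, not code from the original article, showing in working Python what the three preceding points look like in practice: a listen-only inventory in the spirit of the non-disruptive tools mentioned above, labelling of control traffic (Modbus/TCP, EtherNet/IP) so the OT engineer's context is captured in the inventory, and a comparison of a later capture against the baseline to detect changes. The frames and addresses are constructed for the example; the port-to-protocol labels are the standard well-known ports. A real deployment would feed it frames from a capture file or a mirror port rather than hand-built headers.

```python
import struct
from collections import defaultdict

# Well-known industrial protocol ports, used to label what a device appears to do.
# These are the standard assignments: Modbus/TCP 502, EtherNet/IP explicit messaging
# TCP 44818, CIP implicit I/O UDP 2222, Siemens S7 over ISO-on-TCP 102.
INDUSTRIAL_PORTS = {
    (6, 502): "Modbus/TCP",
    (6, 44818): "EtherNet/IP (explicit)",
    (17, 2222): "EtherNet/IP CIP I/O (implicit)",
    (6, 102): "S7comm/ISO-TSAP",
}


def make_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport):
    """Build a minimal Ethernet II + IPv4 + TCP/UDP header with no payload.
    Only used to construct sample frames for this example; not captured traffic."""
    l4_len = 20 if proto == 6 else 8
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + b"\x08\x00")                                   # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    if proto == 6:   # TCP: ports, seq, ack, data offset 5, SYN flag, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0)
    else:            # UDP: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    return eth + ip + l4


def parse_frame(frame):
    """Extract MACs, IPs, protocol and ports; None if not IPv4 over Ethernet II."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None   # ARP, VLAN-tagged, IPv6 etc. are skipped in this example
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]                     # IPv4 protocol field (6 = TCP, 17 = UDP)
    l4 = frame[14 + ihl:]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[0:6].hex(":"),
        "src_ip": ".".join(map(str, frame[26:30])),
        "dst_ip": ".".join(map(str, frame[30:34])),
        "proto": proto, "sport": sport, "dport": dport,
    }


def build_inventory(frames):
    """Passive inventory: IP/MAC pairs seen, which industrial services each host
    answers on, and which hosts talk to each other (the 'relationships')."""
    inv = defaultdict(lambda: {"macs": set(), "serves": set(), "talks_to": set()})
    for frame in frames:
        p = parse_frame(frame)
        if p is None:
            continue
        # Only the source MAC is recorded as the host's own address: on a flat OT
        # segment it is the sender, whereas a destination MAC may be a router.
        inv[p["src_ip"]]["macs"].add(p["src_mac"])
        label = INDUSTRIAL_PORTS.get((p["proto"], p["dport"]))
        if label:
            inv[p["dst_ip"]]["serves"].add(label)   # the host listening on that port
        inv[p["src_ip"]]["talks_to"].add(p["dst_ip"])
        inv[p["dst_ip"]]["talks_to"].add(p["src_ip"])
    return dict(inv)


def diff_inventory(baseline, current):
    """Compare a later inventory with the baseline: new hosts and new conversations."""
    new_hosts = sorted(set(current) - set(baseline))
    new_conversations = sorted(
        (a, b) for a in current for b in current[a]["talks_to"]
        if a < b and (a not in baseline or b not in baseline[a]["talks_to"]))
    return {"new_hosts": new_hosts, "new_conversations": new_conversations}


# Constructed sample traffic (addresses made up): an HMI polling a PLC over Modbus/TCP,
# and the PLC exchanging implicit I/O with a remote I/O rack.
PLC, HMI, RIO = "192.168.10.10", "192.168.10.20", "192.168.10.30"
BASELINE_FRAMES = [
    make_frame("00:11:22:00:00:20", "00:11:22:00:00:10", HMI, PLC, 6, 50000, 502),
    make_frame("00:11:22:00:00:10", "00:11:22:00:00:30", PLC, RIO, 17, 2222, 2222),
    make_frame("00:11:22:00:00:30", "00:11:22:00:00:10", RIO, PLC, 17, 2222, 2222),
]
# A later capture: the same traffic plus a previously unseen host talking Modbus to the PLC.
CURRENT_FRAMES = BASELINE_FRAMES + [
    make_frame("00:11:22:00:00:99", "00:11:22:00:00:10", "192.168.10.99", PLC, 6, 40000, 502),
]

if __name__ == "__main__":
    baseline = build_inventory(BASELINE_FRAMES)
    for host, info in sorted(baseline.items()):
        print(host, sorted(info["macs"]), sorted(info["serves"]), sorted(info["talks_to"]))
    print(diff_inventory(baseline, build_inventory(CURRENT_FRAMES)))
```

The inventory records the server side of each conversation by destination port, which is why the PLC appears as a Modbus/TCP responder and the remote I/O rack as a CIP I/O peer; the "talks_to" sets are the relationships that an OT engineer then annotates with purpose (permissives, I/O, HMI polling). The diff is deliberately one-directional: it reports what is new, which is what the monitoring stage of the article cares about, and a host that stops talking would be a separate check.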
It can be a sensitive subject for the OT team to admit that they do not have a fully documented and well-understood OT network topology. However, that is the point of this activity. Sharing knowledge, learning and improving is its purpose, and it should lead to a more secure OT infrastructure. It is the shared responsibility of both the IT and OT teams to protect and enhance the reliability and security of the company’s assets. That can only look good on performance reviews.