    OT / IoT asset management

    IT Discussion
    5 Posts 2 Posters 530 Views
      notverypunny

      Anyone have any thoughts / recommendations / experience with regards to keeping tabs on an OT environment? The only thing that seems to be out there from a discovery and management perspective seems to be OT-BASE https://www.langner.com/

      Does anyone know of any alternatives beyond a network scanner and some spreadsheets?

        1337 @notverypunny

        @notverypunny said in OT / IoT asset management:

        Anyone have any thoughts / recommendations / experience with regards to keeping tabs on an OT environment? The only thing that seems to be out there from a discovery and management perspective seems to be OT-BASE https://www.langner.com/

        OT systems are in general documented in a static way and for good reasons.

        The physical assets that OT controls have a much longer lifespan than anything IT related. Think 20 years or more. So the documentation needs to be around for the same amount of time, and it's hard to use an asset management system when that system will likely be obsolete itself in a few years' time.

        In other technical areas such as electrical, mechanical, HVAC etc., they have standards for how things should be documented. Their documentation has a lifespan of many decades. Unfortunately IT, and OT documentation by extension, are still in the dark ages.

        My suggestion is to document manually in a markdown based wiki. That way your documentation can live on for a long time, can be transferred to different systems when needed and will be flexible enough to document whatever you might need.

        Excel spreadsheets are not suitable because you really need to be able to do free text documentation for a lot of things. You will need the flexibility that a wiki has.

        Besides keeping tabs on your equipment you also need data flow diagrams, what ports are in use, required firewall settings and whatnot. Markdown can't be used for drawing, but the files can be linked, PDFs can be generated and everything stored in the wiki.

        You should combine your manual documentation with automatic scanning to detect undocumented changes, security issues etc. You could potentially have the result of the scanning fed into wiki pages. That gives you the ability to view everything in the same wiki system.

        CyberX (recently bought by Microsoft) has a system that can scan and detect security issues, especially for OT/ICS/IoT systems. It probably does asset management as well. I've not heard good things about them in the past, but it might be better now.

          1337 @1337
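The reply above recommends pairing hand-written wiki documentation with automatic scanning and feeding the scan results back into wiki pages. The script below is an added example of that reconciliation step; it is not code from this thread or from any product mentioned in it. It assumes the documented inventory has been exported from the wiki into a list of devices and that a discovery run produces a comparable list; the device records, IPs and firmware versions are constructed for illustration.

```python
"""Reconcile a hand-maintained OT inventory against an automatic scan.

Added example, not code from the thread. Assumptions: the documented
inventory lives in a wiki and is exported to a simple list of devices;
the scan result is a list of hosts as a discovery tool might produce.
Every record below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    ip: str
    name: str
    kind: str       # PLC, HMI, switch, ...
    firmware: str


# Constructed "documented" inventory, as if parsed from the wiki.
DOCUMENTED = [
    Device("10.10.1.10", "PLC-LINE1", "PLC", "2.4.1"),
    Device("10.10.1.11", "PLC-LINE2", "PLC", "2.4.1"),
    Device("10.10.1.20", "HMI-LINE1", "HMI", "7.1"),
    Device("10.10.1.50", "SW-CELL1", "switch", "15.2"),
]

# Constructed scan output: what the last discovery run observed.
SCANNED = [
    Device("10.10.1.10", "PLC-LINE1", "PLC", "2.4.1"),
    Device("10.10.1.11", "PLC-LINE2", "PLC", "2.5.0"),     # firmware drifted
    Device("10.10.1.50", "SW-CELL1", "switch", "15.2"),
    Device("10.10.1.77", "unknown", "unknown", "unknown"),  # never documented
]


def _by_ip(devices):
    return {d.ip: d for d in devices}


def reconcile(documented, scanned):
    """Return the three kinds of drift between documentation and reality.

    undocumented: seen on the network, absent from the wiki
    not_seen:     in the wiki, not observed (offline? decommissioned? wrong VLAN?)
    changed:      (ip, documented firmware, observed firmware) where they differ
    """
    doc, seen = _by_ip(documented), _by_ip(scanned)
    order = ipaddress.ip_address  # sort numerically, not as strings
    undocumented = [seen[ip] for ip in sorted(seen.keys() - doc.keys(), key=order)]
    not_seen = [doc[ip] for ip in sorted(doc.keys() - seen.keys(), key=order)]
    changed = [
        (ip, doc[ip].firmware, seen[ip].firmware)
        for ip in sorted(doc.keys() & seen.keys(), key=order)
        if doc[ip].firmware != seen[ip].firmware
    ]
    return {"undocumented": undocumented, "not_seen": not_seen, "changed": changed}


def render_markdown(report):
    """Render the reconciliation as a Markdown page suitable for the wiki."""
    lines = ["# Scan vs. documentation", "", "## Undocumented devices"]
    lines += [f"- {d.ip} ({d.kind}, firmware {d.firmware})"
              for d in report["undocumented"]] or ["- none"]
    lines += ["", "## Documented but not seen"]
    lines += [f"- {d.ip} {d.name}" for d in report["not_seen"]] or ["- none"]
    lines += ["", "## Firmware differs from documentation"]
    lines += [f"- {ip}: documented {old}, observed {new}"
              for ip, old, new in report["changed"]] or ["- none"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_markdown(reconcile(DOCUMENTED, SCANNED)))
```

Each of the three sections is an item for a person to act on rather than an automatic change to the documentation: an undocumented host is either a new asset to record or something that should not be there, and a device that was documented but not seen may simply be powered down, which a scan alone cannot tell you.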

          You also need to consider what it is you want the documentation to actually be used for and by whom.

          If you have different roles you might have network, security and sysadmin/tech (servers, devices etc). Their documentation needs are probably quite different.

          For example:

          • physical network layout
          • switch configuration
          • cabinets, racks drawings, locations and wiring
          • optical fiber runs, type, length, usage/spares
          • physical servers, location, warranty information
          • device location, type, firmware level, IPs
          • workload inventory
          • application settings and configuration
          • application data flow between devices, IPs and ports
          • application support, contracts
          • security zone config, firewall settings
          • security compliance documentation

          etc, etc...

            notverypunny @1337

            @Pete-S said in OT / IoT asset management:

            You also need to consider what it is you want the documentation to actually be used for and by whom.

            If you have different roles you might have network, security and sysadmin/tech (servers, devices etc). Their documentation needs are probably quite different.

            For example:

            • physical network layout
            • switch configuration
            • cabinets, racks drawings, locations and wiring
            • optical fiber runs, type, length, usage/spares
            • physical servers, location, warranty information
            • device location, type, firmware level, IPs
            • workload inventory
            • application settings and configuration
            • application data flow between devices, IPs and ports
            • application support, contracts
            • security zone config, firewall settings
            • security compliance documentation

            etc, etc...

            Yeah, I hear you...

            One of the other guys is lead-ish on the user endpoint stuff for now and there's a product in place to help with that.

            My main concern for the present effort is getting an accurate picture of what SCADA / OT etc devices we've got in the environment so that I know if action has to be taken or flagged to the appropriate controls group when vulnerabilities are flagged online.

            Ideally it'd be something like Nedi but for OT-type devices.

            Netbox is great for static documentation and the sky seems to be the limit with regards to how much it can be expanded.
            There is an integration with the fusioninventory plugin and agent that I'm already familiar with for GLPI, just haven't taken the time to investigate it.

            Equally, GLPI has a lot of potential for some of this but couldn't do what I needed to with regards to documentation for our site-to-site networking.

              1337 @notverypunny
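The post above frames the goal as knowing which SCADA/OT devices are in the environment so that a published vulnerability can be turned into an action for the right controls group. The following is an added example of that matching step, not code from this thread or from any tool it mentions. It assumes the inventory records vendor, product, firmware version and owning group per device, and that advisories are tracked as "affected before firmware version X"; all vendor names, products, versions and the advisory ids are constructed placeholders.

```python
"""Match a documented OT inventory against vendor advisories.

Added example, not code from the thread. Assumes each inventory entry
carries vendor, product, firmware and owning group, and that an advisory
states the first firmware version that is no longer affected. All names,
versions and advisory ids below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str
    firmware: str
    owner: str      # group to notify when action is needed


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real advisory
    vendor: str
    product: str
    fixed_in: str      # first firmware version that is not affected


# Constructed inventory, as it might be exported from the documentation.
ASSETS = [
    Asset("PLC-LINE1", "ExampleVendor", "PLC-X", "2.4.1", "controls"),
    Asset("PLC-LINE2", "ExampleVendor", "PLC-X", "2.5.0", "controls"),
    Asset("HMI-LINE1", "OtherVendor", "HMI-Y", "7.1", "controls"),
    Asset("SW-CELL1", "NetVendor", "SW-Z", "15.2b", "network"),
]

# Constructed advisories; the ids are placeholders, not real identifiers.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-001", "ExampleVendor", "PLC-X", "2.5.0"),
    Advisory("ADV-PLACEHOLDER-002", "NetVendor", "SW-Z", "15.3"),
]


def parse_version(text):
    """'2.4.1' -> (2, 4, 1); None when the string is not purely numeric dotted."""
    try:
        return tuple(int(p) for p in text.split("."))
    except ValueError:
        return None


def affected(asset, advisory):
    """True/False when decidable; None when the firmware string cannot be compared.

    Returning None instead of guessing keeps an odd vendor version label
    (e.g. '15.2b') from being silently treated as patched.
    """
    if (asset.vendor, asset.product) != (advisory.vendor, advisory.product):
        return False
    have, fixed = parse_version(asset.firmware), parse_version(advisory.fixed_in)
    if have is None or fixed is None:
        return None
    return have < fixed


def triage(assets, advisories):
    """Group devices needing action (or a manual look) by owning group."""
    actions = {}
    for adv in advisories:
        for a in assets:
            state = affected(a, adv)
            if state is False:
                continue
            verdict = "affected" if state else "review (unparseable firmware)"
            actions.setdefault(a.owner, []).append((a.name, adv.advisory_id, verdict))
    return actions


if __name__ == "__main__":
    for owner, items in triage(ASSETS, ADVISORIES).items():
        print(owner)
        for name, adv_id, verdict in items:
            print(f"  {name}: {adv_id} -> {verdict}")
```

The output is only as good as the firmware field in the inventory, which is exactly why the scan-versus-documentation check matters: a device whose documented firmware has drifted from what is actually installed will be triaged against the wrong version.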

              @notverypunny said in OT / IoT asset management:

              My main concern for the present effort is getting an accurate picture of what SCADA / OT etc devices we've got in the environment so that I know if action has to be taken or flagged to the appropriate controls group when vulnerabilities are flagged online.

              Sounds like your needs are primarily security centric.

              Give CyberX a look then. It's now called Microsoft Defender for IoT, but it covers SCADA and other OT tech as well. https://azure.microsoft.com/en-us/services/iot-defender/#features

              I do have a lot of experience with documentation of these kinds of systems in a variety of industries, like the manufacturing industry, pulp and paper, chemical plants etc.

              In a lot of cases automatic discovery can be problematic and won't work.

              If you have a lot of control systems, most of the manufacturers will have tools that can keep track of their own devices. Especially when it comes to DCS systems that you'll find in larger installations.

              You will likely need some kind of hybrid approach.
