Some cybersecurity guidance – do this; don’t do that – can seem frustrating and even irritating to defenders. As organizations of all types and sizes deal with an unprecedented volume and frequency of ransomware attacks, much of that guidance is being repeated and amplified. Some pundits have rightfully chided that the guidance isn’t always helpful, practical, or even attainable for most organizations. However, one thing is arguably an exception – asset management.
Much of the current guidance seems nearly impossible to follow because organizations do not know what they have, or what they need to protect, in the first place. It’s like throwing darts at a blank wall – no target, no baseline to focus on for maximum effectiveness, and no understanding of how to improve your game. Dragos puts it this way for OT asset owners and operators: “Operators require tools that make their jobs more efficient, and the easier it is to establish baselines, the quicker they can spot deviations. For example, at shift start having the ability to view a simple dashboard that highlights any problematic PLCs in red while displaying stable operator consoles in green, makes it easier to focus on areas requiring attention.” That’s why WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities includes Perform Asset Inventories at #1. Gaining visibility of assets is a challenge, but it is not unattainable. Undoubtedly, without visibility into key assets, much of the cybersecurity guidance understandably goes by the wayside. For more about the importance of asset visibility in industrial environments, check out this first post in a series by Dragos.