ICS Asset Visibility: I Came, I Saw, I Conquered
Remember the saying "I came, I saw and I conquered"? I'm referencing Julius Caesar because it perfectly describes a hacker's method. The more a hacker understands a system, the quicker and more efficiently they can exploit it and potentially cause significant damage.
A notable example of a sophisticated cyber-attack is the infamous 'Stuxnet.' This computer worm targeted machines and networks running Microsoft Windows, specifically seeking out Siemens Step7 software. Without prior knowledge of the targeted systems, conducting such an attack would have been impossible.
Therefore, to protect your systems from similar assaults, you should think like a hacker. Familiarize yourself with every aspect of your systems and understand their vulnerabilities.
In most industrial processing environments, the responsibility of maintaining cybersecurity falls on the automation systems maintenance engineer. Unfortunately, these engineers are often uninformed about the specifics of cybersecurity. This leads us to a critical question: why is it necessary for the person overseeing automation systems' cybersecurity to comprehend and oversee all automation assets?
For instance, consider a standard processing plant comprising various control systems, including Distributed Control Systems (DCS) and Programmable Logic Controllers (PLCs). A well-run plant should operate continuously, undergoing significant maintenance every two years. There's often a mentality of "if it's not broken, don't fix it," which can lead to inactive hardware being overlooked. In fairness, the number of maintenance engineers at such plants is usually quite small, so it's easy to rationalize this thinking.
Furthermore, renovation and modernization activities over time can create a heterogeneous environment of series, models and system types from various manufacturers. I've encountered situations where outdated cards weren't removed post-migration to newer ones. With time, and due to employee turnover, the knowledge of these systems can get lost, thus increasing system vulnerability.
Adversaries can and will seek out information about your control system assets to find exploitable weaknesses. If you lack access to the same information, managing your assets and addressing vulnerabilities becomes substantially more difficult.
Some might argue that many DCS Original Equipment Manufacturers (OEMs) provide software to log control assets. However, most don't present a simple representation of the interconnectedness of these assets, especially across systems of different brands. These tools have evolved over time, but there is always room for improvement. Hexagon's PAS Automation Integrity™ stands miles ahead in this regard.
Another important consideration is that OEMs usually announce vulnerabilities associated with their hardware publicly but generally don't alert their customers directly. Consequently, it becomes invaluable to maintain a report listing assets with known vulnerabilities and their connections to other assets. This will allow for cautious replacement or removal.
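As an added illustration (not part of the original article and not Hexagon's product), the sketch below shows the kind of report described above: an inventory joined against vendor advisories, with each affected asset listed alongside what it connects to. All asset names, vendors, models, firmware versions, advisory ids and links are constructed placeholders, and the simple dotted-number firmware comparison is an assumption.

```python
from collections import defaultdict

# Constructed sample data: every name, version and advisory id is a placeholder.
INVENTORY = [
    {"id": "DCS-CTRL-01", "vendor": "VendorA", "model": "A100", "fw": "4.2", "in_service": True},
    {"id": "PLC-07", "vendor": "VendorB", "model": "B20", "fw": "1.9", "in_service": True},
    # A card left installed after a migration, as described earlier in the article.
    {"id": "IO-CARD-OLD-3", "vendor": "VendorA", "model": "A10", "fw": "2.0", "in_service": False},
    {"id": "HMI-02", "vendor": "VendorC", "model": "C5", "fw": "7.1", "in_service": True},
]
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "vendor": "VendorA", "model": "A10", "fixed_in": "2.3"},
    {"id": "ADV-PLACEHOLDER-2", "vendor": "VendorB", "model": "B20", "fixed_in": "1.5"},
]
# Undirected connections between assets, regardless of brand.
LINKS = [("DCS-CTRL-01", "IO-CARD-OLD-3"), ("DCS-CTRL-01", "PLC-07"), ("PLC-07", "HMI-02")]

def version_tuple(v):
    """Turn '2.10' into (2, 10) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

def build_report(inventory, advisories, links):
    """Return one row per asset whose firmware predates an advisory's fixed version."""
    neighbours = defaultdict(set)
    for a, b in links:
        neighbours[a].add(b)
        neighbours[b].add(a)
    report = []
    for asset in inventory:
        hits = [adv["id"] for adv in advisories
                if (adv["vendor"], adv["model"]) == (asset["vendor"], asset["model"])
                and version_tuple(asset["fw"]) < version_tuple(adv["fixed_in"])]
        if hits:
            report.append({
                "asset": asset["id"],
                "advisories": hits,
                "in_service": asset["in_service"],
                "connected_to": sorted(neighbours[asset["id"]]),
            })
    return report

if __name__ == "__main__":
    for row in build_report(INVENTORY, ADVISORIES, LINKS):
        status = "in service" if row["in_service"] else "not in service (removal candidate)"
        print(f'{row["asset"]}: {", ".join(row["advisories"])}; {status}; '
              f'connected to {", ".join(row["connected_to"]) or "nothing recorded"}')
```

In this sample, PLC-07 is not reported because its firmware is already past the fixed version, while the forgotten I/O card is flagged together with the controller it is still wired to.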
Today, I'm pleased to say that all this and much more can be achieved using Hexagon's PAS Automation Integrity. Therefore, take the initiative and take stock of your control systems before someone else does!