While testing our latest feature, continuous inventory, with our clients, we observed that up to 30% of their devices were missing from their manual inventories.
This is a considerable security gap. After all, you cannot secure what you cannot see.
As this seems to be a widespread issue in the industry, we wanted to cover the topic in depth. In this article, we’ll explore the causes of these omissions, cover the security implications, and discuss the value that an automated inventory based on OTSPM principles can provide.
An audit revealed we had over 400 devices in our plant, around 30% more than the 300 we had registered in our inventory. Most were devices that don’t require much maintenance, like power meters and sensors.
Most of those devices were so simple that we didn’t think of tracking them, and a few were missing due to quick changes that we forgot to reflect in the inventory.
Moving to a continuous inventory has completely changed the way we think about security. It’s been a game changer.
CIO, Leading automotive industry company
Why are Devices Missing From Manual Inventories?
If you keep a manual inventory, many reasons can lead to omitting some devices or changes.
Maybe you have very simple devices you set up and forget about, like a power meter that will never receive a firmware update. You read its measurements through a monitoring dashboard and never interact with it directly. Because it is so simple, you assume it is secure without giving it much thought.
It also happens that when you are in the middle of a bigger project, you do a quick hack to fix something, and then something more critical grabs your focus. You convince yourself that you’ll take a proper look later on, but that temporary fix ends up becoming permanent. As it was temporary, you never registered the change in the inventory, leaving a permanent drift.
And most commonly, mistakes happen. When you manage hundreds of devices, it’s easy to omit one change in the inventory or mislabel it into another device.
Manual processes are flawed by definition, and so are manual inventories.
An Unattended Patch of Attack Surface
So, what if you miss something in your inventory? Is it a big deal?
As we said earlier, you can’t secure what you can’t see.
All those devices have vulnerabilities and require firmware updates. Because they are connected to the network, an attacker who reaches one of them can exploit any known vulnerability it carries.
One of those devices could become an unexpected entry point to your network, or attackers could change their configuration to impact production. There’s plenty we could speculate about.
What’s sure is that you’ll have a hard time investigating what happened. If the device is not accounted for in the inventory, you probably won’t think about it during your investigation. By the time you realize what happened, it may be too late.
How Does Automated Inventory Help?
Automation is the first step toward eliminating error-prone manual steps.
An automated inventory usually relies on an agent that periodically scans your network, probing every device and recording everything it finds.
With this information, the agent can provide a deep and always up-to-date picture of your infrastructure. It is that easy. No matter what changes you perform, they will always be reflected in your inventory.
If this agent knows how to talk to your devices, it can fetch meta information, such as device models and firmware versions.
This information is key when you are managing hundreds of devices. Enriching your inventory with metadata and making it searchable turns an unmanageable inventory into a useful tool.
The deeper the agent can go into fetching this context, the more valuable your inventory will be. Here is where solutions with multi-brand support shine. If you can differentiate a PLC from a Raspberry Pi directly from your inventory, you can spot suspicious devices that shouldn’t be there.
Beyond Automated, Continuous Inventory
Is an automated inventory enough for security engineers? I personally don’t think so. Maybe that’s why no one bothers keeping an updated inventory; there’s little value in a simple list of your devices.
However, when you take into account the OTSPM principles of correlating data between security tools to detect more threats, things change.
Within the OTSPM framework, the inventory is the keystone of security.
When you integrate your inventory with vulnerability management, compliance, and threat detection, you obtain a new dimension of context that will speed up your prioritization or investigation of security incidents.
Enabling Actionable Security Insights With Metadata
It’s good if your agent has multi-brand support and can gather metadata from all your devices, but it’s better if you can take action from all that collected intelligence.
Let’s explore two examples.
If your inventory solution gathers your device’s model and firmware version, it is only one step away from correlating that data with the manufacturer’s feed of updates. Once you do that, you suddenly have a list of devices that need a firmware upgrade. It’s not only practical, but you also have automated the check for a common compliance requirement.
When handling many devices, leaving the default configuration untouched is common. This is dangerous with the default credentials, as they are the first any malicious actor will check. Once the inventory knows a device’s brand and model, checking whether that device still uses its default credentials is another check it can perform for you.
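As an added example (not Safetybits’ code; the vendor names, models, device list and update feed are constructed stand-ins), here is the firmware correlation step from the first example above, including the two cases a practitioner has to handle explicitly: versions the agent could not read, and models the feed does not cover at all.

```python
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Device:
    name: str
    vendor: str
    model: str
    firmware: str

def parse_version(v):
    """'2.10.3' -> (2, 10, 3); None when the string is not dotted numbers."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        return None
    return tuple(int(p) for p in v.split("."))

# Constructed sample: metadata the inventory agent collected per device.
INVENTORY = [
    Device("plc-line1", "AcmePLC", "X100", "2.4.1"),
    Device("meter-hall", "VoltCo", "PM300", "1.0.7"),
    Device("plc-line2", "AcmePLC", "X100", "2.5.0"),
    Device("meter-b", "VoltCo", "PM300", "unknown"),  # agent could not read the version
    Device("rpi-unknown", "Raspberry Pi", "4B", "bookworm"),
]

# Constructed stand-in for the manufacturers' update feeds: latest release per model.
UPDATE_FEED = {
    ("AcmePLC", "X100"): "2.5.0",
    ("VoltCo", "PM300"): "1.2.0",
}

def firmware_report(inventory, feed):
    """Correlate each device's firmware with the feed.
    outdated: behind the latest release; unknown: version unreadable;
    uncovered: no feed entry for that model (absence of data is not compliance)."""
    report = {"outdated": [], "unknown": [], "uncovered": []}
    for d in inventory:
        latest = feed.get((d.vendor, d.model))
        if latest is None:
            report["uncovered"].append(d.name)
            continue
        current = parse_version(d.firmware)
        if current is None:
            report["unknown"].append(d.name)
        elif current < parse_version(latest):
            report["outdated"].append((d.name, d.firmware, latest))
    return report
```

The "uncovered" and "unknown" buckets matter as much as "outdated": a device with no feed entry or no readable version has not passed the check, it has merely escaped it.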
Completing the Inventory Continuously
Inventory agents perform their scans periodically, once or twice daily, which is enough to keep a picture of your infrastructure. But what happens with malicious devices that may connect intermittently to avoid discovery?
That’s when complementing your inventory with network detections comes in handy.
Most threat detection tools are independent of the inventory. You may get an alert from a device not registered in the inventory, and that’s all the information you get.
If, instead, you continuously update your inventory with the data collected from the network activity, you’ll have a complete history of a suspicious device whenever you get an alert. For example, when was that device seen for the first time, or what other alerts are related to that device?
Going one step further, you could configure your threat detection to alert you the first time it observes a new device in the network. That way, you could spot and investigate suspicious devices as they speak to the network.
It’s Not Only the Shot but the Whole Movie
Imagine having a timeline that shows when a device was first seen and all the software updates and configuration changes that have occurred since. Wouldn’t it save you lots of time when investigating some security incidents?
Maintaining that changelog is an unbearable task if done manually. However, it is trivial for an automated inventory. The tool already collects the data; it just needs to display it.
With that view, you could easily spot what change made a device fall out of compliance or spot the moment an attacker compromised a device.
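The two ideas from the last two sections, alerting the first time a device is observed and keeping a per-device timeline of changes, fit in one small replay loop. This is an added example, not the product’s code; the observation lines (scheduled scans plus passive network detections, keyed by MAC) are constructed.

```python
from dataclasses import dataclass, field

# Constructed observations: scheduled agent scans plus passive network detections.
OBSERVATIONS = """\
2024-03-01T08:00 scan mac=aa:bb:cc:00:00:01 ip=10.0.0.5 model=X100 fw=2.4.1
2024-03-01T08:00 scan mac=aa:bb:cc:00:00:02 ip=10.0.0.6 model=PM300 fw=1.0.7
2024-03-02T03:12 passive mac=de:ad:be:ef:00:09 ip=10.0.0.77
2024-03-02T08:00 scan mac=aa:bb:cc:00:00:01 ip=10.0.0.5 model=X100 fw=2.5.0
2024-03-03T08:00 scan mac=aa:bb:cc:00:00:02 ip=10.0.0.6 model=PM300 fw=1.0.7
2024-03-04T02:40 passive mac=de:ad:be:ef:00:09 ip=10.0.0.77
"""

@dataclass
class Record:
    first_seen: str
    last_seen: str
    attrs: dict = field(default_factory=dict)
    timeline: list = field(default_factory=list)  # (timestamp, event) history
    sources: set = field(default_factory=set)     # which collectors saw it

def parse_line(line):
    ts, source, *pairs = line.split()
    return ts, source, dict(p.split("=", 1) for p in pairs)

def build_inventory(text):
    """Replay observations in order. Returns (inventory keyed by MAC, alerts)."""
    inv, alerts = {}, []
    for line in text.splitlines():
        ts, source, attrs = parse_line(line)
        mac = attrs.pop("mac")
        rec = inv.get(mac)
        if rec is None:
            # First sighting: open the record and raise the "new device" alert.
            rec = inv[mac] = Record(first_seen=ts, last_seen=ts, attrs=dict(attrs))
            rec.timeline.append((ts, f"first seen via {source}"))
            alerts.append((ts, mac, "new device on the network"))
        else:
            for key, value in attrs.items():
                old = rec.attrs.get(key)
                if old != value:
                    # Every attribute change (firmware, IP, ...) becomes a timeline entry.
                    rec.timeline.append((ts, f"{key} changed {old} -> {value}"))
                    rec.attrs[key] = value
        rec.last_seen = ts
        rec.sources.add(source)
    return inv, alerts

def passive_only(inv):
    """Devices never caught by a scheduled scan: candidates for intermittent presence."""
    return sorted(mac for mac, rec in inv.items() if "scan" not in rec.sources)
```

Note that the device at 10.0.0.77 only ever shows up in passive detections between scans, which is exactly the case the daily scan alone would miss.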
Conclusion
Manual inventories provide little value and are tedious to maintain, so with little motivation to keep them current they often become outdated.
Accepting that as normal is dangerous. You can’t secure what you cannot see, so inventories must reflect the reality of a deployment.
Inventory is the cornerstone of security and becomes invaluable when updated continuously and integrated with the rest of the security tools.
The industry is adopting new technologies at a blazing speed. However, it also needs to adapt to the changes in the security landscape. Here is where OTSPM tools are leading the way in keeping industrial deployments safe.
Expand your reach with OTSPM
Discover how Safetybits Continuous Inventory accurately tracks your infrastructure so all your devices are accounted for.