• logical inventory (the network locations of assets);
• physical inventory (the real locations of assets); and
• security system inventory (what security solutions are in place, and where they sit).
Performing a physical inventory provides crucial insight into who has access to the asset; it also allows for a visual inspection of the asset, which can lead to important information that isn't available through other means. For example, have some assets on the plant floor been powered down or decommissioned? What about assets that aren't plugged in, or that have open ports, switches and modems that are supposed to be turned off when not in use? Does an asset have multiple network cards for accessing different network segments? Laboratory information management systems and centralized data historians are good examples of assets that often connect to multiple networks. Without a visual inspection it would be easy to miss this information, which is an important consideration for incident response plans and backup and restoration programs.
It also is essential to inventory existing security applications, including where they sit and how they function. Most facilities have at least a dozen isolated lists of information provided by various security applications or point solutions — for example, user security settings in Windows Active Directory, an inventory of critical systems in the backup system, anti-virus, intrusion-detection and patch-management applications, network access rules and controls (acceptable paths, what machine can connect to which network), and various sets of documentation ranging from policies to procedures to checklists and technical standards.
A detailed cyber inventory underpins many of the subsequent steps in creating a best-practices compliance program, such as identifying and addressing vulnerabilities and establishing mitigation and remediation plans. The more accurate and complete an inventory, the easier it will be to make thoughtful decisions about a security program, including understanding the impact on operations of rollout of, say, an anti-virus application.
INTEGRATE DATA SOURCES
Once the inventory has been completed, the challenge is tying this information together for a holistic view of the plant's cyber assets. There's no sense in pulling all these data from the various areas and duplicating them in a separate database (doing so would create an information management nightmare). The alternative is to compile a "master list" of all information sources in a facility with links to the supporting data and underlying information. This higher-order database is similar in function to a site map for a complex website, and is really a logical model of a facility. Most plants likely can generate it from the inventories they've already completed. This master list enables sites to keep tabs on their critical information, provided processes are in place to ensure it's kept up to date.
A key aspect of managing a security program is integrating all security data sources and making that information accessible and actionable.
Take the example of an access request. Whether the request is for electronic or physical access, most facilities today would need to go to a host of spreadsheets to cross-reference the user name against training records, electronic access clearance level, and even background or clearance checks. The bits and pieces of the information plants need to determine whether to grant the request reside in various data sources, formatted differently in each. Now imagine a single interface able to display a user and list his or her specific clearances, training and certifications taken (with time stamps).
Tools to automatically monitor and manage the security program as well as document changes are essential to a robust security management program. A tool that interfaces with best-in-class security software, e.g., for protection against viruses, patch management or backup/virtualization, can provide immense value in managing a plant's data and security program — if it's set up right, that is. A recommended approach is to implement a database with front-end portal capabilities for viewing relationships and interdependencies and reporting on them.