By Heinz-Uwe Gernhard, IT-Security, Robert Bosch GmbH, Erbach
For IT security, the operator of Operational Technology (OT) must have comprehensive knowledge of the assets in its systems, production facilities and lines. This knowledge is inseparable from identifying the assets worth protecting, and it is one of the foundations of risk analysis and risk management.
In the past, operators often neglected this information in the OT environment. Beyond the system name, a device name, its IP address and its location, nothing further was usually recorded. The additional information needed for operation, and above all for evaluation in the sense of a risk analysis and the security measures derived from it, was missing.
Documentation was limited to simple lists or Excel sheets, which allowed only limited further evaluation and benefit. Moreover, maintaining the data and tracing changes were usually not subject to a systematic process but were left to the competence of the individuals responsible, with all the risks that entails.
The solution is CMDB
However, the demand for more connectivity and integration in OT, its increasing merger with IT, and the risk assessment this entails call for more detailed and process-oriented documentation and administration of OT assets. This requirement can be met with the Configuration Management Database (CMDB), a technology established in the IT sector, where it underpins a wide range of services in the context of the IT Infrastructure Library (ITIL). It holds the Configuration Items (CIs), i.e. all IT and OT equipment together with their attributes.
Besides hardware, networks, interfaces and communication relationships, this includes software with its versions, configurations and patch status, as well as service level agreements (SLAs), IT services and license management. The CMDB is also the basis for escalation and emergency management and for demonstrable compliance with regulatory and contractual requirements. The CIs are under the control and review of change management.
Investing in such an extensive implementation, including the necessary organizational and process structures, is usually only affordable for medium-sized and large companies. Nevertheless, it is also worthwhile for small companies to use the concept's approaches to be well-prepared for the future.
OT operators who can fall back on the existing structures of their enterprise IT have the opportunity to integrate their CIs there and use them for their own applications.
The classic problems of OT present a major challenge here: the extreme heterogeneity of the CIs' hardware and software, service lives that are extremely long compared with IT, service and operating conditions dominated by availability, and the lack of support for automated collection of basic data. Extensive manual effort is usually needed.
A possible approach for small companies choosing CMDB-based administration is to start with a coarser level of detail for the CIs and to define and map only the relevant relations. This can be done in the course of an exemplary risk analysis of one line or system. The resulting data set then forms the basis for recording the entire OT and for future risk assessments.
Practical example: Remote service portal
An example of such an iterative approach is the implementation of an internal central remote service portal. The data of the CIs (assets), their communication relationships and the processes and services required as a result were derived from the protection goals and possible weak spots determined by a risk analysis, and from the resulting measures for risk minimization.
A mapping was then carried out in an existing CMDB, which in turn was expanded by attributes which had previously not played a role in the IT area, but which were relevant in the OT context.
From request to closure
The course of a remote session, from the request to the closure of the session, can be outlined as follows: for a CI in OT, an authorized employee raised the need for remote maintenance via a web-based ticketing system. From the target address of the remote service, the affected CIs and their relevant attributes were determined from the CMDB. From these attributes, the organizational and technical parameters could be derived and passed to the systems and parties involved.
The attributes were determined as part of a risk analysis covering remote, user, ticket, security, asset, certificate and device management. It was particularly helpful that the existing attributes of the CIs could also be edited and displayed graphically.
From the results, the necessary organizational and technical measures for the concrete implementation could then be derived and assigned for implementation in the affected systems. This also included change, incident and problem management for operation.
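The lookup described above (target address to CI, CI attributes to organizational and technical session parameters) and the CMDB content listed earlier (CIs with attributes and communication relationships) can be made concrete in code. The following Python is an added example, not code from the author or from the Bosch portal: the CI names, addresses, attribute names, the protocol-to-port map, the maintenance-window and four-eyes rules, and the jump-host naming are all assumptions chosen for illustration.

```python
"""Added example: resolving an OT remote-service request against a toy CMDB.

Not the author's code. CI names, addresses, attribute names and the policy
rules (windows, approvals, port map, jump-host naming) are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address

# Assumed mapping of permitted remote-access protocols to the TCP port the
# perimeter firewall must open for the session.
PROTOCOL_PORTS = {"rdp": 3389, "ssh": 22, "https": 443, "s7comm": 102}


@dataclass
class CI:
    """One configuration item with the attributes the text calls OT-specific."""
    name: str
    ip: str
    ci_type: str
    owner: str                  # organisational: who approves and is notified
    safety_relevant: bool       # OT: a wrong intervention can endanger people or the line
    remote_protocols: tuple     # technical: protocols permitted for remote access
    maintenance_window: tuple   # (start_hour, end_hour), may wrap past midnight
    firmware: str = ""
    links: list = field(default_factory=list)  # communication relationships to other CIs


# Constructed sample inventory: one line with a PLC, its HMI and a historian.
CMDB = {
    "PLC-L1-01": CI("PLC-L1-01", "10.20.1.10", "PLC", owner="line1.maintenance",
                    safety_relevant=True, remote_protocols=("s7comm",),
                    maintenance_window=(22, 6), firmware="V4.2", links=["HMI-L1-01"]),
    "HMI-L1-01": CI("HMI-L1-01", "10.20.1.20", "HMI", owner="line1.maintenance",
                    safety_relevant=False, remote_protocols=("rdp",),
                    maintenance_window=(0, 24), links=["PLC-L1-01", "HIST-01"]),
    "HIST-01":   CI("HIST-01", "10.20.9.5", "Historian", owner="plant.it",
                    safety_relevant=False, remote_protocols=("ssh", "https"),
                    maintenance_window=(0, 24), links=["HMI-L1-01"]),
}


def find_ci_by_address(cmdb, address):
    """Return the CI registered for an IP address, or None if it is not inventoried."""
    target = ip_address(address)
    for ci in cmdb.values():
        if ip_address(ci.ip) == target:
            return ci
    return None


def in_window(window, hour):
    """True if the hour (0-23) lies inside a window that may wrap past midnight."""
    start, end = window
    if start < end:
        return start <= hour < end
    return hour >= start or hour < end


def plan_remote_session(cmdb, target_ip, protocol, requester, hour, ttl_minutes=120):
    """Derive the organisational and technical parameters of a remote session.

    Raises ValueError with the reason when the request must be rejected.
    """
    ci = find_ci_by_address(cmdb, target_ip)
    if ci is None:
        raise ValueError(f"{target_ip} is not in the CMDB; no session for an uninventoried asset")
    if protocol not in ci.remote_protocols:
        raise ValueError(f"{protocol} not permitted for {ci.name}; allowed: {ci.remote_protocols}")
    if not in_window(ci.maintenance_window, hour):
        start, end = ci.maintenance_window
        raise ValueError(f"{ci.name} may only be serviced between {start}:00 and {end}:00")

    # Organisational parameters: approvals and who must be informed. The
    # owners of linked CIs are notified because their assets are affected too.
    approvals = [ci.owner]
    if ci.safety_relevant:
        approvals.append("plant.safety")   # assumed four-eyes rule for safety-relevant CIs
    notify = sorted({cmdb[n].owner for n in ci.links if n in cmdb} | {ci.owner})

    # Technical parameters: the time-bounded firewall rule the jump host needs.
    port = PROTOCOL_PORTS[protocol]
    rule = f"allow tcp from jump-{requester} to {ci.ip} port {port} for {ttl_minutes} min"

    return {"ci": ci.name, "approvals": approvals, "notify": notify,
            "firewall_rule": rule, "affected": list(ci.links)}


def process_ticket(cmdb, target_ip, protocol, requester, hour):
    """Outcome as the ticket system would record it: ('approved', plan) or ('rejected', reason)."""
    try:
        return "approved", plan_remote_session(cmdb, target_ip, protocol, requester, hour)
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(process_ticket(CMDB, "10.20.1.10", "s7comm", "bob", 23))
    print(process_ticket(CMDB, "10.20.1.99", "rdp", "bob", 10))
```

The rejection of an address that is not in the CMDB is the point of the whole exercise: without a complete asset inventory, the portal cannot tell a legitimate target from an unknown device, and every other parameter (approver, permitted protocol, window, affected neighbours) hangs off the CI record.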
Advantages and difficulties
The comparatively high expense of combining risk analysis with the use of a CMDB now pays off in the planning and implementation of new systems.
One of the greatest difficulties for automated transfer into the CMDB was the heterogeneity of the CIs and the lack of support from integrators and component suppliers in providing the attributes of the delivered CIs in a standardized form. All parties involved, manufacturers, integrators and operators alike, need to act.
Risk management becomes indispensable
The costs of implementing a CMDB are not to be underestimated, nor are the accompanying changes to organizational structure and processes. However, future requirements for networking and communication, and a risk management that is becoming indispensable, make it clear that there is currently no way around approaches of this kind. The required convergence of IT and OT will also lead to a harmonization of tools, standards and approaches, even if differences in detail will remain.
vdma.org: Industrial Security | VDMAimpulse 03-2017: "The invulnerable machine" | VDMAimpulse 03-2017: "Comprehensive security concept" | VDMAimpulse 03-2017: "Securely networking existing machinery" | VDMAimpulse 01-2016: "Security - A moving target"