BKD: Hello and welcome to the second episode of our “Operational Technology Cybersecurity – the vital next step in digitalization” podcast series on HxGN Radio. I’m Beth Keener-Dent.
In this episode, together with Edgardo Moreno, executive industry consultant at Hexagon’s Asset Lifecycle Intelligence division, we’re talking about Asset Inventory, which is the foundational element in OT/ICS cybersecurity.
This podcast series is created in partnership with Petroleum Economist and also broadcasts on PE Live Podcast, and this conversation is moderated by Karolin Schaps, a regular contributor to Petroleum Economist. Thank you for listening and we hope you enjoy.
KS: Hello and welcome to PE Live Podcast. My name is Karolin Schaps. I’m a regular contributor to Petroleum Economist, and it brings me great pleasure to present episode two of this three-part podcast series titled Operational Technology cybersecurity – the vital next Step in digitalisation, brought to you in association with Hexagon. Today’s episode is titled “Asset Inventory: The Foundational Elements in OT/ICS Site Security,” and it is presented in association with Hexagon’s Asset Lifecycle Intelligence division.
Asset inventory is the foundational step in any OT/ICS cybersecurity programme across different industry sectors. However, there are so many other business initiatives that benefit from a comprehensive inventory, including price and safety, reliability, effectiveness, and sustainability. This podcast will explore the advantages of utilising inventory asset management across the enterprise to make it one of the most powerful tools in your business strategy. In this podcast, we’ll discuss what’s a good OT/ICS asset inventory looks like, how a good OT inventory helps reduce risks and improves plant operations, where common inventory blind spots occur, and how to overcome them. The first episode in this podcast series is available online now, and the third and final episode in the series will follow next month.
I’m pleased to be joined by Edgardo Moreno, executive industry consultant at Hexagon. Edgardo has 20 years of experience in operational technology and six years of experience in OT cybersecurity, first joining Hexagon in 2007, working in a range of positions worldwide.
Hi, Edgardo. Thank you for joining us.
EM: Hello. Hello, Karolin.
KS: I’m very much looking forward to today’s topic. Would you like to say a few words about what we’ll be discussing?
EM: Sure, sure. Thank you for the introduction and thank you for having me. Yes. Today I’m very excited and looking forward to discussing and provide my little grain of advice to the industry in regard to asset inventory, as you mentioned, that foundational element in OT/ICS cybersecurity and how we can leverage on these asset inventory to help or benefit other initiatives like you mentioned, process safety, operational effectiveness, reliability, sustainability and others.
KS: Right. Well, let’s dive straight in. And maybe we can start with a very broad sort of question about the inventory system, and that is why is a well-managed OT/ICS inventory in the oil and gas sector so important?
EM: Yes. Well, first of all, I think there are two aspects to your question I’m going to point out. One is the importance of having an inventory specifically for the oil and gas industry, as you mentioned. But this concept of inventory is essential for every type of industry. Inventory is extremely important because it gives you visibility of the things that you need to take care about and the things that you need to manage in your business. In the specific case of the oil and gas it’s so important because these assets that we have on these industrial facilities are considered to be part of critical infrastructure of a country. So, in order for these facilities to operate safely and efficiently, we need to make sure that all of the assets are protected from incidents independently, whether or not they are cyber related or operational as well related. So, we need to avoid having incidents on any of these assets because they can have very drastic consequences for the safety or environmental or economic perspective as well.
Now the other aspect of the question about well managed basically implies that once that we have the inventory we need to do something meaningful and useful with that inventory. Having a complete inventory and putting it to work and doing something that you need to do is very important. We have companies in you know, probably I’m going to mention that later, but if you don’t document your inventory, basically the inventory is not going to be as useful and as efficient for differing initiatives as you need it to be. It’s very, very important for managing risk and for other initiatives. But putting information, documenting the inventory about what’s the impact for each one of the assets that you have in your inventory for safe operations, for sustainable operations, for obsolescence management, as an example, which is a very important initiative that we see more and more in the oil and gas industry. So, examples as well of how well you need to document your inventory or manage it is what critical functions and processes these assets support or are essential for.
Also, it’s equally important to keep changes and manage changes over the time and making sure that your inventory is up to date and updated accordingly.
KS: Yes, I think you’ve explained that quite nicely what the benefits are here. I’m wondering whether you can mention any specific examples from your client base where somebody has applied a very good OT/ICS inventory system and has prevented a bad situation.
EM: Yeah, very good question. So, I think if you look at the incidents in the industry, specifically in the oil and gas and other industry sectors as well, most of the incidents they have occurred because they didn’t have a good inventory, in my opinion, or they didn’t have visibility of something that was critical for their business and they did not identify that as a critical asset. So that is a good example of not having a well-managed inventory. As an example, having a software is great, a programme that was not considered to be critical or that could have been used as an attack vector. Not having a recording back up for a critical system as well is a good example. You should have a strategy for backing up your critical systems.
So if you look at all the incidents it’s because there was a blind spot, something that was not being managed properly, that was not documented properly, and that did not have enough security controls or mitigation strategies to prevent these type of incidents.
KS: Yes. I think avoiding the blind spots is probably the key message here. And I’m wondering whether you could explain to our listeners who are maybe looking at their own inventories as well, what would a really high-quality OT/ICS inventory look like?
EM: Yes. So, inventory basically is everything that can be of value to an organisation, a very generic term. And that includes not only cyber assets, but people, functions, processes, contractors and, you know, third party supply chains. A lot of different aspects that can be considered as part of your inventory of different things, assets in general. When you go into these cyber assets specifically and these OT/ICS environments, a good inventory in my opinion, all of the software, the hardware, the firmware services account, sensitive data, all of that information that is running on your devices are cyber assets and across different network layers. You know, having an inventory of what assets I have and not having a visibility of what is contained or what information holds these assets is incomplete. And it will not give you the level of detail that you need as an example to make a risk assessment of the asset. That is, in my opinion, what a good inventory is specifically for the cyber assets or their inventory can be referred to a lot of different aspects in the industry, but specifically with ICS cybersecurity and cyber assets that in my opinion are getting it to work.
KS: And specifically in the oil and gas sector, how can a good inventory really help, you know, those risks that operators face out in sometimes very harsh environments?
EM: Yes. So, good point because that’s one of the things that you need inventory for. As I mentioned before, the inventory of the assets that you have, it gives you visibility of what you need to protect or what you need to manage and care about. So, in order to reduce risk, you know, you need to enrich your inventory and document the inventory with information about your business. With this, I mean that you might have an asset operating under, as an example, certain conditions in your business or your organisation that’s of totally different importance and criticality than another area peer in the industry that is using exactly the same asset. So, every business is very particular. Every industry sector has their priorities, their business objectives. So, you need to document the inventory with information that makes that inventory useful for your business.
And managing and reducing risk is all about prioritising critical assets. So, what are my critical assets from the ones that are less critical? That’s what risk management is about. So, I can make decisions where I need to expend my investment, my efforts and resources to bring risk to acceptable level for my business. That’s what all risk management is in a very generic term. So, if I have a dollar, where should I spend a dollar? And if you have an inventory and it lacks documentation, right, it’s not very useful to help reduce the risk because you have no awareness of what your critical assets are, what are the consequences of an asset being attacked or being out of operations for process safety consequences or process safety for cybersecurity and even for the sustainability of the business. So that’s why having an inventory, a well-documented, a well-managed inventory is essential for managing risk as well.
KS: Absolutely. And that definitely takes us back to the blind spots that you mentioned earlier as well. Obviously, those everybody is looking to overcome and avoid. And I was wondering, in your experience, particularly in the oil and gas sector, what are the common blind spots there and how can they be overcome?
EM: Yes. So, these oil and gas industries, these facilities, industrial facilities that we have in the oil and gas sector, specifically in the downstream, you have very old legacy systems, systems that have been operating for more than 20-plus years. These systems that were put in place and they don’t have connectivity to the Ethernet, they don’t have IP addresses behind. So, the fact that they don’t communicate with the modern protocols, depending on the technology that you have to collect that inventory, you might be leaving blind spots because these assets, they cannot be obtained. The inventory from these assets cannot be obtained using network monitoring as an example, and that will leave some blind spots because you just can’t see them using network traffic or network monitoring. They are not connected to the network because they are very old and they don’t support the modern protocols. So that is one example.
Another example is that in the oil and gas industry, you have systems that are very critical from a process safety perspective like safety systems, that’s an example of those, where those systems are very protected and they are sometimes isolated from the network. So, but they are very, very important for the business. So, you need to have visibility of everything that is running on those devices, the changes that are happening with those devices as well. So that’s another example in the oil and gas industry sector.
Some other industries, you know, they have newer systems operating and newer protocols that can be obtained through network traffic. The oil and gas is specifically and very particular, you know, we have very old legacy systems that do not support these newer protocols in the industry.
KS: That’s an interesting point you make actually, and I’m sure, especially in the oil and gas sector, you know, which is a relatively old sector if you want, it’s been around for a long time, the legacy systems can sometimes provide a bit of an extra risk. And I’m wondering from your experience, Edgardo, is most of the sector already at the sort of next step with replacing those legacy systems? Or is that very much still a work in progress?
EM: Yes, very interesting question. So, these legacy systems that are operating in these facilities, unfortunately, and that’s one of the biggest difference from OT, operational technology, and IT. In IT, usually, you know, in the IT world you have computers running operating systems that every three years they are easily replaced. Every three years or four years, you see Microsoft comes up with a new operating system. We just again, we need to upgrade the computers. We do an upgrade, not a problem at all.
In this industrial environment, unfortunately, we cannot apply technology like that, like in ‘90. And that’s one of the biggest differences. These systems have been operating for, as I mentioned, more than 25, 20 years sometimes. And they cost a lot, a lot of money first. And you cannot just disrupt the process to do an upgrade. Upgrades, they have to be planned. They have to be approved. And these are huge investments from the operator owner perspective. They are huge investments to upgrade a system to a newer version to replace all the operator stations is not just doing an upgrade on an operating system.
So that’s an example of the challenges that we have in this area about migrating to newer versions of the systems. Some vendors, they are happy with this system that is being operating and it’s doing its job and they don’t want to move to a very costly investment just to upgrade the system. So those are some of the challenges and you know that I know that we face in the oil and gas industry.
KS: Let’s dig a bit deeper into those challenges. So, you mentioned costs. You mentioned the physicality of the assets being a bit of a hurdle. They’re constantly upgrading to the latest standards. What other hurdles out there that are preventing oil and gas service companies from adopting a more sophisticated OT/ICS inventory management systems?
EM: Yes. So, I mean, I think nowadays every oil and gas company out there, they must have some kind of inventory initiative, some more mature than others, some better managed than others. But, you know, in Excel or relying on the vendor or the integrator to provide that in some kind of work file. So, there is some inventory, that’s clear. I wouldn’t say that a company will not have inventory at all.
But I think the most common challenge is defining what a complete inventory looks like and what are the details. And I’m referring to the previous question, right, that an inventory should have. There are many initiatives, as an example, where they haven’t started covering just the IT infrastructure on the industrial networks. On these industrial networks, ICS networks, we do have some IT infrastructure running on them as well. So, we’ve seen that companies, they want to do a step by step approach and they want to have visibility of those assets first. And this causes issues sometimes specifically on the selection of the technology, because you might select the technology that is not the best fit to collect the data from lower layers on these industrial networks. So, you are collecting first as an example, the IT devices or the IT infrastructure running on the control networks. But then you need to collect the controller network, the instrument level, etc.. So, there are a lot of other devices that cannot be collected using conventional solutions that use conventional IT protocols. That’s what I mean.
So not having a definition of what a good inventory should be or should look like, I think is for me one of the most common challenges in the industry. You have your OT security programme and then you start doing a step by step approach, but without having visibility of what you are looking in the future to have as a good inventory. So that’s one example.
The other challenge that I see is you have differing initiatives sometimes that require the inventory. Some initiatives, they require a better quality inventory than others. But the point that I’m trying to make is that you have disjointed initiatives, each one of them working towards the same goal, having a complete inventory for what seems to be a complete inventory.
So as an example, you might be having a group or a department working on obsolescence management and they need an inventory and they have certain requirements for what an inventory looks like for them, a good inventory looks like. And then you have cybersecurity or OT security department working on another initiative and they have other requirements what good inventory or what’s the first step for an initial inventory. So, you have two different initiatives working on a schedule, which is inventory. And then still you are spending resources, money, time and technology looking for different technologies that at the end of the day, in my opinion, is inefficient to work in that way.
So that comes again to the definition of what you need as a good inventory. And if you can combine as many initiatives as you can and have a common goal as the inventory, in my opinion, that should be a lot more efficient.
KS: Yes. I think that’s an interesting point again. And I’m wondering, you know, the oil and gas sector very much thrives on partnership, you know lots of companies working together on very complex, big project. I’m wondering from your point of view, does that ever, you know, the fact that different companies work off different operating systems, does that ever produce any challenges on project or people working together in terms of them using different systems, having different maybe also, like you said, different definitions of a good inventory system. Is that a problem for the industry?
EM: You have risk management and risk management has different disciplines and you can see operational res, you can see obsolescence management. So, the fact that there is not a common OT security programme or OT risk management programme that includes all these different initiatives that, in my opinion, makes this duplication happen because you have a specific department in charge of an initiative that is very related to another initiative, just like it’s not being decided as strategically as hard these other initiatives. It is very similar or it has aspects of risk management as well that you need to manage. So that, in my opinion, is one of the things that I think prevents initiatives to be combined and consolidated into one big initiative that could be more efficient and more useful to the business and the organisation.
KS: And what would you advise clients who are maybe facing such a situation in terms of how they can overcome this, what’s a good way to work together better with a well-managed inventory system?
EM: Yes. Define, you know, how the inventory can help on different business objectives of the organisation. So, you have your organisation, you have your business objectives. So, let’s say how inventory can fit into each one of these business objectives. And then you can define it from a strategic point of view what initiatives can be combined and consolidated so you don’t duplicate or you don’t start working on silos and getting different technologies, and then you end up with a silos of technology, some of them getting more than others. And you don’t get, you know, best management of your resources of your investment because you are having this joint initiative.
KS: We’re approaching the end of the podcast, but I just wanted to ask, Edgardo, as a last kind of question, it’s always quite nice to have some real life examples of how these systems have improved the things in the oil and gas sector. I was wondering if you could maybe run us through an example from your oil and gas client base where an improved OT/ICS inventory system has really led to better results.
EM: Yes. I’m not going to name customers because that’s probably not allowed. I’m not allowed to probably name customers by names. But we have several customers and clients in the oil and gas and chemical sectors as well where they have defined what’s the level of detail that they need in their only cybersecurity programme. What is it that they are after, you know? And they have identified as well other areas for all these cybersecurity problem. As I mentioned they identified obsolescence management. They have identified that future project extension, for example, needs to also make use of a good inventory. So especially reservations and availability of experts on the field are also equally important. So, they have defined very strategically at a very early stage of the OT security programme or OT risk management programme, what are all the things that they are going to have to look into the future to guarantee just ICS cyber security, obsolescence management, sustainability of the business reliability, safe operations, efficiency, etc. So, they have identified all these requirements at a very early stage and that allows them to go out into the market and look for the right type of solution, minimise the efforts in their initiatives because they have a very well defined idea of what they are looking for. So, you know, they have combined resources as well, investment. Everything is very well optimised to go out on the market and spend the dollars to business on whatever they need to look for to make sure that the inventory they get is good for and very complete for all these different initiatives that I mentioned before.
KS: Right. Thank you very much. It was a nice run through. And in fact, that’s the end of our podcast, Edgardo. Thank you so much for this very insightful run through of what a good OT/ICS asset inventory system looked like.
Thank you all for downloading this episode. Don’t forget to subscribe to PE Live Podcast to get notifications of the next episode and to listen to previous episodes on demand.
EM: Thank you very much, Karolin.
KS: Thank you, Edgardo.