Decoding the “Ownership” Anomaly in Asset Risk Management: When the Asset Interface Dictates Security Product.


Introduction

Let’s consider a simple scenario – you have Lexmark printers connected across several locations in your organization through different interfaces. A simple question arises – who determines the risk level for that asset across the organization while it's connected using different interfaces?

“Ownership” anomaly #1

Some printers are connected in your OT environment where they are managed by cybersecurity solution A, while others are connected in your IT administrative environment where they are managed by cybersecurity solution B.

Why is that? Why should their risk be managed differently? Because the overall approach for years has been to differentiate between the business-critical OT environment (and fortify it) and the “standard” IT back-office environment. Significant investments were made to airgap the OT environment, making sure that no one on the outside can disrupt business continuity.

From a business risk management standpoint, I would argue the following – if you are in the energy (petrochemicals) sector and your IT infrastructure, responsible for shipments, procurement, and logistics, is under attack, disabling your ability to ship your gasoline and fulfill your organization’s business mission, then your overall business continuity is disrupted, and the fact that your OT environment is still operational does not actually allow your company to meet its business goals. On a separate occasion, an external subcontractor comes in to debug or upgrade some PLCs/RTUs/HMIs using their external laptop, which is usually connected to the subcontractor’s IT infrastructure; its risk is not managed by the OT cybersecurity solution, although it has a significant impact on the overall risk level.

So having a unified view of all your assets with their respective Asset Risk Factor (ARF) is crucial in generating complete situational awareness of all your risks – without the abstract distinction of IT/OT/IoT.

“Ownership” anomaly #2

An even stranger “ownership” anomaly lies in the fact that the interface through which the Lexmark printer is connected determines its asset risk management owner.

The same Lexmark printer may be connected to the Internet using different interfaces, as it supports USB, wired Ethernet and WiFi connections. Who then owns its asset risk?

If it’s connected over USB, then it is managed by the device control within the XDR.

If it’s connected over wired Ethernet, then it’s up to your NAC/ZTNA/other network security solution.

Lastly, if it’s connected over WiFi, then there’s a third, wireless monitoring solution responsible for it.

You can easily spot the issue here – three different solutions, each with its own, different, risk management scaling scheme, for the exact same asset, operating in silos (assuming the organization has all these solutions in place) is a sure recipe for disaster.

Conclusion

An asset is an asset, with certain elements of inherent risk; the fact that it is located within a certain part of the organization, or that it is connected through a specific interface, should not change the way we manage this risk. Converging IT/OT/IoT in your organization and being indifferent to the interface type used by the asset is a key component in better managing the risks related to a certain asset, so that when a new vulnerability is found, a quick answer to the questions “Do we have this type of asset?” and “Which interface does this vulnerability apply to?” is just a couple of clicks away.
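To make the three-silo problem concrete, here is an added example (not Sepio's code, and not its Asset Risk Factor calculation) that merges per-interface records into one inventory and answers the two questions above. The record fields, serial numbers, risk scales and the use of a shared serial number to correlate records are all assumptions, and the sample data is constructed.

```python
# Constructed sample exports: one printer fleet as seen by three siloed tools.
# Field names, serials and risk scales are hypothetical, not any product's schema.
SOURCES = {
    "usb": [{"serial": "LX-0001", "model": "Lexmark printer", "risk": "high"}],
    "ethernet": [{"serial": "LX-0001", "model": "Lexmark printer", "risk": 3},
                 {"serial": "LX-0002", "model": "Lexmark printer", "risk": 8}],
    "wifi": [{"serial": "LX-0001", "model": "Lexmark printer", "risk": 0.2}],
}

# Each silo scores on its own scale; map all of them onto 0-100.
NORMALIZERS = {
    "usb": lambda r: {"low": 20, "medium": 50, "high": 80}[r],  # device control: labels
    "ethernet": lambda r: r * 10,                               # NAC: 0-10
    "wifi": lambda r: round(r * 100),                           # wireless monitor: 0.0-1.0
}


def build_inventory(sources):
    """Merge per-interface records into one entry per physical asset."""
    inventory = {}
    for interface, records in sources.items():
        for rec in records:
            asset = inventory.setdefault(
                rec["serial"], {"model": rec["model"], "interfaces": {}})
            asset["interfaces"][interface] = NORMALIZERS[interface](rec["risk"])
    for asset in inventory.values():
        # Conservative roll-up: an asset is as risky as its riskiest interface.
        asset["risk"] = max(asset["interfaces"].values())
    return inventory


def affected_assets(inventory, model, interface):
    """Do we have this asset type, and which units use the affected interface?"""
    return sorted(serial for serial, a in inventory.items()
                  if a["model"] == model and interface in a["interfaces"])


def conflicting_scores(inventory, spread=30):
    """Assets whose silos disagree by more than `spread` points after normalizing."""
    return sorted(serial for serial, a in inventory.items()
                  if max(a["interfaces"].values()) - min(a["interfaces"].values()) > spread)


if __name__ == "__main__":
    inv = build_inventory(SOURCES)
    for serial, asset in sorted(inv.items()):
        print(serial, asset["risk"], asset["interfaces"])
    print("WiFi-exposed:", affected_assets(inv, "Lexmark printer", "wifi"))
    print("Silos disagree on:", conflicting_scores(inv))
```

In this sample the same printer, LX-0001, scores 80, 30 and 20 depending on which tool is asked, which is exactly the disagreement that stays invisible while the three tools run in silos.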

Sepio’s approach

Sepio serves security teams who need to manage the risk of their continuously expanding, uncontrolled ecosystem of connected assets and IT departments that do not want to be burdened with complications, noise, or costs.
With Sepio, assets connected by anyone, anywhere, with any usage – or none at all – will have no effect on security and IT teams’ processes and resources.

Sepio leverages the physical layer to provide a new dimension of complete asset visibility with a built-in Asset Risk Factor score. Unleashing the power of the entire asset security ecosystem, we provide actionable visibility and infinite scalability that is critical to asset risk management.
We provide measurable advantages for any IT department seeking to converge their IT/OT/IoT security scheme, reduce hardware clutter, optimize efficiency, and remove redundancy, headache, and costs.

© 2023 SRC Cyber Solutions LLP. All Rights Reserved.