Data Enrichment: The Key to Minimizing IoT/OT Risk
Once the primary domain of manufacturing, logistics, and healthcare organizations, IoT/OT technologies have made their way into practically every industry, from schools and retail outlets to hotels, government organizations, and more.
While IoT/OT technology is outstanding for operational efficiency and unlocking new opportunities, it has also created headaches for IT and security teams. Not only do organizations now have vastly more assets to worry about, but they’re also hard to maintain, monitor, and secure.
In short, the rapid adoption of IoT/OT technology has left many organizations with major blind spots that pose significant security risks. Even worse, since IoT/OT devices are frequently relied on for critical operations, the consequences of disruption are potentially devastating.
So, what can organizations do to illuminate these blind spots?
IT Blind Spots are Far From New
As complexity has risen in business IT environments, so have blind spots.
When an organization has thousands (even tens or hundreds of thousands) of devices, it becomes tough to keep track of them all. Unsurprisingly, these blind spots create a big problem for cybersecurity teams—if you don’t know something exists, you can’t ensure there are tools, policies, or controls in place to protect it. The antidote to IT blind spots is visibility, and IT departments have been fighting this particular battle for decades.
In 1989, the original version of the IT Infrastructure Library (ITIL) was released. It specified practices for IT activities, including IT Service Management (ITSM) and IT Asset Management (ITAM). At this point, the primary concerns of IT departments were:
- Delivering IT services efficiently and effectively
- Adhering to financial requirements
Since this was all long before the advent of network-connected operational technology—and before the Internet was much more than a fringe consideration for most organizations—IT departments concerned themselves with obtaining visibility of more traditional devices (desktops, laptops, servers, etc.) and software.
This information was stored in a Configuration Management Database (CMDB), a term originating from the ITIL framework. IT departments used it to support the delivery of IT operations and services. After all, they couldn’t reasonably expect to deliver good service if they weren’t aware of all of their organization’s IT assets.
So, did it work? Well… kinda.
IT quickly became the business enabler, and organizations started adopting new and more disparate technologies—and replacing outdated technologies—at an incredible rate. This made it extremely difficult to keep track of IT assets… and IT departments fought a valiant rearguard action to keep their CMDBs as close to the current reality as possible.
Ultimately, at any given moment, most organizations would have been forced to admit there were at least some IT assets they didn’t know about.
IoT/OT Devices: Blind Spots on Steroids
Fast-forward to today and organizations face two additional complications:
- Cybersecurity is now the driving force behind IT Asset Management (ITAM)
- IoT/OT devices have caused the scale and complexity of IT environments to skyrocket
While most organizations still have a reasonably accurate picture of their traditional IT hardware, their IoT/OT profile is a different prospect altogether. Connected devices have been adopted at an incredible rate, and their additional complexity and frequently unusual technology profiles have made cataloging and tracking them functionally impossible for IT departments.
The consequences of an incomplete picture of an organization’s IoT/OT profile include:
- Unknown vulnerabilities
You can’t protect assets you can’t see. That includes patches—if you’re lucky enough to have one available—and any other potential ways to mitigate vulnerabilities.
IoT/OT devices are infamous for using unusual, proprietary, and outdated operating systems, making them a tough cybersecurity proposition. Organizations typically use a variety of tools and techniques to secure these devices—including targeted segmentation and micro-segmentation—but these options are only possible when the organization is aware of all assets.
- Increased vulnerability risk
Vulnerabilities in IoT/OT assets may remain open and exploitable for months or years simply because nobody knows how to act on them. This creates persistent cyber risk and leaves the organization open to cyberattacks that could severely disrupt operations or result in a data breach. Also, even old vulnerabilities can become riskier (more exploitable) overnight because someone, somewhere, has decided to focus on them or weaponize them.
- Security tools, controls, and policies may not cover IoT/OT devices
Most organizations have dozens of tools, controls, and policies designed to protect IT assets from cyberattacks. However, a lack of IoT/OT visibility means there is a high chance these devices are not protected in the same ways as other IT assets.
- Attacker dwell time
Unknown vulnerabilities and lack of security coverage of IoT/OT devices don’t just leave them open to attack—they also mean there’s a high chance they could become infected or otherwise compromised without the security team’s knowledge.
IoT/OT devices may become compromised and stay compromised for a long period, allowing attackers to dwell within the organization’s IT environment undetected. This gives attackers time to harvest large amounts of data or move laterally through the network to reach further assets, creating greater risk of operational disruption (e.g., caused by ransomware), data theft, and more.
Data Enrichment: Securing IoT/OT Requires More Than Visibility
While IT operations have improved greatly since the 1980s, most organizations still rely on a CMDB tool to manage digital assets. Naturally, the first step in addressing IoT/OT risk is to update the CMDB with all connected device records.
However, since IoT/OT devices are far less standardized than traditional IT assets, simply knowing about each device isn’t enough. An additional step is required: using data enrichment to update IoT/OT device records with contextual information to help IT and security teams understand, maintain, and protect them from cyber threats.
Data enrichment is the process of updating a dataset with supplemental information. In an IoT/OT context, it’s about continuously updating and improving the record of every connected device with a range of contextual, technical, and activity data and intelligence. This gives IT and security teams a better understanding of each device, as well as a clear picture of the wider IoT/OT environment.
Data Enrichment Priorities for IoT/OT
There are three categories of contextual information that are crucial for IoT/OT security:
- Activity data
This is data relating to each device’s status and operation. It includes information such as location, last seen status, active vulnerabilities, whether it’s supported by the manufacturer, current software versions, availability of patches, frequency of use, asset owner, and more.
- Software Bill of Materials (SBOM) data
IoT/OT devices run on software, which is often “built” using various open-source libraries and dependencies. These libraries can—and frequently do—contain vulnerabilities, which may already be known or may be newly discovered over time.
When a new vulnerability is discovered in a software component or dependency, it can cause IoT/OT devices using these dependencies to become vulnerable—i.e., not only does the vulnerability exist within a device, but it is exploitable in the real world. If you don’t have visibility of any vulnerabilities that may be exploitable on each device, your organization is exposed to risk.
Worse, the risk created by unknown vulnerabilities cannot be mitigated by patching a device or through the use of security tools, controls, or policies—because nobody will know to do so.
- Data enrichment from IT and security tools
Finally, an organization’s IT and security tools will contain a wealth of contextual intelligence about any asset connected to the network—including IoT/OT devices. Through integrations, this information can be used to enrich device records, providing additional context for IoT/OT operations and security. Tools that frequently include valuable information include:
- Identity and Access Management (IAM)
- IP Address Management (IPAM) and DHCP
- ITSM and CMDB tools
- Computerized Maintenance Management System (CMMS)
- Enterprise Asset Management (EAM)
- SIEM and SOC tools
- Network Access Control (NAC)
- Cyber Threat Intelligence (CTI) platforms and feeds
Combined, these integrations ensure a complete, contextual understanding of every IoT/OT device along with any potential threats and vulnerabilities, allowing organizations to ensure smooth operations and implement suitable security controls.
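A minimal illustration of the three enrichment sources above, added here as an example and not taken from Asimily or the article: base CMDB records are merged with constructed SBOM, IPAM/DHCP, NAC and manufacturer-support data, and a constructed component advisory is then triaged against the enriched records. Every device identifier, version, address and the advisory itself is made up.

```python
# Added example (not Asimily's code): all device records, SBOMs, IPAM/NAC data
# and the advisory below are constructed.
# Base CMDB records: the "we know it exists" level of visibility.
CMDB = {
    "dev-001": {"model": "infusion-pump-x", "owner": "biomed"},
    "dev-002": {"model": "plc-line-3", "owner": "plant-ops"},
    "dev-003": {"model": "ip-camera-lobby", "owner": "facilities"},
}
# SBOM per model: (component, version) pairs from the manufacturer's SBOM.
SBOM = {
    "infusion-pump-x": [("busybox", "1.30.1"), ("openssl", "1.0.2u")],
    "plc-line-3": [("lwip", "2.1.2")],
    "ip-camera-lobby": [("busybox", "1.36.0"), ("openssl", "1.0.2u")],
}
# Activity and tool data: IPAM/DHCP address, NAC VLAN and last-seen age,
# manufacturer support status and the fixed firmware version, if any.
IPAM = {"dev-001": "10.20.1.15", "dev-002": "10.30.7.2", "dev-003": "10.40.0.9"}
NAC = {"dev-001": {"vlan": "clinical", "last_seen_days": 1},
       "dev-002": {"vlan": "ot", "last_seen_days": 0},
       "dev-003": {"vlan": "guest", "last_seen_days": 40}}
SUPPORT = {"infusion-pump-x": {"supported": False, "patch": None},
           "plc-line-3": {"supported": True, "patch": "fw-2.1.3"},
           "ip-camera-lobby": {"supported": True, "patch": "fw-5.2"}}

def enrich(device_id):
    """Merge CMDB, SBOM, IPAM, NAC and support data into one device record."""
    base = CMDB[device_id]
    rec = {"id": device_id, **base, "ip": IPAM.get(device_id),
           "sbom": SBOM.get(base["model"], [])}
    rec.update(NAC.get(device_id, {"vlan": None, "last_seen_days": None}))
    rec.update(SUPPORT.get(base["model"], {"supported": None, "patch": None}))
    return rec

def triage(advisory, records):
    """For each device whose SBOM contains the advisory's vulnerable component,
    pick the action the enriched record supports: patch, or segment if no patch."""
    bad = {(advisory["component"], v) for v in advisory["vulnerable_versions"]}
    findings = {}
    for rec in records:
        if not bad.intersection(rec["sbom"]):
            continue  # component not on this device: not affected
        if rec["supported"] and rec["patch"]:
            action = f"apply {rec['patch']}"
        else:
            action = f"no patch: isolate or micro-segment VLAN {rec['vlan']}"
        if rec["last_seen_days"] is not None and rec["last_seen_days"] > 30:
            action += f" (silent for {rec['last_seen_days']} days, confirm presence)"
        findings[rec["id"]] = action
    return findings
```

Calling `triage({"component": "openssl", "vulnerable_versions": ["1.0.2u"]}, [enrich(d) for d in CMDB])` flags dev-001 for segmentation (unsupported, no patch) and dev-003 for patching with a note that NAC has not seen it for 40 days, while dev-002 is untouched because its SBOM does not contain the component. Without the SBOM and support enrichment, the same advisory would only tell you that "some devices might be affected".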
Benefits of IoT/OT Data Enrichment
When an organization has complete visibility of its IoT/OT devices and its records are fully enriched with the necessary contextual information—something very few organizations have—it can realize a series of operational and security benefits. These include:
- Faster investigation of cyber incidents. Complete visibility of IoT/OT devices makes it possible to monitor all digital assets 24/7/365 and detect anomalies, threats, and concerns.
- Understand each device’s metadata and capabilities. This helps with everything from finding and prioritizing new vulnerabilities to eliminating weaknesses by making changes to devices or device groups.
- Easy compliance with security and financial requirements. When you have a complete document of record for all digital assets, it becomes vastly easier to ensure and report on compliance with cybersecurity and financial regulations.
- Manage device maintenance and patching. Understanding each device’s software components, services, OS versions, and applications makes it easy to identify when and where patches should be applied to mitigate risks or improve performance and functionality.
- More options for risk mitigation. Since many IoT/OT devices can’t be patched, having a detailed understanding of each device is also essential to support alternative mitigation methods such as configuration changes, micro-segmentation, and targeted segmentation.
Of course, since many organizations manage thousands of IoT/OT devices, the data enrichment process can’t be manual—it must happen automatically and continuously.
Understand and Secure Your IoT/OT Devices with Asimily
IoT/OT devices often come with significant security concerns, such as outdated operating systems, strange configurations, proprietary software, and more. It’s frequently difficult to fix these issues directly with patches, as they are often unavailable, unsupported by the manufacturer, or would impact a device’s intended operation.
To make matters worse, acquiring the information discussed in this article can be challenging. Actively scanning IoT/OT devices can result in device malfunction or failure—clearly, not an option for most organizations utilizing these technologies.
Asimily makes it easy to maintain an updated and fully data-enriched inventory of all IoT/OT devices that is aggregated, deduplicated, and normalized. This inventory is maintained continuously using passive network scanning techniques that don’t affect device operation or functionality.
To find out more about how Asimily can help your organization safely, efficiently, and reliably build and maintain a continually updated, data-rich view of all your IoT/OT devices, download our white paper, IoT Device Security in 2024: The High Cost of Doing Nothing. To get started immediately, contact us today.