Asset inventory is a significant part of a comprehensive security plan for all organizations. After all, if you do not know what assets you have, then you cannot manage them. Even a small company can amass a surprisingly large number of assets. It is no surprise that accounting for all of these assets can be like chasing a moving target: new and old assets must be accounted for, and decommissioned assets must be removed.

Sometimes, there are assets within assets, such as when a proprietary piece of hardware runs an open source software product. The proprietary nature of such hardware makes it difficult to check whether a particular software component is vulnerable. The opposite is also true, where a chip inside a piece of hardware is vulnerable.

The Challenge of End of Life Announcements

In an industrial environment, the difficulty of asset tracking is compounded by both physical and logical sprawl. One of the greatest challenges arises from End of Life (EOL) announcements from manufacturers. When a manufacturer indicates that a device is no longer within its useful life, no longer meets its intended use, and will no longer be supported, the device should be replaced. Likewise, when vendors no longer provide operating and security updates to products, that should also warrant replacement. Too often, an outdated device possesses the exact weakness required for exploitation, leading to a security incident. This could result in costly downtime. Yet replacement does not always happen.

Industrial equipment is highly specialized and, as such, can incur high maintenance costs. Newer equipment does not guarantee fewer maintenance requirements. That, among other reasons, causes some operators to reason that, if production lines are working fine, there is no need to ...