Using Enterprise Asset Management Systems To Protect Critical Infrastructure
By Graham Drinkwater and Edward Liebig
In this post, we will tie together threads from two previous posts. The first is about Enterprise Asset Management (EAM) systems and how they have built a major IT component into tasks that most people don't associate with IT, such as maintenance of industrial equipment. That post focused on Maximo, a leading EAM product, but the points we make here will apply to any EAM system.
The other post addressed the security challenges of industrial control systems (ICS), which automate much of our critical infrastructure and, when connected to the Internet, become targets for cyber attack. Businesses seeking agility and reductions in operating costs -- both financial and environmental -- are increasingly implementing "smart" systems and, in the process, are connecting ICSs to the Internet without mitigating the concomitant risk. Our ICS security post was prompted by an article in the Washington Post last June (part of its Zero Day series) that focused on the growing black market for zero-day vulnerability information. As a natural segue, the series highlighted ICS vulnerabilities and the dangers that zero-day exploits represent.
Here's the connection. Industrial control systems are often found in environments managed by EAM systems. And these EAMs can be a great aid in securing ICSs.
The most vexing ICS security problems are associated with old industrial plants, which account for much of the critical infrastructure in the United States. For example, the newest oil refinery in the country is about 40 years old. The equipment, software and control systems in that refinery constitute a network, but it is a network that evolved decades before the modern information systems that comprise the LAN/WAN in the same plant, and it is not resilient to modern threats and attack techniques. Nevertheless, the old network does its job very well, and replacing it would be a very expensive proposition.
It is not possible to secure the ICS in the same way that the LAN/WAN is secured, for reasons that may justify a separate post. However, the first challenge in ICS security is to understand where these devices are, what they are, and how they operate. Old ICSs cannot be "discovered" or "mapped" with the usual network management tools. Their documentation may consist of only the original hand drawings. There may be no record of upgrades to software or firmware.
However, an old plant is probably managed with the help of an EAM system. That system and the maintenance tasks it generates can be leveraged to create an ICS map. This can be done by piggy-backing on regular maintenance tasks. The EAM system generates a schedule for maintenance of every machine in the plant. When a technician is deployed to maintain a particular machine, that occasion can be used to record details about the ICS hardware and software, such as make, model and software patch version. The technician may need additional training, but that's a minor investment of resources compared to other ways of accomplishing the same end.
The information captured by the technician can be recorded in the EAM system, along with whatever additional documentation may exist for the device. When this has been done for all ICSs, the system will be able to generate a comprehensive ICS map. The map provides the necessary starting point for assessing the value of each ICS and the appropriate investment in its protection.
Then, and only then, security experts can begin to think intelligently (and creatively, if necessary) about how to achieve the necessary level of protection for each device. Here again, an EAM system can help. Once ICS details have been entered into the EAM system, these devices can be managed just like other assets. Maintenance schedules and records can be established. When a new vulnerability is discovered, the system can identify any ICS to which it may apply.
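The matching step described above, as an added example that is not from the original post or from any EAM product: asset records holding the make, model and firmware version captured by technicians are checked against a new advisory. The record fields, the advisory parameters and every sample value are constructed assumptions; a device with no usable firmware record is flagged for inspection rather than assumed safe.

```python
from typing import NamedTuple, Optional

class IcsAsset(NamedTuple):      # hypothetical EAM record filled in during maintenance
    asset_id: str
    make: str
    model: str
    firmware: Optional[str]      # None = version never captured

def parse_version(text):
    """Dotted numeric version -> tuple of ints; None if missing or unparseable."""
    try:
        return tuple(int(p) for p in text.strip().lstrip("vV").split("."))
    except (AttributeError, ValueError):
        return None

def older_than(have, fixed):
    """Compare after zero-padding, so 2.1 is treated as equal to 2.1.0."""
    n = max(len(have), len(fixed))
    return have + (0,) * (n - len(have)) < fixed + (0,) * (n - len(fixed))

def norm(s):  # fold case and whitespace so hand-typed make/model values still match
    return " ".join(s.lower().split())

def triage(assets, make, model, fixed_in):
    """Map asset_id -> AFFECTED / PATCHED / INSPECT for assets of this make and model."""
    fixed = parse_version(fixed_in)
    if fixed is None:
        raise ValueError(f"unusable fixed_in version: {fixed_in!r}")
    result = {}
    for a in assets:
        if (norm(a.make), norm(a.model)) != (norm(make), norm(model)):
            continue
        have = parse_version(a.firmware)
        if have is None:
            result[a.asset_id] = "INSPECT"    # no trustworthy record: send a technician
        elif older_than(have, fixed):
            result[a.asset_id] = "AFFECTED"
        else:
            result[a.asset_id] = "PATCHED"
    return result

# Constructed sample records (not real products, devices or advisories).
ASSETS = [
    IcsAsset("PLC-0001", "ExampleCo", "XC-200", "2.0.9"),
    IcsAsset("PLC-0002", "exampleco ", "xc-200", "v2.1"),
    IcsAsset("PLC-0003", "ExampleCo", "XC-200", None),
    IcsAsset("PLC-0005", "ExampleCo", "XC-200", "see drawing"),
    IcsAsset("RTU-0104", "OtherVendor", "R7", "1.4"),
]
```

Calling `triage(ASSETS, "ExampleCo", "XC-200", "2.1.0")` separates devices known to be affected from those already patched and from those whose records are too incomplete to decide.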
Bottom line: By using an EAM system to manage an ICS, the accuracy of ICS data is increased multifold while the time required to inspect, risk-assess and maintain the ICS is reduced considerably. So security is increased at the same time that cost factors are decreased. And all this comes from a system that's already in use. Bargains this good don't come along very often.
