There was a simpler time, not so long ago, when no one really had to worry about securing their operational technology (OT) devices; a time when you could enjoy all the benefits of connectivity and remote access, without the ‘muss and fuss’ of secure passwords or firewalls.
Those days are gone. As Fred Gordy so powerfully writes for FacilitiesNet, “Devices are now in the hacker’s crosshairs.” If that isn’t on your radar, you’re already behind.
I recently wrote about understanding cybersecurity in the context of building automation systems. Cybersecurity can seem overwhelming, but the National Institute of Standards and Technology (NIST) framework is a fantastic way to break down key security elements.
Of course, each piece in this framework is significant. They all contribute to a safer cybersecurity environment.
But there’s one that I really want to highlight for you: it’s identifying and tracking your assets.
Why asset management?
Asset management is one of the biggest tasks for cybersecurity. At the end of the day, you can set up all the passwords and firewalls and virus scanners you want. But if you don’t know what’s on your network, you can’t protect it. It’s as simple as that.
Yet so many people I talk to are at a total loss as to how to manage their assets. They have out-of-date spreadsheets that no one’s in charge of maintaining. They don’t know how many devices are on their network. And they don’t know where to begin with creating a system to keep track of it all.
How should you start?
You’ll almost certainly go through some trial and error to find a workflow that suits your organization. It won’t happen overnight. The right system depends on the size of your network, the criticality of your services, how closely the IT and OT departments work together, and many other factors.
As one example, Princeton University manages devices through a process to assign IP addresses. Anyone who wants to install a new device has to fill out a form and submit it to the central IT organization. This form specifies what the device is, where it will be located, and other pertinent details. From there the central IT organization assigns the IP address, sets up VLANs, and does whatever else is necessary to get the device up and running. Learn more about how Princeton manages devices and IP addresses.
That’s an excellent way to empower everyone to take part in managing assets without the process becoming a scattered array of spreadsheets and out-of-date lists. For your organization, it might look different. Maybe you have asset management software that everyone collaborates on, or a spreadsheet that one person owns. The important thing is to start developing an asset management process.
I know, asset management is a behemoth of a project. (That’s why so many people don’t do it!) Even so, getting a handle on your assets is worth it. Of course, asset management will help make your team more efficient: you can manage maintenance schedules and budgets, or find and troubleshoot devices much faster. But cybersecurity should be your biggest motivator to dust off your device lists.
I urge you to ask yourself: do you know about every piece of hardware and software on your network? Do you have an up-to-date record of all those assets? And do you know who has access to them, physically or remotely? If you can’t answer those questions, today’s the day to start changing that.
Originally published on Automated Buildings.