In new asset inventory guidance, the Cybersecurity and Infrastructure Security Agency, National Security Agency, Federal Bureau of Investigation and partners emphasize the importance of proactive planning, collaboration between IT and operational technology teams, and integration of cutting-edge technologies that can help organizations stay ahead of potential cybersecurity and operational threats.
The guide, released Aug. 13, outlines the steps for developing an OT asset inventory and taxonomy, and what's needed to ensure their ongoing reliability when securing critical infrastructure.
WHY IT MATTERS
An OT classification system that organizes and prioritizes OT assets based on their function and criticality can enable organizations to better identify which assets in their environment need to be protected and, then, structure their defenses to reduce the risk of a cybersecurity incident disrupting their operations.
In healthcare IT, this is an unsung priority, experts say. Katie Moussouris, Luta Security's CEO and founder, advises healthcare organizations of all sizes to ensure they understand all their assets.
"You'd be surprised at how quickly ransomware threat actors will take advantage of the fact that you don't know what you have, but they do," she told Healthcare IT News in May.
While CISA and its partners in the Joint Cyber Defense Collaborative were largely focused on the energy and utilities in developing the "Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators" guide, the agency advises all critical sectors to create an asset inventory and OT taxonomy, which provides a classification methodology for components and systems and helps organizations make more informed technology decisions.
The asset inventory, a comprehensive and regularly updated list of an organization's systems, hardware and software, enhances efforts to optimize resource allocation, plan maintenance and implement upgrades.
By improving the understanding of the relationships and dependencies between different legacy and cloud assets and processes, organizations elevate their cyber-resilience. Overall, it's an effort that is not only necessary for building a modern defensible architecture but also establishes a framework for enhancing data analysis, according to the guide.
The inventory, which is enhanced by an OT taxonomy – a classification system that organizes and prioritizes OT assets based on their function and criticality – is a multi-step process that involves defining the scope, identifying assets, collecting attributes, creating the taxonomy, managing the data and implementing asset lifecycle management.
Beyond initial creation, it's essential to maintain and use the asset inventory and taxonomy to protect the most vital assets, the agencies say in the guide. This includes integrating them into the organization's cybersecurity and risk management, maintenance, and reliability and performance monitoring. Organizations could also use the inventory and taxonomy for continuous improvement.
Before identifying assets and collecting attributes, organizations must first effectively govern asset management by defining its scope, assigning roles and responsibilities, and identifying the key stakeholders, according to the guide.
The process begins by determining which offices, such as IT, operations and security, will be responsible for creating and maintaining it and then identifying specific roles for data collection and validation.
THE LARGER TREND
Even a well-secured hospital can be compromised through oversight gaps.
Moussouris, who also serves on the National Institute of Standards and Technology's Information Security and Privacy Advisory Board and the U.S. Department of Commerce's Information Systems Technical Advisory Committee, said the lack of asset management puts healthcare cyberdefenses at a disadvantage when responding to a network breach.
Knowing what technologies healthcare organizations have and where they are deployed on their networks is "the key to survival" with cyberattacks in healthcare at an epidemic level, no matter how big or how small an organization is, she said.
ON THE RECORD
"By following the outlined process, organizations can enhance their overall security posture, improve maintenance and reliability, and ensure the safety and resilience of their OT environments," CISA said in its announcement.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.
