Sepio | Blog

Decoding the “Ownership” Anomaly in Asset Risk Management: When the Asset Interface Dictates Security Product.

Asset Risk Management "ownership" anomaly

Introduction

Let’s consider a simple scenario – you have Lexmark printers connected across several locations in your organization through different interfaces. A simple question arises – who determine the risk level for that asset across the organization while its connected using different interfaces.

“Ownership” anomaly #1

Some printers are connected in your OT environment where they are managed by cybersecurity solution A, while others are connected in your IT administrative environment where they are managed by cybersecurity solution B.

Why is that? Why should their risk managed differently? – because the overall approach for years has been to differentiate between the business-critical OT environment (and fortify it) and that of the “standard” IT back-office environment. Significant investments were made to airgap the OT environment, making sure that no one on the outside can disrupt business continuity.

Business risk management wise, I would argue the following – if you are a  in the energy (petrochemicals) sector and your IT infrastructure, responsible for shipments, procurement and logistics is under attack, disabling your ability to ship your gasoline and fulfil your organization’s business mission, then your overall business continuity is disrupted, and the fact that your OT environment is still operational does not actually allow your company to meet its business goals. On a separate occasion, an external subcontractor comes in to debug or upgrade some PLCs/RTUs/HMIs using their external laptop, which is usually connected to the subcontractor’s  IT infrastructure, it’s risk is not managed by the OT  cybersecurity solution, although it has significant impact on the overall risk level.

So having a unified view of all your assets with their respective Asset Risk Factor (ARF) is crucial in generating complete situational awareness to all your risks – without the abstract distinction of IT/OT/IoT.

“Ownership” anomaly #2

An even more strange “ownership” anomaly lies in the fact that the interface in which the Lexmark is connected determines its asset risk management owner.

The same Lexmark printer may be connected to the Internet using different interfaces as it supports – USB, wired Ethernet and WiFi connection. Who then owns it’s asset risk?

If it’s connected over USB, then it is managed by the device control within the XDR.

If it’s connected over wired Ethernet, then it’s up to your NAC/ZTNA/other network security solution.

Lastly, if it’s connected over WiFi, then there’s a third Wireless monitoring solution responsible for it.

You can easily spot the issue here – three different solutions, each with its own, different, risk management scaling scheme, for the exact same asset, operating in silos (assuming the organization has all these solutions in place) is a sure recipe for disaster.

Conclusion

An asset is an asset with certain elements of inherent risk, the fact that it is located within a certain part of the organization or the fact that it is connected through a specific interface, should not change the way we manage this risk.  Converging IT/OT/IoT in your organization and being indifferent to the interface type used by the asset is a key component in better managing the risks related to a certain asset, so that when a new vulnerability is found, getting a quick answer for the questions – Do we have this type of asset? Which interface this vulnerability applies to, would be just a couple of clicks away…

Sepio’s approach

Sepio serves security teams who need to manage risk of their continuously expanding, uncontrolled ecosystem of connected assets and IT departments who do not want to be burdened with complications, noise, or costs.
With Sepio, assets connected by anyone, anywhere, with any usage – or none at all – will have no effect on security and IT teams’ processes and resources.

Sepio leverages the physical layer to provide a new dimension of complete asset visibility with a built-in Asset Risk Factor score. Unleashing the power of the entire asset security ecosystem, we provide actionable visibility and infinite scalability that is critical to asset risk management.
We provide measurable advantages for any IT department seeking to converge their IT/OT/IoT security scheme, reduce hardware clutter, optimize efficiency, and remove redundancy, headache and costs.

July 9th, 2023
Bentsi Ben Atar

Bentsi Ben Atar
CMO, Co-founder

Related Posts

  •
    Passive Network Tapping is Making a Comeback!

    For the past few decades, every CISO and cybersecurity leader knows that encryption provides the fundamental defense layer to data and network traffic. The notion of network encryption (also known as ‘data encryption in transit’) is considered an integral part of the organization ‘security hygiene’. The most popular cybersecurity series of conferences worldwide, the RSA, is named after the RSA public-key encryption technology developed back in 1982. The most popular network encryption – AES – has become a must-have standard for every type of organization. Indeed, as the bulk of the organization’s network traffic is now encrypted by either AES or RSA encryptions, the common attack vector of network tapping has vanished and no longer requires mitigation planning and compensation controls by security leaders.

  •
    They’re Back: How Recent Incidents Validate the Ongoing Rogue Device Threat to Cyber Resilience

    In today’s ever-evolving corporate landscape, interconnectedness reigns supreme. The integration of IT, OT, and IoT domains has transformed traditional tools like laptops and smartphones into indispensable assets, while OT devices have become critical components of corporate networks. Simultaneously, the rise of IoT devices has fueled automation and efficiency, revolutionizing modern workplaces.