Dennis Hackney

Technology Categorization, The Key to Asset Management

Updated: Dec 20, 2023

Cost-effective Operational Reliable Efficient, C.O.R.E. Technology Security Series


Cost-effective Operational Reliable Efficient CORE Technology Security involves only what is required to manage technology risks specific to each organization, no more and no less. By emphasizing CORE, declare the objectives and build to those objectives. Regarding security, CORE enables organizations to have 100% accurate asset inventories, proactively manage vulnerabilities, detect threats to each technology, respond to exploits (accidental or otherwise), and maintain business operations while recovery activities are underway. CORE Technology Security starts by categorizing 100% of the organization's technologies.


Word to the wise: Organizations should emphasize efforts to complete CORE Technology Inventories over all other new security spending. Where budgets are limited, spend all capital security budgets on inventorying and solutions until inventories are complete, easy to manage, and sustainable.


Technology Categorization

Categorize the technologies that you manage to assign each one a value that is meaningful to the organization. For this value to have a bearing on the scope and scale of security applied, it must incorporate something unique to the technology itself, the process(es) it supports, and the organization. Start with the details about the organization, then capture the technologies, and wrap it up by tying each technology to its mission or business purpose.


CORE Organization Characteristics

Identify the organization’s critical infrastructure sector and subsector, geographical region, grouping, and location to manage technology risks. This information is CORE to what the organization does, where it operates, and applicable regulations. Collect this information to ensure technology risks are managed appropriately.

  1. Critical infrastructure sector

  2. Geographical region

  3. Location

Each CORE organization characteristic identifies outside factors that influence risk management decisions. Competent threat actors focus on industries, regions, and locations where organizations operate in targeted attacks. Additionally, regulators are location-based and industry-based. In this manner, regulation and threats can be correlated within technology inventories to identify risks quickly and accurately.


Examples of CORE organization characteristics for the industry sector, region, and location will be described later in this series.


CORE Technology Characteristics

Identify the hardware, software, and connectivity to characterize technologies adequately. Focus on technology characteristics that most commonly have vulnerabilities and have the possibility of exploitation. With this information, organizations can avoid security waste by overspending on unnecessary safeguards that do not apply to the technologies in the inventories.

  1. Identification

  2. Hardware

  3. Operating System

  4. Connectivity

Each CORE technology characteristic is vulnerable to exploitation and may be tied to existing and future Common Vulnerabilities and Exposures (CVE). Virtualization, where used, can exist on-premises or in the Cloud. With off-the-shelf technologies, only the manufacturer and model are needed to identify vulnerabilities. Subsequently, each CORE technology characteristic can be secured in specific ways to protect it from exploitation.


CORE technology characteristics' CVEs and protection methods are applied to hardware, software, and connectivity, which will be described later in this series.


CORE Process Characteristics

Identify process criticality, confidentiality, and capability to evaluate technologies adequately. These CORE 3Cs simplify the traditional cybersecurity triad, confidentiality, integrity, and availability (CIA) by combining integrity and availability into "Criticality" while adding additional overlooked "Capability" criteria (i.e., whether technologies can control the physical world). Focus on the types of data or actions for which the organization utilizes each technology.


Collect this information to ensure the appropriate valuation methodology is applied.

  1. Criticality

  2. Confidentiality

  3. Capability

Each CORE process characteristic identifies a value that the organization applies to its technologies. Additionally, each CORE process characteristic can be used to prioritize assets in the inventory against one another.


Enabling Technology Categorization

CORE Organization, Process, and Technology Characteristics enable the CORE Technology Security program by including the fundamental information necessary to understand vulnerabilities, value, and risks, all within the inventory. A strategy is required to prepare and collect this fundamental information, along with clearly defined processes to ensure consistency and the usability desired to manage security within the organization. Apply the following to ensure successful technology categorization.


Organizational Data Collection

Whether for-profit, not-for-profit, or government, every organization uses technologies to support its enterprise mission. These organizations are regulated and threatened differently, depending on how they have operated in the past, and continue to work according to future outlooks. Because of this, we have to characterize each organization uniquely.


Organizational Strategies Involve Executive Vision

The Cybersecurity & Infrastructure Security Agency (CISA) is a well-funded US-based government organization with cybersecurity experts and has developed Sector-Specific Plans for each Critical Infrastructure Segment. The Department of Homeland Security (DHS) indicates that it will enforce these plans in the future as cybersecurity regulation strengthens in the United States. Additionally, employees who raise concerns about their organizations' lack of participation are protected from retaliation by the Occupational Safety and Health Administration through the Whistleblower Protections.


Each technology-responsible team should go to the CISA Critical Infrastructure Sectors website and identify the industry sector or sectors that the company operates in according to the steps below.

  1. Identify the primary critical infrastructure sector where the organization operates, sells, distributes, or supports, as in the examples below.

    1. Chemical

    2. Commercial Facilities

    3. Communications

    4. Critical Manufacturing

    5. Dams

    6. Defense Industrial Base

    7. Emergency Services

    8. Energy

    9. Financial Services

    10. Food and Agriculture

    11. Government Facilities

    12. Healthcare and Public Health

    13. Information Technology

    14. Nuclear Reactors, Materials, and Waste

    15. Transportation Systems

    16. Water and Waste Water

  2. Using the same list, identify other potential critical infrastructure sectors to be reviewed against technologies later.


Some organizations will find identifying the sector more difficult than others. For example, the Maritime industry enables many other sectors, is responsible for billions of dollars of annual revenues, and includes a global merchant fleet of over 100,000 vessels transporting everything from medical supplies to fossil fuels. However, there is no Maritime critical infrastructure sector. In this case, by examining each sector, one can find that Maritime is part of the Transportation Systems Sector.


For organizations that operate in multiple sectors, record each sector that the organization operates in, sells to, distributes to, or supports to be later tied to the technologies in the inventory. The reality of which sectors are essential to the organization will be apparent by correlating industry sectors with the technologies in the inventory. For CORE Technology Inventory purposes, focus on one primary sector per technology.


Geographical Regions Provide Jurisdiction

Organizations operate, sell to, distribute to, or support industries in one or multiple geographical regions. Executives in each organization will be aware of where they are regulated, taxed, and tariffed because these are key to ensuring a balanced financial structure. Including region listings in inventories becomes increasingly necessary when identifying regulations around data storage, processing, and transmission and focuses detection activities around region-specific threats based on targeting statistics, which may also be tied to jurisdiction over criminal investigations.


Each technology-responsible team should go to the DHS Geographic Regions website to determine which geographical regions apply by following the steps below.

  1. Identify the primary region where the organization is headquartered, as in the examples below.

    1. Africa

    2. Asia

    3. Caribbean

    4. Central America

    5. Europe

    6. North America

    7. Oceania

    8. South America

  2. Using the same list, identify other regions where the organization operates, sells, distributes, or supports using technologies.


Regions are relatively easy to identify based on office and target market locations. Record each region the organization operates in, sells to, distributes to, or supports to be later tied to the technologies in the CORE Technology Inventory. The reality of which regions to correlate to technologies will become apparent during the inventory exercise. To avoid later difficulties, allow multiple regions to be entered per technology.


Locate All Technologies in the Organization

Every organization is responsible for ensuring that technologies used by employees, customers, or third parties to conduct its business operations are accounted for. Every organization should have 100% complete inventories, including infrastructure, software, and platforms provisioned in the Cloud. Subsequently, the best way to ensure full control over the hardware is to include the location down to the room where it is installed.


Each technology-responsible team should locate every hardware device in its inventories by following the steps below.

  1. Identify which technologies exist in the Cloud and record the following information.

    1. Cloud provider

  2. Physically locate all hardware the company has installed on its premises or leased spaces and collect the following information.

    1. Country

    2. Province or State

    3. City or Township

    4. Building

    5. Room

    6. Cabinet

Location is critical to maintaining control over an organization's technologies, yet it is often not given the resourcing and budget it deserves. In addition to security, having accurate inventories enables all technology-related business processes, including but not limited to hardware replacement, upgrades, management of change, audits, access restrictions, power consumption, use studies, etc.


Summarizing Organizational Characteristics

When updating inventories, collect the information required for the CORE technology characterization or be doomed to repeat the inventory more than once. The good news is, in addition to manual means, many software products today automate inventory collection and storage, making the maintenance of inventories much more efficient. The first, complete inventory will be primarily manual; however, once the inventory is accurate, determine if an automated solution is right for you by evaluating the automated solution's capabilities to detect devices in the organization's environment and allow users to quickly and easily search out assets based on the CORE technology characteristics identified in this write-up.


Technology-Specific Data Collection

According to all security standards, regulations, and laws, organizations are responsible for uniquely identifying each technology asset, describing those assets, and inventorying CORE technology characteristics of its assets. Most of the technology-specific data can be captured by automated means by either running scripts or utilizing an automated inventory solution. To enable this portion of the data collection, start by adequately identifying each device.


Start By Identifying All Technology Assets

Technologies, servers, workstations, networking devices, etc., all have an individual place in the networks, each representing a platform for manageable performance, maintenance, and security. Each technology in the CORE Technology Inventory should be uniquely identified as a technology "asset" representing a resource with value to the organization.


Each technology-responsible team should develop a standard for naming assets. It is critical to name assets meaningfully to expedite inventory reviews and make sense of them during maintenance, compliance, assessments, and audits. The Asset ID may combine the following elements: Location, Group, Hardware type, and Service Type.


A hypothetical example:

  • KCMO_DCS_SVR_HMI_001 (LOCA_GRP_HWT_SVT_NUM)

    • Location: Kansas City, Missouri – KCMO

    • Group: Distributed Control System (DCS)

    • Hardware Type: Server (SVR)

    • Service Type: Human Machine Interface (HMI)

    • Number: 001

The asset IDs might not match your assets' fully qualified domain name or the name applied in the firmware or operating system. Include the separate hostname in the CORE Technology Inventory.


Be warned: Some organizations try to name assets securely by obfuscating the critical information in the name. By obscuring the technologies in inventories, organizations will realize marginal security value while adding a great deal of administrative burden during activities like maintenance, compliance, assessments, and audits, which might not be worth the effort or the cost. Safeguard the inventories by encrypting them. Please do not waste time, effort, and money making them unusable by attempting to obfuscate the entries.


Each technology-responsible team should capture CORE identification information in inventories by following the steps below.

  1. Determine the hardware type first, as in the examples below

    1. Server, Workstation, Laptop, Mobile, Firewall, Router, Switch, Gateway, Programmable Logic Controller (PLC), Remote Terminal Unit (RTU), etc.

    2. Each organization should develop a list of CORE hardware types to account for all items in inventories.

  2. Next, identify the service type as in the examples below

    1. Database, web, email, proxy, Active Directory, name server, Dynamic Host Configuration Protocol (DHCP), file server, hypervisor, Human Machine Interface (HMI), Engineering Workstation (EWS), Safety Instrumented System (SIS)

    2. Do not mix up or combine hardware types and service types.

    3. As in the examples above, a hardware type would be a server, while the service type could be EWS.

  3. Apply a grouping methodology.

    1. The groups will become evident once the inventory is complete.

    2. Filter through the inventoried items and look for similarities in functionality, location, applications or software, or support teams and decide which grouping method works best for the technologies in each organization.

    3. A Distributed Control System (DCS) is an excellent example of a grouping because it comprises multiple hardware and service types and is generally located in one location.

    4. Examples include Financial Management Systems, Enterprise Resource Planning, Business Intelligence, Security Operations Center, etc.

All assets should now have a unique identification method, simplifying maintenance, security, and technology management.
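
An added example, not part of the original article: a validator for the LOCA_GRP_HWT_SVT_NUM naming standard that also flags swapped hardware and service types, duplicate IDs, and missing hostnames. The code lists and sample rows are constructed for illustration; only KCMO, DCS, SVR, HMI, EWS, SIS, PLC, RTU and DHCP come from the article.

```python
import re
from collections import Counter

# Organization-defined code lists (assumed values; replace with your own standard).
LOCATIONS = {"KCMO"}                                   # Kansas City, Missouri
GROUPS = {"DCS", "ERP", "SOC"}                         # ERP and SOC codes are constructed
HARDWARE_TYPES = {"SVR", "WKS", "LAP", "FWL", "RTR", "SWT", "PLC", "RTU"}
SERVICE_TYPES = {"HMI", "EWS", "SIS", "DB", "WEB", "DHCP", "HYP"}

# The article says not to mix hardware types and service types,
# so the two code lists must never share a code.
assert not (HARDWARE_TYPES & SERVICE_TYPES)

ASSET_ID = re.compile(
    r"^([A-Z]{3,4})_([A-Z0-9]{2,4})_([A-Z0-9]{2,4})_([A-Z0-9]{2,4})_(\d{3})$"
)


def parse_asset_id(asset_id):
    """Split an asset ID into its five named elements, or return None."""
    match = ASSET_ID.match(asset_id)
    if not match:
        return None
    keys = ("location", "group", "hardware_type", "service_type", "number")
    return dict(zip(keys, match.groups()))


def validate_asset_id(asset_id):
    """Return a list of problems with one asset ID (empty list means valid)."""
    fields = parse_asset_id(asset_id)
    if fields is None:
        return ["does not match LOCA_GRP_HWT_SVT_NUM"]
    problems = []
    if fields["location"] not in LOCATIONS:
        problems.append(f"unknown location code {fields['location']}")
    if fields["group"] not in GROUPS:
        problems.append(f"unknown group code {fields['group']}")
    hwt, svt = fields["hardware_type"], fields["service_type"]
    if hwt in SERVICE_TYPES:
        problems.append(f"service type {hwt} used in the hardware type position")
    elif hwt not in HARDWARE_TYPES:
        problems.append(f"unknown hardware type code {hwt}")
    if svt in HARDWARE_TYPES:
        problems.append(f"hardware type {svt} used in the service type position")
    elif svt not in SERVICE_TYPES:
        problems.append(f"unknown service type code {svt}")
    return problems


def audit_inventory(rows):
    """rows: list of (asset_id, hostname). Returns {asset_id: [problems]}."""
    counts = Counter(asset_id for asset_id, _ in rows)
    findings = {}
    for asset_id, hostname in rows:
        problems = validate_asset_id(asset_id)
        if counts[asset_id] > 1:
            problems.append("asset ID is not unique")
        if not hostname:
            # The hostname is recorded separately because it may differ from the ID.
            problems.append("hostname not recorded")
        if problems:
            findings[asset_id] = problems
    return findings


# Constructed sample inventory rows: (asset ID, hostname).
SAMPLE_ROWS = [
    ("KCMO_DCS_SVR_HMI_001", "dcs-hmi01.example.internal"),
    ("KCMO_DCS_HMI_SVR_002", "dcs-hmi02.example.internal"),   # types swapped
    ("KCMO_DCS_PLC_SIS_001", ""),                             # hostname missing
    ("kcmo-dcs-svr-hmi-3", "dcs-hmi03.example.internal"),     # wrong format
    ("KCMO_ERP_SVR_DB_001", "erp-db01.example.internal"),
    ("KCMO_ERP_SVR_DB_001", "erp-db02.example.internal"),     # duplicate ID
]

if __name__ == "__main__":
    for asset_id, problems in audit_inventory(SAMPLE_ROWS).items():
        print(asset_id, "->", "; ".join(problems))
```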


Here are some examples of the unique technology identities in the CORE Technology Inventory.

There is no difference in the CORE Technology Inventory between Information Technologies (IT), Operational Technologies (OT), and mobile devices, as they are all essential to the organization, have vulnerabilities, and are subject to regulation and threats. Those responsible for managing these technologies will need to be able to search for them in their inventories in the same, meaningful way.


Hardware is Made up of Devices with CORE Computing Components

The ability to compute ties these technologies together both characteristically and literally. Each of these computer technologies is made up of standard components, regardless of brand, manufacturer, or purpose. These components are also useless without a program or software component. Programs reside in drivers, firmware, or operating systems, are vulnerable to malfunction or exploitation, and are tracked as Common Vulnerabilities and Exposures (CVE). Once added to inventories, each vulnerable component is easier to correlate with CVEs when necessary to manage security. For these reasons, we collect this information about an organization's hardware.


Each technology-responsible team should capture CORE hardware information in inventories by following the steps below.

  1. Note if the technology is virtualized or physical.

    1. Virtualized technologies may exist in public or private clouds or be installed on-premises in an organization's virtual environment.

    2. The physical server and network-attached storage devices provide the correlation necessary for vulnerability and exploit mapping later.

  2. Capture the hardware manufacturer for each technology.

    1. This information can be used later to correlate a manufacturer's mitigations to CVEs when they arise.

    2. Organizations should avoid building in-house technologies, wherever possible, to prevent a lack of support.

    3. If in-house, expect to build a support and maintenance function to respond to component CVEs.

    4. Virtualized technologies should list the Asset ID for the Storage device (i.e., Network Attached Storage) where each host is installed.

    5. List the organization's Cloud tenant for technologies stored in the Cloud.

  3. Capture the model for each technology.

    1. This information can be used later to correlate a manufacturer’s mitigations, per model, to CVEs when they arise.

    2. Having the model number allows all device-specific components to be correlated without physically reviewing the technology.

    3. Virtualized technologies should list the Asset ID for the Hypervisor device (i.e., ESX, Hyper-V, etc.), where each host is provisioned.

    4. List the organization’s Cloud hypervisor for technologies installed in the Cloud.

  4. Capture the wireless network(s) (WIFI) internet protocol (IP) address(es) and each connected media access control (MAC) address.

    1. IP addresses help to identify technologies on the organization’s networks.

    2. MAC addresses help to identify which interfaces are tied directly to assigned IP addresses.

    3. Examples of WIFI entries are entered as "MAC: IP."

    4. If more than one IP address exists, capture all addresses in the same field with a delimiter (i.e., ";" or "," or "|")

  5. Capture the ethernet-wired IP address(es) and the connected MAC addresses.

    1. IP addresses help to identify technologies on the organization's networks.

    2. MAC addresses help to identify which interfaces are tied directly to assigned IP addresses.

    3. Examples of wired entries are entered as "MAC: IP."

    4. If more than one IP address exists, capture all addresses in the same field with a delimiter (i.e., ";" or "," or "|")
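
An added example, not part of the original article: a parser for the "MAC: IP" field format described in the steps above, accepting any of the three delimiters and reporting addresses recorded against more than one asset. The asset IDs, MAC addresses and IP addresses are constructed sample values.

```python
import ipaddress
import re
from collections import defaultdict

DELIMITERS = re.compile(r"[;,|]")
# A MAC address itself contains colons, so match its six octets first and
# treat only the colon that follows them as the "MAC: IP" separator.
ENTRY = re.compile(r"^([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\s*:\s*(\S+)$")


def parse_interface_field(field):
    """Parse one WIFI or Wired inventory field.

    Returns (entries, errors): entries is a list of (MAC, IP) tuples with the
    MAC normalized to upper-case colon notation; errors lists rejected items.
    """
    entries, errors = [], []
    for raw in DELIMITERS.split(field):
        item = raw.strip()
        if not item:
            continue
        match = ENTRY.match(item)
        if not match:
            errors.append(f"{item!r}: expected 'MAC: IP'")
            continue
        mac = match.group(1).replace("-", ":").upper()
        try:
            ip = ipaddress.ip_address(match.group(2))   # IPv4 or IPv6
        except ValueError:
            errors.append(f"{item!r}: invalid IP address")
            continue
        entries.append((mac, str(ip)))
    return entries, errors


def find_shared_addresses(inventory):
    """Return {address: [asset IDs]} for any MAC or IP listed on several assets.

    A shared address is a prompt to review the inventory rows involved:
    one of them is usually stale or mistyped.
    """
    seen = defaultdict(set)
    for asset_id, field in inventory.items():
        entries, _ = parse_interface_field(field)
        for mac, ip in entries:
            seen[mac].add(asset_id)
            seen[ip].add(asset_id)
    return {addr: sorted(ids) for addr, ids in seen.items() if len(ids) > 1}


# Constructed sample: asset ID -> contents of the Wired field.
WIRED = {
    "KCMO_DCS_SVR_HMI_001":
        "00:1A:2B:3C:4D:5E: 10.20.1.15; 00-1a-2b-3c-4d-5f: 10.30.1.15",
    "KCMO_DCS_LAP_EWS_001":
        "00:1A:2B:3C:4D:60: 10.20.1.15 | 00:1A:2B:3C:4D:61: fe80::1",
    "KCMO_DCS_PLC_SIS_001":
        "00:1A:2B:3C:4D:62: 10.20.1.300",
}

if __name__ == "__main__":
    for asset_id, field in WIRED.items():
        print(asset_id, parse_interface_field(field))
    print("shared:", find_shared_addresses(WIRED))
```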

Software Controls the Hardware

All computing hardware requires a basic input-output system (BIOS), sometimes called firmware, to manage component addressing and drivers. On top of the firmware, computing technologies have Operating Systems (OS) and additional sandbox environments to run interconnected and interactive applications. Microsoft Windows, Mac OS, and Linux-based operating systems are the most commonly used in most organizations for business operations.

These systems interact directly with hardware and provide the sandboxes for application software, making them the essential software to identify in the CORE Technology Inventory. This also includes the operating systems of non-traditional computing devices, like those in the Internet of Things (IoT), and mobile operating systems such as iOS and Android.


Each technology-responsible team should capture CORE OS information in inventories by following the steps below.

  • Capture the OS for each technology.

    • Include the highest level of the operating system or firmware installed.

    • Operating System vendors and Original Equipment Manufacturers (OEM) often change their installations' names.

      • Develop and use a standard naming system for OSs (i.e., MSWIN11 = Microsoft Windows 11 Pro, MS Windows 11 Professional, Windows 11 Executive, etc.)

Only CORE information is required for characterization; detailed software lists can be handled under vulnerability management, where, for security reasons, knowing what software is used is more relevant.


Connectivity is the Quickest Way to Exploitability

Connectivity mapping simplifies vulnerability management, possibly the most challenging and often misunderstood function in security programs. In addition to streamlining vulnerability management, proactive threat management is possible by collecting only minimal, relevant information about connectivity. The Common Vulnerability Scoring System (CVSS) is the world-renowned method for measuring the criticality of software vulnerabilities. CVSS uses exploitability metrics based on analyses conducted against each known vulnerability, thereby notifying the public how technologies can be compromised by a threat actor exploiting that vulnerability. The CVSS Attack Vector Exploitability Metric is the CORE way to tie exploitability to connection types in technology inventories. By knowing the attack vectors for each technology, organizations can identify which technologies are easier to access from the Internet, making it even easier to prioritize the deployment of security updates.


  • List out the highest level of connectivity to each technology.

    • The types of connectivity are based on the Attack Vector Common Vulnerability Scoring System (CVSS) Exploitability Metric, including the following options listed from least exploitable to most exploitable.

      • No connection = Physical

      • Serial / non-routable only = Local

      • Routable with no Internet access (i.e., blocked at firewalls) = Adjacent Network

      • Accessible to the Internet, IoT, Cloud = Network

  • Each connection type results in a higher exploitability factor; therefore, if technologies have more than one connection, enter the most exploitable option.

CVSS also includes Attack Complexity, Privileges Required, User Interaction Exploitability Metrics, and Temporal and Environmental metrics. These metrics will be used later to conduct the CORE Exploitability Assessment. Remember that they exist; however, these additional metrics are unnecessary to include in the CORE Technology Inventory for categorization purposes.


Summarizing Technology-Specific Characteristics

This CORE technology data is just the bare minimum required to manage the lifecycle of technologies and prepare for possible cyber-attacks that could occur. This is because technologies have similar essential components, i.e., central processing units (CPU), Random Access Memory (RAM), Read Only Memory (ROM), etc.; however, there are millions of different configurations. What is consistent among all technologies is that they are built using international standards for interoperability and compatibility with common protocols for power and communication. These commonalities lead to similar predisposed conditions within technologies that lead to vulnerabilities. Additionally, in most cases, different hardware vendors use the same firmware and operating systems that are most prevalent in the market, making it extremely rare to have highly customized options installed in organizations. Organizations may still want to gather more information, but before doing so, evaluate the value gained by adding additional rigor to the inventory processes overall.


Business Process Data Collection

Most information technology security personnel are familiar with using the CIA triad, Confidentiality, Integrity, and Availability of Data, to define security control objectives based on the criticality of data. CIA was a concept introduced to the global cybersecurity stage in 2000 by the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 17799, the Code of Practice for Information Security Management. There are two primary shortfalls associated with this approach:

  1. Physical security, operations, and health, safety, quality, and environmental (HSQE) personnel, who are now responsible for computerized technologies, are unfamiliar with data protection requirements and have difficulty tying physical security, operational, and HSQE plans to the CIA.

  2. The results of CIA assessments alone do not define the preservation of the physical world, including human safety, quality, and environmental impacts.

Additionally, many government and defense processes view the integrity and availability of data as one component of the CIA that is entirely different than confidentiality. This is because confidential data includes secrets to be held private, while integrity and availability will directly impact the operational mission. Hence, integrity and availability are higher for mission-critical and tactical technologies, whereas confidentiality is more strategic and does not have to be always available. Integrity and Availability, therefore, define Criticality, while Confidentiality stands on its own.


Finally, industrial control systems (ICS) and the operational technologies (OT) that computerize them interact directly with the physical world by heating, pumping, pulling, lifting, spinning, and sensing. The CORE characterization must include a technology's Capability for interaction with the physical world, unbiased of impact, to provide a complete picture.


Enter the CORE 3 Cs, Criticality, Confidentiality, and Capability, to provide a complete view of business impacts due to technology compromises by giving a transparent idea of the scale and scope of a technology-related impact. Another bonus of using the CORE 3Cs is that the CIA rating is still achieved in the process, correlating with existing standards and organizational cybersecurity programs and goals.


Each technology-responsible team should capture CORE Process information in inventories by following the steps below.


Criticality

Criticality defines the scale of a given technology impact in an organization by identifying tactical consequences to a technology (system level), a function (business process level), or the organization (enterprise level).


  • Capture the Criticality of technologies in the organization based on the following criteria.

    • High integrity and high availability (HIHA) – Any loss or manipulation of the technology will immediately impact the organization.

    • High Integrity (HI) – Manipulation of the technology will immediately impact the function, not the organization.

    • High availability (HA) – Loss of the technology will immediately impact the function, not the organization.

    • Not critical (NC) – Loss or manipulation of the technology only immediately impacts the technology; functionality persists.

This criticality rating process is not new; it is derived as a hybrid of US Department of Defense Mission Assurance Categories (MAC) and the "Organization-Wide Risk Management Approach" in the National Institute of Standards and Technology (NIST) Special Publication 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations. These data and the Criticality results align with most business impact analysis processes.


Confidentiality

Confidentiality defines strategic impacts on the organization if unauthorized people exploit, breach, and compromise technologies. Keep this simple by considering personal privacy, trade secrets, intellectual property, financial futures, etc. The Confidentiality rating is directly proportional to an organization's tolerance for loss due to regulatory fines, potential legal fees, litigation costs, payouts, loss of reputation and shareholder confidence or market share, loss of contract and customer credits, etc.

  • Capture confidentiality using the following criteria.

    • Restricted technologies only allow explicit user access based on the organization's need-to-know determination procedures.

    • Internal use-only technologies allow access to employees and trusted 3rd parties.

    • No restriction technologies are open to the public.

Confidentiality tolerances will need to be determined by each organization to ensure the loss is completely understood and agreed upon. Each organization may decide its tolerances based on operations revenue, etc. Do not overcomplicate the Confidentiality rating in the CORE Technology Inventory by adding more ratings. The three ratings described here can be applied to all situations and are sufficient to make CORE Technology Security decisions. For example, governmental contract organizations that store, process, or forward contract information will treat that data as Restricted, just like trade secrets when applying security safeguards.


Capability

Technologies that can manipulate or interact with the physical world might cause health, safety, environmental, quality, or operational impacts with dire consequences such as loss of human life or damage to equipment if compromised. These technologies are often referred to as Operational Technologies (OT) to distinguish them from Information Technologies (IT), which function to manage data instead. For years, organizations have struggled with which data to capture in inventories to identify OT versus IT rapidly and how much OT can be compromised to cause physical impacts. The results typically include having separate lists for IT versus OT.


Capability is a CORE technology characteristic that simplifies the CORE Technology Security by quickly distinguishing technologies' capabilities without separating OT from IT inventories. This is so simple. For example, if a technology in the inventory is identified as a Control device, organizations instantly know to treat it differently than one with no capabilities. This CORE practice results in complete management of the IT-OT convergence in an organization.

  • Capture Capability using the following criteria.

    • Control technologies manipulate the physical world (i.e., motor controllers or Programmable Logic Controllers (PLC) connected to pump motors)

    • Monitor technologies sense the physical world (i.e., PLCs used for speed or pressure sensors or IoT sensors)

    • Data technologies have no capabilities to interact with the physical world.

Organizations with process safety teams are often familiar with process hazard analysis (PHA) exercises, which identify vital automated and manual safeguards to mitigate safety risks. These PHAs can be a wealth of knowledge to correlate with CORE Technology Inventories to complete Capability entries. Additionally, do not forget to include building controls like automated door and elevator controllers in this inventory.
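
An added example, not part of the original article: one inventory record type that stores the most exploitable connection as a CVSS Attack Vector alongside the CORE 3Cs, recovers the CIA view from them, and ranks assets against one another. The connection labels, the sort order (Attack Vector, then Capability, Criticality, Confidentiality) and the sample assets are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Attack Vector values, least to most exploitable, as listed under connectivity.
AV_ORDER = ["Physical", "Local", "Adjacent Network", "Network"]
# Assumed short labels for the four connection types described in the article.
CONNECTION_TO_AV = {
    "none": "Physical",
    "serial": "Local",
    "routable-internal": "Adjacent Network",
    "internet": "Network",
}
# The article does not rank HI against HA, so they share a rank here.
CRITICALITY_RANK = {"NC": 0, "HA": 1, "HI": 1, "HIHA": 2}
CONFIDENTIALITY_RANK = {"No restriction": 0, "Internal use-only": 1, "Restricted": 2}
CAPABILITY_RANK = {"Data": 0, "Monitor": 1, "Control": 2}


def most_exploitable(connections):
    """Reduce all of an asset's connections to the single value to record."""
    vectors = [CONNECTION_TO_AV[c] for c in connections] or ["Physical"]
    return max(vectors, key=AV_ORDER.index)


@dataclass
class Asset:
    asset_id: str
    connections: list
    criticality: str
    confidentiality: str
    capability: str

    def __post_init__(self):
        # Reject ratings outside the fixed CORE lists instead of growing them.
        checks = (
            (self.criticality, CRITICALITY_RANK, "criticality"),
            (self.confidentiality, CONFIDENTIALITY_RANK, "confidentiality"),
            (self.capability, CAPABILITY_RANK, "capability"),
        )
        for value, allowed, name in checks:
            if value not in allowed:
                raise ValueError(f"{self.asset_id}: invalid {name} {value!r}")
        unknown = set(self.connections) - set(CONNECTION_TO_AV)
        if unknown:
            raise ValueError(f"{self.asset_id}: unknown connection {sorted(unknown)}")

    @property
    def attack_vector(self):
        return most_exploitable(self.connections)


def cia_rating(asset):
    """Recover the CIA view from the 3Cs: Criticality carries I and A."""
    return {
        "confidentiality": asset.confidentiality,
        "high_integrity": asset.criticality in ("HI", "HIHA"),
        "high_availability": asset.criticality in ("HA", "HIHA"),
    }


def priority_key(asset):
    return (
        AV_ORDER.index(asset.attack_vector),
        CAPABILITY_RANK[asset.capability],
        CRITICALITY_RANK[asset.criticality],
        CONFIDENTIALITY_RANK[asset.confidentiality],
    )


def prioritize(inventory):
    """Asset IDs ordered from highest to lowest priority (assumed ordering)."""
    return [a.asset_id for a in sorted(inventory, key=priority_key, reverse=True)]


def reachable_control_assets(inventory):
    """Control-capable assets that can be reached over a routable network."""
    return [
        a.asset_id for a in inventory
        if a.capability == "Control"
        and a.attack_vector in ("Adjacent Network", "Network")
    ]


# Constructed sample inventory.
INVENTORY = [
    Asset("KCMO_DCS_SVR_HMI_001", ["serial", "routable-internal"],
          "HIHA", "Internal use-only", "Control"),
    Asset("KCMO_DCS_PLC_SIS_001", ["serial"], "HIHA", "Internal use-only", "Control"),
    Asset("KCMO_ERP_SVR_WEB_001", ["routable-internal", "internet"],
          "HA", "No restriction", "Data"),
    Asset("KCMO_DCS_RTU_SNS_001", ["internet"], "NC", "Internal use-only", "Monitor"),
    Asset("KCMO_DCS_LAP_EWS_001", [], "HI", "Restricted", "Data"),
]

if __name__ == "__main__":
    for asset_id in prioritize(INVENTORY):
        print(asset_id)
    print("control and reachable:", reachable_control_assets(INVENTORY))
```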


Technology Categorization Example

The result of categorization is a CORE Technology Inventory listing organizational, technological, and process-related information for each device. This example includes a fictional control system network in the Energy sector with descriptions of each element in the inventory. The example system is below.


Technology-responsible personnel have followed the CORE processes explained in this document and collected the following information.

  1. The fictional organization exists in the Energy critical infrastructure sector and North America.

  2. Four locations exist: the Control Room, Plant, Field, and OT Cloud.

  3. Solid lines in the example identify routable networks, of which there are CRM_NET, PLT_NET, CLD_NET, IOT_NET, and FLD_NET.

Asset Identification in the Example

Each technology was numbered for clarification and identified, as shown below.


Notice that most technologies exist on the organization's premises except for the "OCL_ISS_SVR_SAS_001" Device. This server exists in the Cloud to support the "PLA_PCR_ISN_SPD_001" IIoT speed sensor. Additionally, "PLA_PCR_ISN_SPD_001" is a firewall provided by the IIoT Speed Sense solution, rounding up the grouping for IIoT devices. This provides a use case for the grouping attribute.


Examples of Technology Characteristics

This table includes examples of the CORE Technology Characteristics in the sample.


All of the CORE Technology Inventory attributes should be intuitive and have meaning to technology-responsible personnel. In this example, there are no wireless networks. However, there are routable Ethernet networks. Pay close attention to how the networks are added. For example, "CRM_SCA_NET_FWL_001" and "PLA_PCR_NET_RTR_001" are connected to three different networks (CRM_NET, PLT_NET, and IOT_NET), each of which is described in the Wired field. Finally, the non-routable networks are not listed.


Examples of Process Characteristics

What remains to be entered in this section includes Criticality, Confidentiality, and Capability. After following this process, notice how these answers are straightforward.


Connectivity was shown in this example to highlight how it was used to distinguish Internet-connected ("Network") versus internal networking on the IIoT devices and the firewall in the Control room. All technologies that can logically route or connect the IIoT network are listed as Network; however, the Plant router is listed as Adjacent because it is virtually routing.

Criticality is rated per technology and is not determined based on the connections. For example, the Control Room network switch is "High Availability" to ensure the connection to the VFD is up, but only the VFD is both "High Availability" and "High Integrity."


Confidentiality is not typically as important in control networks as Criticality or Capability. Still, note that all technologies, except the engineering workstation, are considered "Internal use-only" by this organization. This does seem appropriate to ensure control network information is not shared with or accessible to the public. The engineering workstation, "PLA_PCR_LAP_EWS_001", has been listed as "Restricted" because it can change the control system, PLC, and VFD programs.


Finally, Capability is easy to determine by looking at the types of devices and their use cases. In this hypothetical example, five technologies can control the physical world: 1. SCADA Server, 2. HMI, 3. Control Server, 4. Variable Frequency Drive, and 5. PLC. By capturing the Capability, organizations can now easily determine how to categorize OT!


Summary

This write-up included the first step to managing technology risks in an organization. With the CORE information captured during the categorization process, vulnerabilities and threats can now be easily tied back to inventories. The output of CORE Categorization is an inventory that only has the necessary information to get the job done.
