The Dreaded Systems Inventory
What is a complete systems inventory, and why is it such a big deal for security?
Every security standard we have, from ISA to ISACA to ISO to NIST, lists the dreaded systems inventory as one of the first security maturity requirements. Yet almost nobody does it right. Why? Because it takes effort, and effort costs money. But for a risk management program to slot those costs into the risk matrix in terms of risk versus benefit, we need to understand what the inventory is and figure out how much it will cost, then decide what, if anything, we should do to address it.
The systems inventory is a list of all the physical and electronic systems in a security scope. All of them. Physical and electronic. Typically there are two lists, one for physical and one for electronic, split across departments, but together they make up the entire systems list for security. It may include some third-party items that are in scope but not within our control, like facility locks.
Yes, the Namebrand combination lock on the janitor closet is included in that list. Yes, the kiosk at the customer service desk is included. Yes, the air conditioning system we don't realize is connected to the network backbone is included. Yes, the smart televisions in the customer service centers are included. Everything. Which is why it's difficult and expensive to do well. Door locks vary from facility to facility, but it matters if we have a risk model that tells us it matters.
The electronic bits that are interconnected are the easiest, because we can run scans to identify everything and even query each system for information. The bits that aren't interconnected are more difficult and may require manual sampling. Build a risk model that includes those areas, note the difficult bits, and determine whether they are important enough to justify individual attention. Most physical security areas can stop at the definition of a "lock layer" and need not identify each lock by manufacturer. The risk model might tell us we need a 5-pin hardened lock, because the time needed at that layer is greater than a common lock can provide. Security is a function of time (h/t Winn Schwartau). The risk model tells us what we need to do.
The big benefit of having a complete list is that when CISA or someone else releases a notification about a particularly nasty vulnerability, as they did recently with a vendor's HVAC controller, we can instantly know whether we need to address it, and speed is everything when it comes to vulnerability disclosures. Not being able to quickly look up our exposure is bad. Not being aware of our exposure at all is perhaps best described as negligence, especially in a regulated segment with defined security requirements that include risk management.
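To make the lookup concrete, here is an added example (not code from the original post) of a minimal inventory that holds electronic and physical entries side by side and answers the question an advisory raises: which assets are confirmed affected, and which ones we cannot answer for because their version was never discovered. The vendor, product and version strings are constructed sample data, and the example assumes plain numeric dotted version numbers.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    asset_id: str
    kind: str                      # "electronic" or "physical"
    vendor: str
    product: str
    version: Optional[str] = None  # None = never discovered (e.g. not scanned)
    location: str = ""


def _vtuple(v: str) -> tuple:
    """'2.10.3' -> (2, 10, 3) so 2.10 sorts after 2.4 (numeric, not lexical)."""
    return tuple(int(p) for p in v.split("."))


def _norm(s: str) -> str:
    """Normalise case and whitespace so hand-typed vendor names still match."""
    return " ".join(s.lower().split())


def match_advisory(inventory, vendor, product, fixed_in=None):
    """Return (affected, unknown): assets of vendor/product with a version below
    `fixed_in` (or any version when fixed_in is None), and assets of that
    product whose version is unknown and therefore need manual verification."""
    affected, unknown = [], []
    for a in inventory:
        if _norm(a.vendor) != _norm(vendor) or _norm(a.product) != _norm(product):
            continue
        if a.version is None:
            unknown.append(a)
        elif fixed_in is None or _vtuple(a.version) < _vtuple(fixed_in):
            affected.append(a)
    return affected, unknown


# Constructed sample inventory; names and versions are placeholders.
INVENTORY = [
    Asset("hvac-01", "electronic", "ExampleCo", "HVAC Controller", "2.3.1", "HQ roof"),
    Asset("hvac-02", "electronic", "ExampleCo", "HVAC Controller", "2.10.0", "Branch 4"),
    Asset("hvac-03", "electronic", "exampleco", "hvac controller", None, "Warehouse"),
    Asset("kiosk-01", "electronic", "OtherVendor", "Service Kiosk", "1.0", "Lobby"),
    Asset("lock-janitor", "physical", "Namebrand", "Combination lock", None, "Janitor closet"),
]

if __name__ == "__main__":
    hit, check = match_advisory(INVENTORY, "ExampleCo", "HVAC Controller", fixed_in="2.4.0")
    print("affected:", [a.asset_id for a in hit])          # ['hvac-01']
    print("verify manually:", [a.asset_id for a in check])  # ['hvac-03']
```

The "unknown" bucket is the point of the exercise: an asset we know exists but never scanned is the gap between "can look up exposure" and "not aware of exposure at all".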
It's worth spending a couple of hours figuring out whether a more complete security systems list is justified. Examine the risks involved and identify where more effort is cost effective, or document why it is not. If risk is balanced against expense, the business gets the best results.
The alternative is uncomfortable.