We have written quite a bit lately about IT-OT convergence and how to address vulnerability management. There has been a lot of writing and discussion over the past several years on detection of threats, but much less on practical ways of protecting control systems. Vulnerability Management is one key aspect to protecting these systems.
To do so effectively, our strong belief is that organizations need to "Think Global, Act Local". By this we mean that you need to find ways to scale the vulnerability analysis, remediation design, and audit, but enable local control over the actions taken on the control systems. In the IT world, the mantra has been to centralize and automate as much as possible. This makes sense, as driving costs down is much more important than the risk of a user's laptop rebooting at the wrong time or crashing while running a spreadsheet. In the world of OT, the risk trade-off is very different, whether that be in a hospital, refinery, power plant or manufacturing line. The downside when a remediation action has a negative impact is significant.
However, the answer is not to train all the OT personnel on vulnerability assessment and prioritization. Doing so while also trying to drive down operating costs is neither affordable nor feasible. The answer must be to combine these locally controlled actions with a centrally scaled analysis, planning and audit group.
We have developed a proven, 4-step architecture to enable IT-OT organizations to "Think Global, Act Local" when it comes to OT Vulnerability Management.
- Conduct OT-Safe 360-Degree Vulnerability Assessment. The first step is to gather a robust inventory using an agent-agentless architecture that gathers as much data as possible from endpoints and compares that to potential vulnerabilities across multiple data sources such as the National Vulnerability Database, ICS-CERT, etc. Importantly, this should not use scanning methodologies, which can put sensitive OT devices at risk. Further, it should enable complete software visibility to ensure all vulnerabilities are detected, not just those of the OS. And finally, it should provide a full "360-degree" view of the asset so that the analysts can see not only the endpoint vulnerabilities but also the presence of potential compensating controls such as application whitelisting, firewalls, access control, backup status, and configuration settings.
- Consolidate that information into a central analysis database to prioritize vulnerabilities and remediation. Many OT tools remain stuck at the plant or individual site level. IT tools are by nature centralized, but OT tools provided by vendors or traditional OT firms are by nature local. This significantly reduces the efficiency of analysis and planning. A robust, easy-to-use centralized analysis platform allows analysts to prioritize risks not only by vulnerability but also by the criticality of the asset, the presence of compensating controls, and regulatory change management challenges (e.g., validated systems in a pharma facility).
- Centrally develop playbooks for distribution to local facilities. Sites often have very similar vulnerabilities and required remediation actions. The playbooks to remediate can and should be completed by a scaled, skilled team of practitioners. This requires that the tool kit enables central development of playbooks that can be distributed to local sites, rather than centrally run playbooks, which would violate the "act local" component. Too many tools only tell you that a vulnerability exists. It is like the ad for Reputation.com where the dentist just tells you that you have a cavity and you need someone else to actually fix it. We strongly believe the assessment tool should enable you to build actionable playbooks to remediate.
- Locally control action. This final step is critical to "close the loop" of vulnerability management safely. In IT, you can patch or change configurations, GPOs, etc. centrally. But in OT that needs to be done locally. The architecture must allow for playbooks to be distributed to automate the actions, but those actions must remain under the control of plant personnel, so that patches are deployed only when tested and approved, changes are made only during an outage, and so on.
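To make the four steps concrete, the following Python sketch is an added example (not Verve's code or product logic) of the "Think Global, Act Local" split: inventory-based matching and scoring happen centrally, playbooks are built centrally per vulnerability, and execution is gated by a local approval record. The assets, software versions, vulnerability feed entries and CVE identifiers are all constructed placeholders, and the control-credit weights are an assumption chosen for illustration, not a published scoring scheme.

```python
"""Central scoring and playbook generation with a local execution gate.
Added illustration of the four-step architecture; not Verve's code.
Every asset, version, control weight and CVE id below is constructed."""

# Constructed inventory, as an agent/agentless collector might report it.
# "software" is the full installed-software list (not only the OS) and
# "controls" lists compensating controls observed on the endpoint.
ASSETS = [
    {"id": "hist-01", "site": "plantA", "criticality": 3,
     "software": {"ExampleHMI": "4.1", "WinOS": "2016"},
     "controls": {"whitelisting", "firewall", "backup"}},
    {"id": "eng-ws-07", "site": "plantA", "criticality": 2,
     "software": {"ExampleHMI": "4.1"}, "controls": {"backup"}},
    {"id": "scada-srv", "site": "plantB", "criticality": 3,
     "software": {"ExampleHMI": "4.0"}, "controls": set()},
]

# Constructed vulnerability feed; the ids are placeholders, not real CVEs.
VULNS = [
    {"id": "CVE-0000-EXAMPLE1", "product": "ExampleHMI",
     "affected": {"4.0", "4.1"}, "cvss": 9.8, "vector": "network"},
    {"id": "CVE-0000-EXAMPLE2", "product": "WinOS",
     "affected": {"2016"}, "cvss": 7.8, "vector": "local"},
]

# Assumed mitigation credit per compensating control, keyed by attack vector.
# Backups get no credit: they aid recovery but do not block exploitation.
CONTROL_CREDIT = {"network": {"firewall": 0.3}, "local": {"whitelisting": 0.3}}


def assess(assets, vulns):
    """Steps 1-2: match the endpoint inventory against the feed and score.
    Matching is purely inventory-based, so no scan traffic reaches a device.
    Score = CVSS x asset criticality, reduced by credited controls."""
    findings = []
    for a in assets:
        for v in vulns:
            if a["software"].get(v["product"]) in v["affected"]:
                credit = sum(c for ctl, c in CONTROL_CREDIT[v["vector"]].items()
                             if ctl in a["controls"])
                findings.append({
                    "asset": a["id"], "site": a["site"], "vuln": v["id"],
                    "score": round(v["cvss"] * a["criticality"] * (1 - credit), 2)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def build_playbooks(findings):
    """Step 3: one centrally authored playbook per vulnerability, listing the
    assets at each site it should be distributed to (it is never run centrally)."""
    books = {}
    for f in findings:
        pb = books.setdefault(f["vuln"], {"action": f"apply vendor fix for {f['vuln']}",
                                         "targets": {}})
        pb["targets"].setdefault(f["site"], []).append(f["asset"])
    return books


def run_locally(playbook, site, approval, now):
    """Step 4: the site decides. A target is applied only if plant staff have
    tested and approved the playbook and `now` (ISO-8601 string) falls inside
    their maintenance window; otherwise it is deferred with the reason kept
    for the central audit trail."""
    results = {}
    for asset in playbook["targets"].get(site, []):
        if not approval.get("tested"):
            results[asset] = "deferred: not tested at site"
        elif not approval.get("approved"):
            results[asset] = "deferred: awaiting plant approval"
        elif not (approval["window"][0] <= now <= approval["window"][1]):
            results[asset] = "deferred: outside maintenance window"
        else:
            results[asset] = "applied"
    return results


if __name__ == "__main__":
    findings = assess(ASSETS, VULNS)
    books = build_playbooks(findings)
    window = ("2024-01-06T02:00", "2024-01-06T06:00")   # constructed outage window
    approval = {"tested": True, "approved": True, "window": window}
    print(findings)
    print(run_locally(books["CVE-0000-EXAMPLE1"], "plantA", approval, "2024-01-06T03:00"))
```

Note that `assess` ranks the unprotected `scada-srv` above the more critical historian that sits behind a firewall, which is exactly the compensating-control context the 360-degree view is meant to supply, and that `run_locally` never fires an action on the strength of the central ranking alone.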
To succeed in managing OT vulnerabilities, organizations will need both to gain the efficiencies offered by "Thinking Globally" and to ensure the safety of critical systems by "Acting Locally". The tool architecture you choose should enable this duality to ensure efficiency as well as safe operations.
Please read more about Verve's Closed-Loop Vulnerability Management.