In our last blog post we examined the value of a comprehensive inventory, which is a fundamental requirement to even start a vulnerability management (VM) program, and looked at the current affinity for passive listening tools as an inventory source. It was pretty clear that a passive tool is a decent first pass at what is online, but it is not really a 'proper inventory', nor does it really get at the risks inherent on the endpoints. Passive tools are not really intended as VM tools anyway, so let's look at what is likely the most popular option: scan-based VM tools.
There are many scan-based VM products on the market. For reference, they usually require that the latest threat intelligence and vulnerability markers are loaded into the application. The application then targets an end device (or set of devices) and scans it. There is a great deal of control over the settings you can adjust to increase or decrease the force and scope of the scan. This is a good thing, because in OT you can't hit thousands of ports with all manner of requests and expect the OT world to stay upright.
So what usually happens in the OT space is that we 'dial down' the scans to much lower volume and much gentler probing, and we usually run them only on redundant systems or only on more 'robust' systems (read: modern, OS-based, non-critical engineering stations or supporting systems such as file servers or historians). Many clients also opt to run these scans only during outage/turnaround windows to further reduce the risk a scan-based approach introduces. These are all very established 'OT safe' practices for bringing IT tools into the OT world (IT/OT convergence, right?).
The challenge, as is often the case, is that the end result is not as effective as we might like it to be. Specifically, under this scenario your OT VM program suffers from:
- Limited scan: by dialing down the 'interrogation' you don't necessarily learn as much about the device as you need to
- Limited systems: by only targeting 'robust' systems you rarely (or never) scan the more fragile, and sometimes more critical, control systems
- Ages instantly: as soon as the scan is done, the data starts to age. If you only run scans with manual oversight, or only during outages, the gap between scans can be quite significant
So what is a practical alternative? Agent-based, real-time OT systems management (OTSM). By putting an agent on OS-based devices while simultaneously profiling network/communications gear and embedded control equipment, you start with a robust and complete inventory. Then you cross-reference that inventory against the National Vulnerability Database (NVD) to reveal the intersection between what you have and what is a known risk. The differences are significant. To recap:
- Limited scan? No longer: the agent can report everything about the endpoint, letting you profile anything you need or want to know about the asset
- Limited systems? Nope: 100%, real-time coverage of all assets means your VM view is complete across your entire OT environment
- Ages instantly? Not at all: since the inventory updates in near real time, you can query your asset base at any moment (on the normal NVD update cycle or by manual polling for emerging/evolving risk) and the data is new, relevant and fresh
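To make the "cross-section" step concrete, here is an added example (not code from the original post or from any OTSM product) of how an inventory collected by agents and profilers can be matched against NVD-style records. The host names, vendor/product names, versions, timestamps and CVE identifiers are all constructed placeholders; only the range field names (`versionStartIncluding`, `versionEndExcluding`, and so on) follow the real NVD CPE match schema. The example also carries the "ages instantly" point through by flagging any finding whose inventory row has not been refreshed recently.

```python
"""Cross-reference a live asset inventory against NVD-style vulnerability records."""
from datetime import datetime, timedelta, timezone

# Constructed "current time" so the example is deterministic.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed inventory rows (hypothetical assets, not real ones). Each row is
# what an OS-resident agent or a network profiler would report: the asset id,
# the installed software, and when the row was last refreshed.
INVENTORY = [
    {"asset": "HIST-01", "vendor": "examplevendor", "product": "historian",
     "version": "4.2.1", "last_seen": NOW - timedelta(minutes=3)},
    {"asset": "EWS-07", "vendor": "examplevendor", "product": "engineering_suite",
     "version": "9.0", "last_seen": NOW - timedelta(minutes=1)},
    # Embedded device last profiled during an outage window: a stale row.
    {"asset": "PLC-12", "vendor": "examplevendor", "product": "plc_firmware",
     "version": "2.8.0", "last_seen": NOW - timedelta(days=40)},
]

# Constructed NVD-style records. CVE ids are placeholders, not real CVEs;
# the "match" keys mirror the NVD CPE match range fields.
NVD = [
    {"cve": "CVE-0000-0001", "cvss": 9.8,
     "match": {"vendor": "examplevendor", "product": "historian",
               "versionStartIncluding": "4.0", "versionEndExcluding": "4.3"}},
    {"cve": "CVE-0000-0002", "cvss": 7.5,
     "match": {"vendor": "examplevendor", "product": "plc_firmware",
               "versionEndIncluding": "2.8.0"}},
    {"cve": "CVE-0000-0003", "cvss": 5.3,
     "match": {"vendor": "examplevendor", "product": "engineering_suite",
               "versionStartIncluding": "10.0"}},
]


def version_tuple(v):
    """Turn '4.2.1' into (4, 2, 1) so ranges compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def in_range(version, m):
    """Apply NVD's four optional range bounds to an installed version."""
    v = version_tuple(version)
    if "versionStartIncluding" in m and v < version_tuple(m["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in m and v <= version_tuple(m["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in m and v > version_tuple(m["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in m and v >= version_tuple(m["versionEndExcluding"]):
        return False
    return True


def cross_section(inventory, nvd, now=NOW, stale_after=timedelta(hours=1)):
    """Return one finding per (asset, CVE) pair, highest CVSS first.

    A finding is marked stale when the inventory row behind it is older than
    stale_after; that is the data-aging problem a real-time inventory removes.
    """
    findings = []
    for row in inventory:
        for rec in nvd:
            m = rec["match"]
            if (row["vendor"], row["product"]) != (m["vendor"], m["product"]):
                continue
            if in_range(row["version"], m):
                age = now - row["last_seen"]
                findings.append({
                    "asset": row["asset"], "cve": rec["cve"], "cvss": rec["cvss"],
                    "inventory_age": age, "stale": age > stale_after,
                })
    return sorted(findings, key=lambda f: -f["cvss"])


if __name__ == "__main__":
    for f in cross_section(INVENTORY, NVD):
        flag = " (inventory stale, re-profile)" if f["stale"] else ""
        print(f'{f["asset"]}: {f["cve"]} CVSS {f["cvss"]}{flag}')
```

Run against the constructed data, the historian at 4.2.1 falls inside the [4.0, 4.3) window and the PLC firmware at 2.8.0 matches the inclusive upper bound, while the engineering suite at 9.0 is below the affected range and produces no finding. The PLC finding is flagged stale because its row dates from an outage window, which is exactly the gap an agent-based, continuously refreshed inventory is meant to close.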
So it is clear, to me at least, that if we embrace established 'IT tools' in the OT space we can make a step change in our coverage and in our ability to respond and protect: IT and OT convergence providing real-time, comprehensive coverage with instant VM status. And we haven't even discussed mitigation yet! That will be our next blog, so stay tuned!