This is the 5th and final instalment in our series on Vulnerability Management (VM) in OT. If you have been following along we have so far discussed:
- An overview of what a VM program looks like (from planning to protection)
- The value of a real-time, automated OT inventory in designing and supporting an OT VM program
- The relative merits of scan- vs. agent-based tools in cataloging and reporting on asset-specific risks
- Patching or Remediation of Risks as defined by an OT environment and its unique challenges
Today we are going to round out the cycle of a Vulnerability Management *Program* by examining the 'monitoring' phase. This one is especially difficult in OT for a number of reasons.
Monitoring can mean a number of things: monitoring the web for new threats, monitoring your assets for changes, or monitoring for reporting on and demonstrating current risk rankings, or even compliance with expected or tolerated risk levels. For the purposes of this post I will focus on the aspects of monitoring as they practically apply to an OT environment and on some of the challenges with current methods and tool sets relative to our agent-based approach. My intent is to show how an OT-specific tool, built by OT for OT, can make significant improvements over current, poorly adapted IT tools.
Let's start simply. There is no shortage of threat intelligence feeds, risk registers and truly professional, capable threat hunters that can tell you all the things you need to worry about. The challenge for OT in using this data to improve insight is in taking the threat details and applying them to your specific assets. This is a challenge on two fronts. First, how many of that specific asset (by OS, software, running service, etc.) do you have, where are they, and are they important?
Remember, in OT not all assets are created equal. A significant risk on a critical asset is a big deal. On the other hand, a network-based attack vector against assets in layer 2 of your architecture might reasonably be delayed or deferred.
The second challenge is in monitoring assets for expected changes. What if the changes are only local to that asset and are never 'communicated' on the network? What if that asset is not 'monitored' at all? Remember that passive detection tools need to hear specific traffic from the asset: if it is not transmitting what you need to hear, or you are not positioned to hear it, you will miss the change. Real-time reporting of specific parameters allows for near-instant visibility, full asset coverage (by asset type and location) and comprehensive monitoring (all aspects of the asset, not just those that happen to be transmitted).
If you recall from our scan- vs. agent-based discussion, there were a number of challenges with scanning, including the detail you could scan for, the assets in scope for scanning and the timing or frequency of scanning. All of these restrictions result in a subset of asset data and risk profiles that begin to age the moment a scan concludes. The alternative, of course, is an agent-based approach, which can provide significantly greater asset detail and be tuned to refresh as frequently as every 10 minutes. So when you are trying to stand up a reporting/monitoring aspect to your risk management, it is clear that a real-time, comprehensive asset profile mapped against known risks would be significantly more accurate, relevant and useful. Taken a step further, as you 'tune' those assets to reduce or remove unnecessary ports, services and software, the 'closed loop' nature of an agent-based approach means that as you remediate risks (either through patching or by applying compensating controls) your real-time risk profile per asset updates accordingly.
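The two points above (matching a threat advisory to the specific assets you actually have, ranking it by each asset's criticality and layer, and then watching the exposure list shrink as services are removed) can be illustrated with a small script. This is an added example, not the product's code, and the inventory, advisory, scoring weights and field names are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    os: str
    services: set          # listening services as reported by the on-host agent
    site: str
    layer: int             # Purdue-style level; lower means closer to the process
    critical: bool         # plant-defined importance, not a generic CVSS input

@dataclass
class Advisory:
    advisory_id: str
    os: str
    service: str
    severity: float        # CVSS-like base score, 0-10
    network_vector: bool   # True if exploitable only over the network

def exposed_assets(inventory, advisory):
    """Answer 'how many of that specific asset do we have, and where?'"""
    return [a for a in inventory
            if a.os == advisory.os and advisory.service in a.services]

def risk_score(asset, advisory):
    """Rank the same advisory differently per asset (assumed weights)."""
    score = advisory.severity
    if asset.critical:
        score *= 2.0
    # Network-only vectors on higher-layer, non-critical assets can be deferred
    if advisory.network_vector and asset.layer >= 2 and not asset.critical:
        score *= 0.5
    return round(score, 1)

def ranked_exposure(inventory, advisory):
    """Exposed assets ordered by risk, highest first: (name, site, score)."""
    hits = exposed_assets(inventory, advisory)
    return sorted(((a.name, a.site, risk_score(a, advisory)) for a in hits),
                  key=lambda t: t[2], reverse=True)

def remediate(asset, service):
    """Closed loop: after the service is removed the agent's next refresh no
    longer reports it, so the asset drops out of the exposure list."""
    asset.services.discard(service)

# Constructed sample inventory and advisory (not real assets or a real advisory)
INVENTORY = [
    Asset("HMI-01", "Windows 7", {"smb", "rdp"}, "Plant A", 2, True),
    Asset("ENG-WS-03", "Windows 7", {"smb"}, "Plant A", 3, False),
    Asset("PLC-GW-02", "Linux", {"ssh"}, "Plant B", 1, True),
]
ADVISORY = Advisory("ADV-EXAMPLE-001", "Windows 7", "smb", 8.0, True)
```

Calling `ranked_exposure(INVENTORY, ADVISORY)` lists the two Windows 7 hosts with SMB, the critical HMI first; after `remediate(INVENTORY[0], "smb")` only the engineering workstation remains, which is the closed-loop update the text describes.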
It is clear that scan-based or passive listening tools provide significant insight and intelligence into pure cyber risk. It is equally clear, however, that when stacked up against an OT environment and its real-world challenges, the value of those tools wanes. By using an agent-based approach which provides detailed asset characteristics in real time, you significantly change your VM capabilities. Closed-loop insight, granular visibility and control, and real-time, actual asset status are just the start, because an agent-based approach also allows you to tune those assets, from identification through remediation to reporting. There is a better solution for VM in OT. I would be more than happy to share more if you are interested. Talk to you soon!