There has been a lot of discussion on IT-OT convergence, how to address vulnerability management, and threat detection, but much less discussion on practical ways of protecting control systems. Vulnerability Management is one key aspect to protecting these systems.
To effectively protect assets, the concept of "Think Global, Act Local" emerged to describe the ways to scale the vulnerability analysis, remediation design, and audit, while enabling local control over the actions taken on the control systems.
In the IT world, the mantra has been to centralize and automate as much as possible. This makes sense, as driving costs down matters far more than the risk of a user's laptop rebooting at the wrong time or crashing while running a spreadsheet. In the world of OT, the risk trade-off is very different, regardless of whether you're a hospital, refinery, power plant or manufacturing line. The potential negative impact of a remediation action is significant.
But the solution is not to train all the OT personnel on vulnerability assessment and prioritization. Doing so while trying to drive down operating costs is neither affordable nor feasible. Instead, combine these locally controlled actions with a centrally scaled analysis, planning and audit group.
Four steps to enable IT-OT organizations to "Think Global, Act Local" in OT Vulnerability Management:
Conduct an OT-safe 360-degree vulnerability assessment
Gather a robust inventory using an agent-agentless architecture that collects as much data as possible from endpoints and compares it against potential vulnerabilities across multiple data sources such as the National Vulnerability Database or ICS-CERT. This should not use scanning methodologies, because active scans put sensitive OT devices at risk.
Further, it should provide complete software visibility so that all vulnerabilities are detected, not just those in the OS. And finally, it should provide a full 360-degree view of the asset, so that analysts can see not only the endpoint vulnerabilities but also the presence of potential compensating controls such as application whitelisting, firewalls, access control, backup status, and configuration settings.
Consolidate information into a central analysis database to prioritize vulnerabilities and remediation
Many operational technology tools remain stuck at the plant or individual site level. IT tools are centralized by nature, but OT tools provided by equipment vendors or traditional OT firms are by nature local. This significantly reduces the efficiency of analysis and planning. A robust, easy-to-use centralized analysis platform allows analysts to prioritize risks not only by vulnerability but also by the criticality of the asset, the presence of compensating controls, and regulatory change management constraints (e.g., validated systems in a pharmaceuticals manufacturing facility).
Centrally develop playbooks for distribution to local facilities
Sites often have very similar vulnerabilities and required remediation actions. The playbooks to remediate them can and should be written by a scaled, skilled team of practitioners. This requires a toolkit that enables central development of playbooks which are then distributed to local sites, rather than centrally run playbooks, which would violate the "act local" component. Too many tools only tell you that a vulnerability exists. Ever seen the Reputation.com commercial where the dentist informs you of a cavity, but you need to go elsewhere to fix it? Your assessment tool should enable you to build actionable playbooks to remediate.
Locally control action
The final step is critical to safely "close the loop" of vulnerability management. In IT, you patch or change configurations centrally, but in OT it needs to be done locally. The architecture must allow playbooks to be distributed so that the actions can be automated, while those actions remain under the control of plant personnel, ensuring that patches are deployed only once tested and approved, or that changes are made only during an outage.
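The four steps above can be expressed as a small workflow: match a passively collected inventory against an advisory feed, score findings by CVSS, asset criticality and compensating controls, and then let a plant-side gate decide whether a centrally authored playbook may run. The following Python is an added illustration, not code from the article or from any vendor's product; every host, version, advisory ID, CVSS score and weighting below is a constructed placeholder chosen for the example.

```python
"""Added example (not the article's or any vendor's code): a minimal
'Think Global, Act Local' vulnerability workflow. All assets, versions,
CVSS values and advisory IDs are constructed placeholders, not real data."""
from dataclasses import dataclass, field
from datetime import datetime

# --- Central side: inventory reported by agent/agentless collectors (constructed) ---
INVENTORY = [
    {"host": "hmi-01", "site": "plant-a", "criticality": "high",
     "software": {"ScadaView": "3.1", "OpenSSL": "1.0.2"},
     "controls": {"whitelisting", "firewall"}},
    {"host": "eng-ws-02", "site": "plant-a", "criticality": "medium",
     "software": {"ScadaView": "3.1"}, "controls": set()},
    {"host": "hist-01", "site": "plant-b", "criticality": "low",
     "software": {"OpenSSL": "1.1.1"}, "controls": {"backup"}},
]
# Advisory feed in the shape of an NVD/ICS-CERT style record (placeholder IDs, not real CVEs)
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "product": "ScadaView", "affected": {"3.0", "3.1"}, "cvss": 9.8},
    {"id": "ADV-PLACEHOLDER-002", "product": "OpenSSL", "affected": {"1.0.2"}, "cvss": 7.5},
]
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}   # assumed weights
# Each compensating control present on the asset lowers its priority score (assumed discounts).
CONTROL_DISCOUNT = {"whitelisting": 0.25, "firewall": 0.15, "backup": 0.05}


@dataclass
class Finding:
    host: str
    site: str
    advisory: str
    product: str
    cvss: float
    score: float = 0.0


def match_vulnerabilities(inventory, advisories):
    """Central analysis: compare collected software versions against the feed.
    Nothing here touches a device; only previously gathered inventory is read."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            version = asset["software"].get(adv["product"])
            if version in adv["affected"]:
                findings.append(Finding(asset["host"], asset["site"], adv["id"], adv["product"], adv["cvss"]))
    return findings


def prioritize(findings, inventory):
    """Score = CVSS x asset criticality, discounted by compensating controls present."""
    by_host = {a["host"]: a for a in inventory}
    for f in findings:
        asset = by_host[f.host]
        discount = sum(CONTROL_DISCOUNT.get(c, 0.0) for c in asset["controls"])
        f.score = round(f.cvss * CRITICALITY_WEIGHT[asset["criticality"]] * (1 - min(discount, 0.9)), 2)
    return sorted(findings, key=lambda f: f.score, reverse=True)


# --- Playbook: authored centrally, executed only under local control ---
@dataclass
class Playbook:
    advisory: str
    steps: list          # ordered remediation steps written by the central team
    needs_outage: bool   # True when the change cannot be applied to a running system


@dataclass
class LocalGate:
    """Plant-side policy: nothing runs without site approval, and outage-only
    playbooks run only inside an approved maintenance window."""
    site: str
    approved_advisories: set = field(default_factory=set)
    maintenance_window: tuple = None   # (start, end) datetimes, or None

    def in_window(self, now):
        return self.maintenance_window is not None and \
            self.maintenance_window[0] <= now <= self.maintenance_window[1]

    def decide(self, playbook, now):
        if playbook.advisory not in self.approved_advisories:
            return "deferred: not yet tested/approved by plant"
        if playbook.needs_outage and not self.in_window(now):
            return "deferred: outside maintenance window"
        return "run"


def run_playbook(finding, playbook, gate, now, executed_log):
    """Simulated execution: each step becomes an audit-log entry instead of a real action."""
    decision = gate.decide(playbook, now)
    if decision == "run":
        for step in playbook.steps:
            executed_log.append(f"{now.isoformat()} {finding.host} {playbook.advisory}: {step}")
    return decision
```

The central team owns `match_vulnerabilities`, `prioritize` and the `Playbook` definitions; the plant owns the `LocalGate` instance, so the same playbook can be pushed to every site while each site decides when, or whether, it runs. The returned decision strings double as the audit trail the central group needs to close the loop.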
To succeed in managing OT vulnerabilities, organizations need to gain the efficiencies offered by "Thinking Globally" and ensure the safety of critical systems by "Acting Locally". The tool architecture you choose should support this duality to deliver efficiency as well as safe operations.