What is vulnerability management?
Vulnerability management in OT/ICS security is the process of identifying, evaluating, treating and monitoring/reporting on software insecurities and misconfigurations of endpoints. If security vulnerabilities are left untreated, they leave an open opportunity for cyber attackers to take advantage.
A full OT vulnerability management program includes:
- Assessing assets for known vulnerabilities
- Prioritizing vulnerabilities based on risk and impact
- Remediating vulnerabilities through software patches, managing configurations or deploying various compensating controls
Vulnerability management is often a complex, manual effort requiring hand-offs and the involvement of many systems. Most devices found in OT/ICS networks are sensitive, so traditional IT vulnerability scanner solutions are not tenable.
There are multiple stages of a vulnerability management framework, some of which are preliminary and some of which recur regularly.
The first stage, Prepare, includes establishing roles and responsibilities and defining corporate policies and procedures for executing a robust vulnerability management program.
There are two significant components of this stage that have the potential to strongly impact an OT environment:
- Define program scope and identify target assets
- Deploy/configure vulnerability scanning solutions
Defining vulnerability management program scope and identifying target assets really speaks to asset inventory. This is something most OT environments struggle to do well.
Asset inventory's role in vulnerability management
A powerful asset inventory management solution is crucial for a successful vulnerability management program and is even more valuable with contextual data. The more you know about each asset, the stronger your analysis, remediation, exceptions and management decisions.
What data types are useful in a vulnerability management program?
Let’s run through a scenario taking a raw vulnerability risk score and applying practical analysis to it in the context of an OT environment:
A vulnerability is identified, and we know its attack vector, severity, complexity to execute and which systems are affected. How do we decide to proceed?
- Is the system at risk critical to operations? (requires system analysis and ranking often called Meta Data or tribal knowledge)
- Is the system hardened? (requires detailed knowledge of the asset characteristics) Is remote access enabled only for administrative accounts?
- Is the system likely to be compromised based on contextual data relative to the attack vector?
- Is this asset in layer one or two, and is it an adjacent network or network attack vector? How about a layer 3.5 asset?
- What if we have a current backup plan, and whitelisting is in enforcement mode?
These types of data sources and the insight they provide are a significant benefit to the analysis and eventual action plan an OT environment requires. But this level of detailed asset information is extremely rare to find because the biggest challenge for any OT security environment is aggregating this information.
Most operating companies have very little asset inventory data. In most cases, asset data is limited to aging spreadsheets or incomplete data from a mix of sources, providing intermittent or spotty coverage.
Many industrial companies turned to passive or network-based listening tools as a first step in compiling an asset inventory. Passive tools are valuable to an extent. Passive anomaly tools do not provide the data needed to build a robust vulnerability management program.
3 ways passive anomaly detection tools fall short in asset inventory:
- Incomplete coverage: A passive listening tool only picks up assets it can "hear", meaning if you don’t have your asset communicating through a specific "listener", its presence will not be detected, thus not included in your asset inventory. Serially connected relays, for example, are highly unlikely to be included in your list of assets. It also means putting "listeners" into all subnets, requiring exponential resources.
- Inaccurate data and characteristics: Passive anomaly listening provides content on what is transmitted. If the endpoints are not tuned to send data, it won’t be captured. This includes firmware, serial numbers, software versions, user accounts, ports and services that are listening. They do pick up a lot of traffic, but not everything. In the end, that is not really the use case they were initially designed for.
- Inability to tune: It is valuable to identify whether systems are working or gather feedback that something is at risk. But it's not enough to simply identify the vulnerability if you cannot manage it. An alert is just that – a warning. Taking action to remediate is impossible with passive anomaly detection tools.
Vulnerability management tools for OT or ICS security
The alternative to passive detection tools is OT-based, real-time inventory tools. They are proven to be safe in OT environments, designed for the unique needs of an operating environment, and are intended to help manage OT endpoints.
Connecting to all asset classes (OS based, Networking and Embedded) provides access to rich data, detailed insights and 100% asset coverage. We openly advocate a combination of agents (on OS-based devices) and OT-safe profiling tools (CIP protocol, SNMP, SSH, etc.) to centrally compile a robust asset inventory.
The user adds knowledge of the asset, such as its criticality to the operation, its physical and logical location, and its owner. It is integrated with your third-party security tools, such as your antivirus, backup, whitelisting and change management databases to build a 360-degree view of your assets. This complete asset view provides the insight and data needed to make informed decisions like in the scenario outlined above.
Bonus! With the presence of an agent on a machine, OT-safe, measured and monitored changes are easily automated on the targeted assets. This significantly reduces costs associated with labor and hardware.
Software-based agent tools are often compared to passive detection tools on the topic of asset inventory. When identifying what a robust OT inventory requires to manage your cyber risk and OT assets, it becomes clear there is a strong need for a proper OT systems approach.
While both passive and active tools provide a significant, yet different value add to an OT security program, it should be an "and" conversation, not an "or" conversation.