There are multiple stages of a vulnerability management framework, some of which are preliminary and some of which recur regularly.
The first stage, Prepare, includes establishing roles and responsibilities and defining corporate policies and procedures for standing up and executing a robust vulnerability management program.
There are two significant components of this stage that have the potential to strongly impact an OT environment:
- Define program scope and identify target assets
- Deploy/configure vulnerability scanning solutions
Defining program scope and identifying target assets is, at its core, an asset inventory problem, and asset inventory is something most OT environments struggle with.
A capable asset inventory management solution is crucial for a successful vulnerability management program, and it becomes more valuable as the data it holds grows. The more you know about each asset, the stronger your analysis, remediation, exception handling and management decisions.
What data types are useful in a vulnerability management program?
Let’s run through a scenario taking a raw vulnerability risk score and applying practical analysis to it in the context of an OT environment:
A vulnerability is identified, and we know its attack vector, severity, complexity to execute and which systems are in scope. How do we decide to proceed?
- Is the system at risk critical to operations? (This requires system analysis and ranking, often called metadata or tribal knowledge.)
- Is the system hardened, and is remote access enabled only for administrative accounts? (This requires detailed knowledge of the asset's characteristics.)
- Given the vulnerability's attack vector, does the contextual data make the system more or less likely to be compromised?
- Is the asset in layer one or two, and is the attack vector adjacent-network or network? What about a layer 3.5 asset?
- What if we have a current backup, and whitelisting is in enforcement mode?
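The scenario above, worked through in code as an added example (not from the original article): a raw vulnerability score is adjusted with the inventory attributes the questions ask about, namely criticality, layer, hardening, whitelisting mode and backup state. The asset fields, the score adjustments and the action thresholds are illustrative assumptions, not a published standard.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    criticality: str          # "high" / "medium" / "low", from metadata or tribal knowledge
    layer: float              # 1, 2 or 3.5 as in the article's questions
    hardened: bool
    admin_only_remote: bool   # remote access restricted to administrative accounts
    whitelisting_enforced: bool
    backup_current: bool

@dataclass
class Vuln:
    vuln_id: str              # placeholder identifier, not a real CVE
    base_score: float         # raw score as reported, e.g. 9.8
    attack_vector: str        # "network", "adjacent" or "local"

def contextual_score(vuln: Vuln, asset: Asset):
    """Return (adjusted score, rationale). Adjustments are assumed illustrative weights."""
    score, notes = vuln.base_score, []
    if vuln.attack_vector == "network" and asset.layer <= 2:
        # a layer 1/2 asset behind segmentation is less exposed to network-vector attacks
        score -= 2.0
        notes.append("network vector against a layer 1/2 asset")
    elif vuln.attack_vector == "adjacent" and asset.layer <= 2:
        notes.append("adjacent vector: reachable from the same cell network")
    if asset.hardened and asset.admin_only_remote:
        score -= 1.0
        notes.append("hardened, admin-only remote access")
    if asset.whitelisting_enforced:
        score -= 1.5
        notes.append("whitelisting in enforcement mode")
    if asset.backup_current:
        score -= 0.5
        notes.append("current backup limits recovery impact")
    if asset.criticality == "high":
        score += 1.0
        notes.append("critical to operations")
    return max(0.0, min(10.0, round(score, 1))), notes

def triage(vuln: Vuln, asset: Asset) -> dict:
    """Turn the adjusted score into an action plan entry (thresholds are assumptions)."""
    score, notes = contextual_score(vuln, asset)
    if score >= 7.0:
        action = "remediate now"
    elif score >= 4.0:
        action = "schedule for next maintenance window"
    else:
        action = "document exception and monitor"
    return {"asset": asset.name, "score": score, "action": action, "rationale": notes}
```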
These types of data sources, and the insight they provide, are a significant benefit to the analysis and eventual action plan an OT environment requires. Yet they are extremely rare to find, because the biggest challenge for any OT environment is gathering this kind of information in the first place.
Most operating companies have very little asset inventory data. In most cases, asset data is limited to aging spreadsheets or incomplete data from a mix of sources, providing intermittent or spotty coverage.
Many industrial companies turned to passive or network-based listening tools as a first step in compiling an asset inventory. Passive tools are valuable to an extent, but passive anomaly detection tools do not provide the data needed to build a robust vulnerability management program.
Three ways passive anomaly detection tools fall short in asset inventory:
- Incomplete coverage: A passive listening tool only picks up assets it can "hear". If an asset does not communicate through a specific "listener", its presence is not detected and it is not included in your asset inventory. Serially connected relays, for example, are highly unlikely to appear in your list of assets. Full coverage also means placing "listeners" in every subnet, which demands ever-growing resources.
- Detailed data and characteristics: Passive anomaly listening only captures what is actually transmitted on the wire. If the endpoints are not configured to send a piece of data, it is not captured; this includes firmware versions, serial numbers, software versions, user accounts, and listening ports and services. Passive tools pick up a lot of traffic, but not everything. In the end, inventory is not the use case they were originally designed for.
- Ability to tune: It is valuable to confirm that systems are working, or to get feedback that something is at risk. But identifying a vulnerability is not enough if you cannot manage it. An alert is just that, a warning. Taking action to remediate is impossible with passive anomaly detection tools.
Vulnerability Management Tools for OT
The alternative to passive tools is OT-based, real-time inventory tools. They are proven to be safe in OT environments, designed for the unique needs of an operating environment, and are intended to help manage OT endpoints.
By connecting to all asset classes (OS-based, networking and embedded), you gain access to rich data, detailed insights and 100% asset coverage. We openly advocate a combination of agents (on OS-based devices) and OT-safe profiling tools (CIP protocol, SNMP, SSH, etc.) to centrally compile a robust asset inventory.
The user adds knowledge of the asset, such as its criticality to the operation, its physical and logical location, and its owner. The inventory is integrated with your third-party security tools, such as your antivirus, backup, whitelisting and change management databases, to build a 360-degree view of your assets. It is this complete asset view that provides the insight and data needed to make informed decisions like those in the scenario outlined above.
Bonus: with an agent present on a machine, changes to the asset can easily be made remotely.
Software-based agent tools are often compared to passive detection tools on the topic of asset inventory. When you identify what a robust OT inventory requires in order to manage your cyber risk and OT assets, it becomes clear there is a strong need for a proper OT systems approach.
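As an added example (not the article's or any vendor's code), the following consolidates inventory fragments from the sources the article names, an agent, an OT-safe profiler, user-entered metadata and third-party backup and whitelisting databases, into one 360-degree record per asset, recording which source supplied each field and which fields are still missing. Source names, field names and the sample records are constructed for illustration.

```python
# Fields the article's scenario needs to answer its questions; "n/a" counts as known
# (for example, a PLC that cannot run whitelisting).
REQUIRED_FIELDS = ("firmware", "serial", "listening_ports", "criticality",
                   "owner", "whitelisting_mode", "last_backup")

def build_asset_view(asset_id, fragments):
    """fragments: list of (source_name, {field: value}) in order of trust.
    The first source to supply a field wins; provenance records who supplied it."""
    view, provenance = {"asset_id": asset_id}, {}
    for source, data in fragments:
        for field, value in data.items():
            if field not in view and value is not None:
                view[field] = value
                provenance[field] = source
    gaps = [f for f in REQUIRED_FIELDS if f not in view]
    return view, provenance, gaps

def coverage_report(inventory):
    """Map each asset id to the list of required fields no source could supply."""
    return {aid: build_asset_view(aid, frags)[2] for aid, frags in inventory.items()}

# Constructed sample: one PLC profiled over CIP, one Windows HMI with an agent.
SAMPLE_INVENTORY = {
    "plc-01": [
        ("cip_profiler", {"vendor": "ExampleVendor", "firmware": "20.11", "serial": "SN-0001"}),
        ("user_metadata", {"criticality": "high", "owner": "ops-team",
                           "location": "cell 3", "whitelisting_mode": "n/a"}),
        ("backup_db", {"last_backup": "2023-01-02"}),
    ],
    "hmi-01": [
        ("agent", {"os": "Windows 10", "listening_ports": [135, 445, 3389],
                   "local_admins": ["Administrator"], "firmware": None}),
        ("whitelisting_db", {"whitelisting_mode": "enforce"}),
        ("backup_db", {"last_backup": "2023-01-05"}),
    ],
}

if __name__ == "__main__":
    for asset_id, gaps in coverage_report(SAMPLE_INVENTORY).items():
        print(asset_id, "missing:", gaps or "nothing")
```

The gap list is the actionable output: it tells you which asset needs a serial connection, a profiling pass or a user-entered field before the vulnerability scenario can be analysed for it.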
While both passive and active tools provide a significant, yet different value add to an OT security program, it should be an "and" conversation, not an "or" conversation.