Our last blog post examined the value of a comprehensive inventory, which is a fundamental requirement to start a vulnerability management (VM) program, and compared it to the current affinity for passive listening tools for inventory.
It was evident that a passive detection tool is a decent option to discover what is online, but is not proper inventory, and does not uncover the cyber risks inherent to endpoints. Passive anomaly detection tools are not intended to work as vulnerability management tools, so let's look at the most popular option: vulnerability scanning tools.
There are many options for vulnerability scanners on the market. They usually require that the latest threat intelligence and detection markers be loaded into the application, which then targets end devices for scanning. There are controls and settings to increase or decrease the intensity and functions of the scan, which matters in OT, where thousands of ports may be probed with requests at once.
In OT environments, we dial down vulnerability scans to a lower volume for a gentle approach and conduct the scans on redundant and more robust systems.
Many industrial organizations prefer to scan only during outage or turnaround opportunities to further reduce the risk introduced by a vulnerability scan. These are established OT-safe practices for bringing IT tools into the OT world, but they produce ineffective results.
Challenges with Vulnerability Scanning Tools
- Limited scanning: By dialing down the vulnerability scanners to lower volume, you do not gather the deep asset inventory knowledge you need
- Limited systems: By targeting robust systems for VM scanning, you disregard fragile, and sometimes more critical, industrial control systems
- Ages instantly: As soon as you finish a vulnerability scan, the data begins to age. If your VM scans are run with manual oversight, or only during an outage, your gap between scans could be quite significant
Alternatives to Vulnerability Scanning Tools
An agent-based, real-time OT systems management (OTSM) approach is the best alternative to vulnerability scanners. Leveraging an agent on OS-based devices, while simultaneously profiling network, communications gear, and embedded control equipment, generates a robust and complete asset inventory.
Correlating the National Vulnerability Database (NVD) with your inventory reveals the cross-section between your known assets and where the cyber risks lie. The differences are significant.
- Unlimited scanning: Know all details about each endpoint, and profile information about the asset
- Unlimited systems: 100%, real-time coverage of all assets means your vulnerability management view is complete across the entire OT environment
- Ages slowly: Asset inventory updates in near real-time, so querying your asset base (normal NVD update or manual polling for emerging/evolving risk) is instantaneous and your data is new, relevant and fresh
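The cross-section described above, an agent-reported inventory matched against NVD records, comes down to CPE matching. The following is an added illustration, not the vendor's code: the asset rows, vendor/product names and CVE ids are constructed placeholders, while the field names (`criteria`, `vulnerable`, `versionStartIncluding`, `versionEndExcluding`) follow the NVD cpeMatch schema.

```python
# Added example (not the vendor's code): cross-reference an asset inventory
# against NVD-style CPE match records. All records below are constructed.
from collections import namedtuple

Asset = namedtuple("Asset", "host vendor product version")

def parse_cpe23(cpe):
    """cpe:2.3:part:vendor:product:version:... -> (vendor, product, version)."""
    f = cpe.split(":")
    return f[3], f[4], f[5]

def version_key(v):
    """Sortable key for dotted versions; non-numeric parts compare as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))

def cpe_matches(asset, m):
    """True if the asset falls inside one NVD cpe_match entry (exact or range)."""
    vendor, product, version = parse_cpe23(m["criteria"])
    if (vendor, product) != (asset.vendor, asset.product):
        return False
    if version != "*":
        return version == asset.version          # exact-version CPE
    v = version_key(asset.version)               # wildcard CPE: apply the version range
    lo, hi = m.get("versionStartIncluding"), m.get("versionEndExcluding")
    return (not lo or version_key(lo) <= v) and (not hi or v < version_key(hi))

def exposed(assets, cves):
    """Map host -> sorted CVE ids whose vulnerable CPE entries match the asset."""
    out = {}
    for a in assets:
        ids = sorted(c["id"] for c in cves
                     if any(m["vulnerable"] and cpe_matches(a, m) for m in c["cpe_match"]))
        if ids:
            out[a.host] = ids
    return out

# Constructed inventory (what an agent would report) and placeholder CVE records.
INVENTORY = [Asset("hmi-01", "acme", "hmi_runtime", "4.2.1"),
             Asset("hmi-02", "acme", "hmi_runtime", "4.3.0"),
             Asset("eng-ws", "acme", "eng_tool", "2.0")]
CVES = [{"id": "CVE-EXAMPLE-1", "cpe_match": [{"vulnerable": True,
            "criteria": "cpe:2.3:a:acme:hmi_runtime:*:*:*:*:*:*:*:*",
            "versionStartIncluding": "4.0", "versionEndExcluding": "4.3.0"}]},
        {"id": "CVE-EXAMPLE-2", "cpe_match": [{"vulnerable": True,
            "criteria": "cpe:2.3:a:acme:eng_tool:2.0:*:*:*:*:*:*:*"}]}]

if __name__ == "__main__":
    for host, ids in exposed(INVENTORY, CVES).items():
        print(host, ids)
```

Because the inventory is refreshed by the agent rather than by a scan, re-running the join after each NVD update gives the near real-time view the list above describes; hmi-02 drops out of the result only because its version sits on the range's excluded upper bound.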
Embracing established IT tools in the OT space is a progressive step toward changing our coverage and our ability to respond to threats and protect OT assets. IT and OT convergence provides real-time, comprehensive coverage with instant vulnerability management status.