Vulnerability management teams often face difficulties in patching all of their systems on a timely basis. This is true for traditional OT devices such as HMIs, PLCs, etc., but it is also very true in sensitive IT-like environments such as pharmaceutical labs or hospitals. Recent research says that 81% of CIOs and CISOs delay patches due to operational concerns.

The resolution is typically to prioritize the patches most critical to your OT environment based on risk and exploitability. But this raises two questions: How do you prioritize effectively? And what do you do with the assets that either cannot be patched or are not at the top of the priority queue?


What is an OT/ICS vulnerability assessment?

OT/ICS vulnerability assessment is the process by which an organization identifies the potential gaps in its security due to software, configuration, design and user/account insecurities and then prioritizes which of those risks poses the greatest threat to operations. In OT cyber security, a vulnerability is defined as a weakness that can be exploited by a threat actor or hacker to infiltrate and wreak havoc.

The key components of OT/ICS vulnerability assessment tools include:

  • Comprehensive asset inventory including all hardware, software, network configurations, device settings, user and account information, etc.
  • Identification of known vulnerabilities based on published databases such as the NIST National Vulnerability Database, ICS-CERT, etc.
  • Scoring risks based on asset criticality, the likelihood of exploitation, and impact, most importantly the potential impact on the process or on safety
  • Prioritization of remediation to reduce the greatest risk in the least time and cost


360-degree vulnerability assessment

Most organizations use various tools for patching and vulnerability management, network segmentation and management, configuration management, malware protection, and access control. It is difficult to effectively address patching in these critical systems without a full view of the entire vulnerability and protection picture. Without a 360-degree view, it becomes impossible to understand the true vulnerability as well as to prioritize remediation actions.

A 360-degree asset analysis aggregates a full view of the environment into a single database and analysis tool including:

Asset technical details:

  • Patch status
  • Software vulnerabilities including CVEs, alerts, etc.
  • Insecure endpoint configurations
  • 100% software inventory to identify unnecessary and risky software programs
  • Dormant, admin, shared, and other account risks
  • Password settings
  • Unapproved or risky ports, services, etc.
  • Network protections such as whether the asset sits behind firewalls, which ACLs are enforced, etc.
  • Log data on device and user behavior

Third-party tool information:

  • Anti-virus signature status
  • Application whitelisting control status (present, lock-down, etc.)
  • Backup status

Meta-data (or internal expert knowledge):

  • Operational criticality of the asset
  • Location, owner, etc.
  • System grouping and regulatory environment


Benefits of a 360-degree vulnerability assessment for OT/ICS:

Improved efficiency and effectiveness of patch prioritization:

Looking only at CVEs and CVSS scores, even with exploit availability factored in, gives an incomplete picture of the risk of an asset. You also need to include asset criticality and the protections already around the asset. If that asset is sitting behind a data diode or has application whitelisting with a narrow application set in lockdown mode, it may be less at risk than an asset with less severe vulnerabilities but no network protection.

Efficient and effective roadmap of compensating controls:

It is not enough to prioritize patching. Effective security requires a documented compensating control wherever deployment of a critical patch is delayed. A 360-degree view allows organizations to prioritize which compensating control is most efficient and effective given the asset's situation. Is whitelisting an effective option, or is the system too old to allow for agent deployment? Can you remove risky software (inherited from the IT standard build) that requires regular patching? Can you lock down firewalls further? Should you invest in additional firewalls for specific highly critical, older devices?
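The two points above, that patch priority must combine CVSS with asset criticality and existing protections, and that the right compensating control depends on the asset's situation, can be made concrete with a small scoring model. The following is an added illustration written for this article; it is not Verve's code and not the scoring used by Verve Security Center. The `Asset` fields, the exposure factors (0.1 for a data diode, 0.5 for enforced firewall ACLs, 0.3 for whitelisting in lockdown), the exploit multiplier of 1.5 and the three sample assets are all constructed assumptions chosen to show the ranking effect, not measured values.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed 360-degree record for one asset: technical details, third-party
# control status and operational meta-data, as the article's lists describe.
@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int               # 1 (low) .. 5 (safety-critical); expert knowledge
    max_cvss: float                # highest CVSS base score among unpatched CVEs
    exploit_known: bool            # a public exploit exists for that CVE
    behind_data_diode: bool        # network protection: one-way link
    firewall_acls_enforced: bool   # network protection: segmentation with ACLs
    whitelisting_lockdown: bool    # application whitelisting agent in lockdown mode
    agent_supported: bool          # can an endpoint agent run on this OS at all?
    risky_software: Tuple[str, ...] = field(default_factory=tuple)

# Assumed multipliers: each existing protection scales the exposure down.
DIODE_FACTOR = 0.1
ACL_FACTOR = 0.5
LOCKDOWN_FACTOR = 0.3
EXPLOIT_FACTOR = 1.5


def exposure_factor(a: Asset) -> float:
    """How much of the raw vulnerability is actually reachable and usable."""
    f = 1.0
    if a.behind_data_diode:
        f *= DIODE_FACTOR
    elif a.firewall_acls_enforced:
        f *= ACL_FACTOR
    if a.whitelisting_lockdown:
        f *= LOCKDOWN_FACTOR
    return f


def risk_score(a: Asset) -> float:
    """CVSS x exploit availability x operational criticality x exposure."""
    base = a.max_cvss * (EXPLOIT_FACTOR if a.exploit_known else 1.0)
    return base * (a.criticality / 5.0) * exposure_factor(a)


def prioritize(assets: List[Asset]) -> List[Asset]:
    """Patch queue: highest composite risk first."""
    return sorted(assets, key=risk_score, reverse=True)


def compensating_controls(a: Asset) -> List[str]:
    """Controls to document while a patch is delayed, chosen by asset situation."""
    controls: List[str] = []
    if not a.whitelisting_lockdown:
        if a.agent_supported:
            controls.append("deploy application whitelisting in lockdown mode")
        else:
            controls.append("legacy OS, no agent possible: isolate with a dedicated firewall")
    if a.risky_software:
        controls.append("remove unnecessary software: " + ", ".join(a.risky_software))
    if not a.behind_data_diode and not a.firewall_acls_enforced:
        controls.append("enforce firewall ACLs / segment the asset")
    return controls


# Constructed sample inventory (names and values are illustrative).
SAMPLE = [
    Asset("HMI-01", criticality=5, max_cvss=9.8, exploit_known=True,
          behind_data_diode=True, firewall_acls_enforced=True,
          whitelisting_lockdown=True, agent_supported=True),
    Asset("EWS-01", criticality=4, max_cvss=7.5, exploit_known=False,
          behind_data_diode=False, firewall_acls_enforced=False,
          whitelisting_lockdown=False, agent_supported=True,
          risky_software=("pdf-reader (IT standard build)",)),
    Asset("PLC-GW-01", criticality=5, max_cvss=7.8, exploit_known=False,
          behind_data_diode=False, firewall_acls_enforced=True,
          whitelisting_lockdown=False, agent_supported=False),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE):
        print(f"{a.name:10} CVSS {a.max_cvss:4} risk {risk_score(a):6.2f}")
        for c in compensating_controls(a):
            print("    -", c)
```

With these assumptions the engineering workstation (CVSS 7.5, unprotected) ranks above the HMI (CVSS 9.8 with a known exploit, but behind a diode and in whitelisting lockdown), and the legacy PLC gateway gets a firewall recommendation instead of an agent it cannot run. The multipliers are the part a team would calibrate against its own environment; the structure, one record per asset that merges patch, control and criticality data, is what the 360-degree view provides.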

Automated documentation and audit:

One of the biggest challenges in vulnerability assessment is gaining visibility into which compensating controls are in place when an asset is not patched. A 360-degree assessment removes the silos that separate the various controls, allowing much easier audit and documentation, whether your standard is an internally adopted one such as NIST CSF or CIS CSC20 or a regulatory one.

Verve Security Center provides a 360-degree view of vulnerabilities. The platform brings together dozens of different vulnerability views of the environment (patch and software vulnerabilities, endpoint configuration, passwords, access control, network rules and configurations, backup status, whitelisting status, etc.) in one place.

This common database significantly reduces the cost of managing vulnerabilities and increases the speed at which the organization can employ the appropriate compensating controls.

Patching prioritization is important, but if you add the full view, the security of the environment increases significantly as does the efficiency of the security and IT teams.
