OT Vulnerability Management – When Patching isn’t Preferred (or even possible)
What are the preferred practices in industrial security when patching isn’t possible? Find out here.
Cyber threats and attacks are on the rise for industrial, manufacturing and critical infrastructure organizations. Many of these threats are the result of vulnerabilities present in the organization’s OT systems. Targeted threat actors or untargeted ransomware attacks can exploit these vulnerabilities to gain access to industrial networks for financial gain or to interrupt operations.
The rise in cyber threats is due to factors such as the acceleration of IIoT technology and digital transformation initiatives like Industry 4.0 in manufacturing, an increase in remote work and remote access amid the COVID-19 pandemic, and the prevalence of ransomware.
Cyber criminals are growing smarter, and these factors have undoubtedly increased the attack surface for threat actors to take advantage of, costing the U.S. economy as much as $109 billion in 2016.
Enter vulnerability management: a seemingly straightforward cyber security process that is meant to significantly reduce the number of cyber-related threats and attacks. But if it’s so easy, why aren’t we doing it?
Let’s take a step back and start by answering the question, what is vulnerability management?
Vulnerability management is defined as the business process of identifying, prioritizing, remediating, and reporting on software insecurities and misconfigurations of endpoints in Operational Technology (OT) or Industrial Control System (ICS) environments.
Compared to traditional IT environments, OT vulnerability management is more complex. Vulnerability management, as defined in IT, specifically focuses on identifying known software insecurities published by vendors or third parties. But in OT, it’s not as simple as scanning for known insecurities and then rebooting a computer to install the latest OS updates.
Industrial control systems in OT environments often use legacy or outdated equipment and software that no longer receive security updates. Scanning these systems can put operations at risk, and applying patches requires taking them offline for maintenance, which is not only expensive but disruptive to critical operations. It’s no wonder industrial organizations find themselves neglecting vulnerability management and other cyber security processes.
Many operating companies have very little asset inventory data. In most cases, asset data is limited to aging spreadsheets or incomplete data from a mix of sources, providing intermittent or spotty coverage. When a new vulnerability is discovered, you turn to the asset inventory to determine how many OT assets are in scope for this risk and how many can be safely patched. But without a detailed profile of each asset, this job becomes impossible.
We all know the common motto, “you can’t protect what you can’t see,” and while this is true, your asset inventory should be more than a list of assets. A powerful asset inventory management solution is crucial for a successful vulnerability management program when it is combined with detailed profile data per asset (such as the criticality of the asset to operations, which network layer the asset sits on, whether it is remotely accessible, etc.). The more context you have about each asset, the stronger your vulnerability analysis and prioritization.
Learn how to overcome an incomplete asset inventory.
Vulnerability scanning was designed to identify weaknesses of a system in order to quickly close gaps in infrastructure before they are exploited, but it poses greater challenges in OT than in IT. In OT environments, scanning presents three challenges.
First, scans of OT devices can potentially disrupt their operation or, worse, disable them completely. Further, because these systems are tightly integrated, one system going down can cause issues in others, eventually tripping the plant.
Second, scanning happens infrequently, so as soon as a scan is finished it is already outdated. Conducting a scan only during an outage or scheduled downtime means there will be large gaps between scans, leaving you with an incomplete picture of the vulnerability landscape at any given time.
Third, even if you do conduct scanning, it does not gather 100% of the vulnerability information. While vulnerability scanners have settings to reduce the intensity and functions of a scan (intended to minimize potential damage to sensitive OT systems), this gentler approach ends up reducing accuracy because it cannot gather deep asset inventory knowledge.
In lieu of vulnerability scanners, an agent-based OT systems management approach is the best alternative. With real-time coverage of your assets and their vulnerabilities, you’re one step closer to responding to threats and protecting your most critical OT assets.
Read more about alternatives to vulnerability scanning for identification.
According to ESG Research, 34% of cyber security professionals reported their biggest vulnerability management challenge is prioritizing which vulnerabilities to remediate. With hundreds or thousands of vulnerabilities, it can feel a bit like playing whack-a-mole with no end in sight.
Building on our discussion of a robust asset inventory as the foundation for your vulnerability management program, context about which assets are most critical or most exposed helps determine priority, because not every critical vulnerability presents the same security risk to operational systems.
To prioritize the remediation of vulnerabilities, organizations need to conduct 360-degree risk assessments that include comprehensive risk scoring beyond CVE or CVSS. We must move beyond just identifying potential risks and vulnerabilities to prioritizing specific actions that drive the greatest risk reduction most efficiently.
Read more about the need for integrated risk management here.
Remediating vulnerabilities often comes in the form of patching, that is, applying the software updates and bug fixes released by the vendor. If 60% of breaches involve vulnerabilities for which a patch was available but not applied, it seems like a simple and straightforward solution: stay on top of available patches, right? Well, it’s not that simple.
Of the 11,000 known and exploitable vulnerabilities, 34% do not have patches available. And for those patches that are available, they’re not all possible to deploy in ICS environments.
While software patching in IT occurs daily or weekly, in OT environments it tends to be tedious, difficult and time-consuming, especially when time and the necessary skills are in short supply. Tracking which patches are in scope, whether they are approved by the vendor, which devices each patch belongs on (hello, detailed asset inventory, anyone?), and the current status of each system is a lot to keep up with.
Critical to effective vulnerability management is patch automation that is controlled by operators who understand the control systems. Manual processes are too time-consuming. By the same token, IT automation that pushes patches automatically to OT systems can cause disruptions. What is required is a system that enables centralized analysis but local automation that operators can manage to streamline tasks while ensuring reliability.
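The three threads above (a detailed asset inventory that answers "how many assets are in scope and how many can be safely patched", risk scoring that goes beyond raw CVSS, and tracking whether a patch exists, is vendor-approved and has a maintenance window) fit together in one small prioritization routine. The following is an added example written for this article, not code from the author or from any vendor's product; the asset fields, the weighting formula, the product names and the `CVE-EXAMPLE-*` identifiers are all constructed assumptions, and a real program would take its advisories from vendor or ICS-CERT feeds and its inventory from an agent-based collection tool.

```python
"""Context-aware OT vulnerability prioritization (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    asset_id: str
    vendor: str
    product: str
    version: str
    purdue_level: int                  # 0-3: lower means closer to the physical process
    criticality: int                   # 1 (low) .. 5 (process-critical), set by operations
    remotely_accessible: bool          # reachable via remote access or from upper layers
    patch_window_days: Optional[int]   # days until next planned outage; None = none scheduled


@dataclass(frozen=True)
class Vulnerability:
    cve_id: str                        # placeholder ids below; real ones come from advisories
    vendor: str
    product: str
    affected_versions: frozenset
    cvss: float                        # base score 0.0-10.0
    patch_available: bool
    vendor_approved: bool              # OT vendor has validated the patch for this product
    network_exploitable: bool


def assets_in_scope(vuln, inventory):
    """Match an advisory against the inventory: same vendor/product and an affected version."""
    return [a for a in inventory
            if a.vendor == vuln.vendor and a.product == vuln.product
            and a.version in vuln.affected_versions]


def risk_score(vuln, asset):
    """CVSS weighted by operational criticality and by exposure (assumed formula).

    The 1.5 exposure multiplier applies only when the flaw is network-exploitable AND
    the asset is remotely reachable; an isolated controller keeps the bare weighted score.
    """
    criticality_weight = asset.criticality / 5.0
    exposure = 1.5 if (vuln.network_exploitable and asset.remotely_accessible) else 1.0
    return round(vuln.cvss * criticality_weight * exposure, 2)


def recommended_action(vuln, asset):
    """Decide what remediation means for this pair; patching is only one possible outcome."""
    if not vuln.patch_available:
        return "no-patch: compensating controls (segmentation, access restriction, monitoring)"
    if not vuln.vendor_approved:
        return "validate: patch exists but is not vendor-approved; test before deployment"
    if asset.patch_window_days is None:
        return "defer: patch needs an outage and none is scheduled; apply compensating controls"
    return f"schedule: deploy vendor-approved patch in maintenance window ({asset.patch_window_days} days)"


def prioritize(inventory, vulns):
    """Return (score, cve_id, asset_id, action) tuples, highest risk first."""
    rows = []
    for v in vulns:
        for a in assets_in_scope(v, inventory):
            rows.append((risk_score(v, a), v.cve_id, a.asset_id, recommended_action(v, a)))
    return sorted(rows, key=lambda r: r[0], reverse=True)


# --- constructed sample inventory and advisories (fictional products and CVE ids) ---
INVENTORY = [
    Asset("plc-01", "AcmeOT", "PLC-X", "2.1", 1, 5, False, None),
    Asset("plc-02", "AcmeOT", "PLC-X", "2.3", 1, 5, False, None),      # not an affected version
    Asset("hmi-01", "AcmeOT", "HMI-Suite", "4.0", 2, 4, True, 30),
    Asset("eng-ws-01", "ExampleCo", "EngTool", "1.3", 3, 2, True, 7),
]
VULNS = [
    Vulnerability("CVE-EXAMPLE-0001", "AcmeOT", "PLC-X", frozenset({"2.1", "2.2"}), 9.8, False, False, True),
    Vulnerability("CVE-EXAMPLE-0002", "AcmeOT", "HMI-Suite", frozenset({"4.0"}), 7.5, True, True, True),
    Vulnerability("CVE-EXAMPLE-0003", "ExampleCo", "EngTool", frozenset({"1.3"}), 8.8, True, False, True),
]

if __name__ == "__main__":
    for score, cve, asset_id, action in prioritize(INVENTORY, VULNS):
        print(f"{score:5.2f}  {cve:18} {asset_id:10} {action}")
```

Ranked by CVSS alone the engineering-workstation flaw (8.8) would sit above the HMI flaw (7.5); once criticality and exposure are applied the remotely reachable, criticality-4 HMI scores 9.0 against 5.28 for the low-criticality workstation, and the unpatchable PLC issue leads the list with an explicit compensating-controls outcome rather than a patch that will never arrive.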
Here are 6 steps to effective OT/ICS patch management.
Many ICS security leaders find it difficult to manage the full vulnerability management process from start to finish. In many cases, organizations conduct one-time or infrequent vulnerability assessments because of the manual effort required. Once the assessment is complete, a separate tool or internal labor is needed to act on, or remediate, the identified vulnerabilities. It is easy to lose track of the process when many balls are in the air.
A closed-loop vulnerability management process with integrated remediation is key, but bringing administrative functions such as marking patches as reviewed and approved into the same toolset takes management to an entirely new level. Asset inventories, vulnerabilities and remediation information update in real time, so any query against the asset base reflects the latest data.