Prioritizing Asset Risk Management in ICS Security

Imagine acquiring a business without understanding its intricacies. You’d need to perform adequate due diligence to determine the true value of the organization and understand where there are risks.

What if we were to purchase a used car or assess appropriate maintenance for it? We’d look at its general condition, book value, potential future worth, and the state of consumables. We’d also determine if there are other items that would pose a risk to ourselves and others, such as heavily rusted structural elements or irresponsive steering.

Based on what we find, we choose to either abandon this asset (car) or remediate the risks (e.g., seeing the mechanic, scheduling a visit, and getting work done).

What is asset risk management and prioritization?

In critical infrastructure, asset risk prioritization is a component of enterprise asset management with the goal of ranking OT assets by two dimensions: 1) the criticality of that asset to an organization’s operations, and 2) the potential cyber security risk exposure of the asset. Prioritizing industrial assets based on risk is important for determining decisions on improvements, maintenance, related projects and investments.

It is critical to independently assess these two components of prioritization in OT. Some assets may have a high exposure score, but just are not that critical to the process, while others even with a lower exposure score should be prioritized because of their criticality to the process. This is particularly critical in OT because of the challenges that come with vulnerability management and remediation.

Challenges with asset risk prioritization

Although this seems logical, putting it into practice has many challenges:

• Determining the criticality of an asset not just for its particular function, but the other functions it supports
• Additions and customizations tailored to the processes or functions it provides (e.g., logic or configurations)
• Predated expertise might be non-existent (e.g., integrator doesn’t exist or SMEs are long since retired)
• Often organizations have not conducted comprehensive criticality analysis
• Exposure assessments often stop at CVEs and known vulnerabilities which exclude many “insecure by design” exposures such as account settings, communications, etc.
• CVEs may be misleading in OT environments
• Cyber-related exposures and threats are constantly evolving
• Compensating controls for risk management vary in application and affect exposure of each asset
• Exposures aren’t stand-alone; they must include inter-relation of exposures which is not straightforward to do manually
• Organizational deployment and related architectures also affect risks

Determining the priority of asset management based on related risks is an involved process. Assuming you have obtained enough quality asset information and have a reasonable understanding of your organization’s industrial control systems in general, technology can be used to relieve some of those burdens; especially for organizations just beginning their cyber security journey.

4 steps in effective critical asset risk assessment

1. Gather a 360-degree understanding of the OT system(s) under consideration
   • Hardware and software inventory
   • Network connectivity
   • Process flows and device purpose
   • Users & accounts
   • Configuration settings
   • Presence of protective security layers
   • Etc.
2. Assign asset criticality metrics
   • Establish a system for assigning criticality scores (often this may already exist due to regulation of safety processes)
   • Evaluate the impact of lost accessibility, integrity, confidentiality, etc. to the business: safety, volume, profitability, etc.
   • Calculate and assign a score to each asset
3. Calculate exposure score for each asset based on known and potential risks to the asset
   • Evaluate known CVEs and exposure scores based on NIST, ICS CERT, etc.
   • Assess “insecure by design” elements of the asset or system including password management, open ports, etc.
   • Identify potential compensating controls that may reduce the exposure of the asset (e.g., firewalls, application whitelisting, etc.)
   • Determine exposure scoring methodology
   • Calculate scores for each asset. configuration
4. Prioritize remediation actions based on combined asset risk score and execute
   • Build lists and campaigns to remediate the identified risks or areas needing attention with reporting and the organization’s preferred scoring results.
   • Follow the change management processes and drive changes within the environment from the local site only based on the lists and identified changes.
   • Review and track changes, or unmitigated risks if remediation is not an option

Manage ICS security risks with tech-enabled asset risk prioritization

The above process is very challenging to do manually. Technology is a key requirement in achieving robust OT asset risk prioritization. While no single silver bullet solution determines your cyber risks absolutely, it is important to a) automate the asset information/inventory process in a way that can provide the richest set of asset information available, b) integrate your organization’s expert information and defined process, and c) enable calculated blended risk scores of criticality and exposure, including multiple sources of data (i.e. results from NERC CIP audits, Cyber PHAZOPs, and other third-party assessments) so the findings and concerns are considered within the platform.

It isn’t a replacement for an organization properly assessing relevant threats, but on the contrary, it allows an organization to move from awareness of risks or threats to a more relevant risk prioritization model that is repeatable and always evolving.

3 pieces of advice for a technology-enabled risk management approach

Here at Verve, we have worked for the past dozen years to ensure industrial customers gain visibility into the prioritization of the risks to their assets. Our experience has taught us several things:

• You have to get a 360-degree view of the endpoints

Perhaps the biggest challenge organizations have is the lack of deep visibility of the endpoints on the network. We refer to this as 360-degree visibility. Often organizations rely on manual inventory which is often either only samples or outdated. Others rely on passive solutions to infer information based on what is traversing the networking.

Both of these do not provide the level of detail required to really capture a 360-degree risk assessment of the asset. This would include items such as full software inventory (even those not running or communicating over the wire), full patch status, all accounts and users, configuration information, antivirus signature updates, backup status, etc.

In theory, passive is a low-risk way to get an initial understanding of an industrial environment, but it has limitations on what it can see and interpret.

• Efficiently assigning risk scores requires OT-specific assessment and scoring technology

Over the years, we have seen clients attempt to manually keep track of asset criticality and asset exposure. In some cases, they used spreadsheets or traditional asset management tools to track criticality scores. In others, they used IT-oriented scanning tools to try to capture vulnerability information from those devices which can be safely scanned.

In all these cases, the complexity and lack of visibility led to outdated or incomplete data. The technology must gather comprehensive views of all assets and exposures, even those which cannot be scanned.

Further, it must calculate scores in real-time based on both information gathered directly from the asset (e.g., has it just been patched or has antivirus just been updated), as well as the “tribal” knowledge from OT resources as to the asset’s criticality.

Effective OT asset risk prioritization software will include both of these. Most importantly, the development team needs to understand OT and the critical requirements of an OT environment. A risk is not a risk. Understanding the relevance of a particular CVSS score to OT is critical in calculating that ultimate risk prioritization.

• Don’t forget the remediation

ICS security is a continuous program, and while assessments don’t eliminate risks, they identify threats, risks, compliance variance, and remediation activities if they do not add fatigue and burdens with little value. Therefore, ongoing detailed assessments that present multiple sources of data in a single, tech-enabled view quickly identifies issues and moves us towards solving them.But assessment is only the first step. The technology you choose should also enable the automation of remediation steps to streamline the security, not just the prioritization. Too many clients try to execute remediation across separate silos. By bringing remediation and assessment into the same toolkit, you accelerate time to remediation and ensure ongoing measurement and reporting of progress.

Verve exposure scores guide criticality and vulnerability

Verve has worked with clients for over a decade to address risk prioritization challenges. To address these common challenges with asset inventory management and prioritization, Verve created a scoring mechanism (integrated into the Verve Security Center) to help asset owners enhance insight into assets.

They can either use additional criteria to filter by detailed type, applications, nature, criticality (based on data entered) – or – look at exposure factors (which may include compensating controls) to drill-down on host vulnerabilities.

The above image is a screenshot from the Verve Asset Manager (VAM), which acts as the control center when managing inventoried assets. It reports many details and calculations to sort the hundreds or thousands of assets you may be responsible for by filtering on the detailed asset type, criticality and exposure.

Verve’s asset inventory management tool reports on asset details for global visibility across all sites. Within the reporting console, all vulnerabilities are aggregated and ranked to effectively govern and manage the critical risks.

Verve also includes direct remediation of threats from the console. Therefore, as you prioritize asset risks, the user quickly pivots to remediation to remove the most critical risks or find compensating controls to execute.

OT asset prioritization for risk management

OT asset risk prioritization is one of the most critical elements of OT security and systems management. Because resources are limited and many remediation actions such as patching cannot be accomplished quickly or easily, OT security leaders need a robust prioritization framework to help achieve security effectively.

An OT asset risk prioritization platform that includes a 360-degree asset view, robust exposure and criticality scoring, as well as the ability to remediate significantly improves efficiency and maturity of OT security.

After all, the value of an integrated OT cyber security platform combines detailed asset information to deliver filterable results for prioritization, attributes, vulnerability or even risk exposures at a glance, and allows an organization to take action at the site level, while gaining visibility from all sites from a global perspective to drive prioritized and informed decisions.