Top 5 Learnings from a Decade of OT/ICS Vulnerability Assessments

For over a decade, Verve has conducted technology-enabled OT/ICS vulnerability assessments. Leveraging our 25+ years of experience as ICS automation engineers, Verve evaluates comprehensive exposure and process risks based on cyber security vulnerabilities within the ICS/OT environment.

What is an OT/ICS vulnerability assessment?

OT/ICS vulnerability assessment is the process by which an organization identifies the potential gaps in its security due to software, configuration, design and user/account insecurities and then prioritizes which of those risks poses the greatest threat to operations. In cyber security, a vulnerability is defined as a weakness that can be exploited by a threat actor or hacker to infiltrate and wreak havoc.

The key components of OT/ICS vulnerability assessment tools include:

• Comprehensive asset inventory including all hardware, software, network configurations, device settings, user and account information, etc.
• Identification of known vulnerabilities based on published databases such as the NIST National Vulnerability Database, ICS-CERT, etc.
• Scoring risks based on asset criticality, potential for exploit, and impact, and most importantly, the potential impact on process or safety as a result
• Prioritization of remediation to reduce greatest risk in least time and cost

Why is an OT/ICS vulnerability assessment critical?

OT/ICS vulnerability assessment is critical because it provides the foundational data to enable the creation of a robust remediation roadmap for cyber security protection. Without a comprehensive assessment, industrial organizations may unknowingly pursue expensive and low impact solutions.

With a robust assessment, they gain confidence their security initiatives (and investments) will deliver the greatest ROI possible. Most importantly, it helps provide an accurate view of the potential process risks that might cause physical harm to people or property in OT environments.

From a decade of vulnerability assessments, we discovered 5 key common findings that every OT/ICS environment can benefit from understanding:

1. A proper OT/ICS vulnerability assessment requires looking at a 360-degree view of risks. In ICS/OT, it is not enough to rely on publicly listed CVEs and CVSS scores. We won’t expand here on the challenges of CVSS for OT-specific vulnerabilities, but risks in OT/ICS go well beyond “vulnerabilities” as defined by CISA or MITRE. These systems are often “insecure-by-design”.

Because of their design and lack of traditional systems management that might be found in IT, organizations need to look at risk across multiple lenses. Some of these include:

• Traditional CVEs/vulnerabilities
• Presence of unnecessary and potentially risky software (even if that software is completely patched and lacks vulnerabilities)
• Insecure configurations
• Weak user and account access, password settings, dormant accounts, etc.
• Presence and effectiveness of compensating controls. Because many devices cannot be patched, the vulnerability assessment must determine the strength of the compensating controls such as network access limitations, anti-virus, application whitelisting, etc.

2. Asset criticality or impact on the process is as, if not more, important than the exposure of the asset itself. This is one of the most significant differences between IT and OT. Sure, in IT there are some assets that are more important. But in OT, some assets could cause a plant to shutdown, causing hundreds of thousands or millions of dollars of damage, or even worse, physical harm to people or property. Further, in IT most devices can be patched relatively quickly addressing the known vulnerabilities. OT patch management can be slow or not possible, therefore prioritization of risks and which devices are most critical to secure is even more important.
3. Organizations should leverage technology to gather a very deep asset inventory (more than just hardware and OS version, but detailed patch status, firmware versions, user and account information, full software inventory, etc.) to conduct the 360-degree assessment described above. Manual inventories or samples have two significant flaws: First, they are outdated as soon as they are gathered. Vulnerability assessments are only valuable if the organization takes the next step to remediate risks. An outdated database doesn’t help at all in remediation, monitoring process, or reporting on updated risk status. Measurable risk reduction requires an automated collection of a 360-degree risk picture. Second, manual inventories or samples do not capture the data to provide that 360-degree view without a very high cost. Technology enables a much lower cost, deeper view of risks.
4. There are ways of applying software technology to capture this updated information without relying on IT scanning technologies that puts OT devices and processes at risk. Verve leverages a unique software architecture developed over our 25+ years of experience in vendor-agnostic automation engineering. We believe this approach is better than passive tools that require expensive hardware and only capture what is on the wire. But in any case, there are tools out there to help streamline this assessment process.
5. Remediation (the real mark of success of any assessment process) requires a “Think Global: Act Local” approach. “Think Global” means that the technology and solution you use needs to aggregate all site-level information on risk into an enterprise-wide view. This is necessary to scale the limited resources available to conduct these assessments on a regular basis – weekly, monthly, quarterly. It does not make sense to train personnel at each plant/site how to conduct vulnerability assessments. But the only alternative is to gather vendor-agnostic information from each asset (Windows, networking, embedded OT devices, IOT, etc.) into a common database. “Act Local” means that the remediation actions need to place automation into the hands of local personnel who truly understand the processes and the timing/manner that remediation needs to be executed. We have heard of too many horror stories of patching or account management conducted from afar causing operational issues, shutdowns or worse. Whatever remediation tools an organization uses should enable automation, but automation controlled by ICS personnel that understand the process.

This is a “top 5” list of vulnerability assessment learnings, but after a decade, we have many more takeaways around topics such as how to prioritize patching, what types of risks we find most often, how to best create a 360-degree risk score, etc.

Download our on-demand webinar to hear more about our vulnerability assessment findings and most importantly – how to prioritize and address the highest risks in your OT environments.