Conducting vulnerability assessments for industrial organizations is often a costly, manual effort requiring on-site resources which, as a result, happens infrequently. But a technology-enabled vulnerability assessment significantly reduces the time and labor requirements to enable real-time, ongoing visibility to track progress and have continuous visibility into risks. This white paper describes how to apply this approach to quickly prioritize security gaps and remediation efforts.

THE CHALLENGE

Many industrial organizations are in the beginning stages of addressing the cyber security of their Operational Technology (OT) systems. Most lack the visibility and resources to adequately assess – not to mention remediate – the risks of these environments. In most cases, manual or qualitative approaches break down because the OT systems and personnel do not have the requisite knowledge and visibility into the environment to even answer the questions posed by traditional vulnerability assessments.

Traditional IT tools are risky to deploy in OT (e.g., a simple Nessus scan may render PLCs, barcode printers or robots unusable). In addition, these assessments leave the organization with information on where the gaps are but don’t provide a path toward progress. Finally, traditional OT vulnerability assessments are time-consuming and expensive in the distributed environments found in industrial operations.

THE OPPORTUNITY FOR CHANGE

Let us introduce a three-phased approach to OT/ICS cyber security assessments that addresses the unique challenges of these environments. The first phase is conducting interviews and reviewing available data. The second phase is conducting the technology-enabled assessment of each site. And the third phase is the roadmap development phase where the assessment findings are synthesized into an enterprise as well as site-level maturity remediation and maintenance recommendations. Throughout the process, you should define the standards and governance model that each site and organization desire to achieve.

TECHNOLOGY-ENABLED VULNERABILITY ASSESSMENT METHODOLOGY

PHASE 1: CONDUCT INTERVIEWS AND REVIEW AVAILABLE DATA

The best place to start is with initial data requests and targeted interviews. These initial interviews and walk-downs (either in person or on a virtual whiteboard) enable organizations to understand the current business operations and the security policies, procedures, and technologies currently employed.

For instance, the interviews inform whether OEM vendors are taking the majority of the security responsibility, whether certain manufacturing systems need to communicate with enterprise IT for key data or whether the site can be self-contained, whether personnel on-site have technical “systems management” skills necessary to conduct key security management functions such as patching or configuration management, etc.

The interviews are combined with targeted data collection from each site, and the resulting information is distributed to client senior leadership and site leadership to align both parties. Next, data requests are distributed to each site, with the responses deposited into a secure data repository. Typical information includes – if available – network diagrams, asset inventory lists, any documented security policies and procedures, key personnel contact information, a list of major OEM systems, any current security or resilience technology/tools (e.g., backup & restore, anti-virus, etc.), etc.

The goal here is to gather a significant portion of that information for initial review before conducting the initial interviews with the site personnel. We find in this sequence the interviews are much more targeted and effective.

In addition, reviewing the documentation (or lack thereof) on things such as network diagrams, updated asset inventory, current patch status or Anti-virus status, etc., provides a view of the relative stage of maturity of the site across a range of the key security elements of the chosen standard.

For instance, the NIST CSF calls for an updated asset inventory to include: hardware, all installed software, firmware in the case of embedded devices, running configurations, all users and accounts, password and other settings, AV and/or application whitelisting status, backup status, etc. By gathering available documentation, the team can determine whether these kinds of security fundamentals are in place or not.

During Phase 1, you’ll also kick off the governance and standards development process, but this work continues across all three phases, because the governance model and standards will evolve as you get deeper into the assessment process across the sites. In addition, as you conduct the technical assessment and design a roadmap, the site-specific feasibility exceptions and requisite compensating controls need to be taken into account in the governance/standards model.

To develop the final governance model, it’s important to understand the current organization governance model for operations to align as much as possible. Read more about Developing a Successful OT Governance Model here.

PHASE 2: CONDUCT A TECHNOLOGY-ENABLED VULNERABILITY ASSESSMENT

The key to a robust OT vulnerability assessment is leveraging technology to test the robustness of the security environment, rather than relying on qualitative input from personnel and current documents.

The components of an effective OT/ICS vulnerability assessment technology are:

  • Comprehensive asset inventory including all hardware, software, network configurations, device settings, user and account information
  • Identification of known vulnerabilities based on published databases (e.g., NIST NVD or ICS-CERT)
  • Scoring risks based on asset criticality, the potential for exploitation, and the impact on process or safety as a result
  • Prioritization of remediation to reduce the greatest risk in the least amount of time and cost

5 benefits of a technology-enabled approach:

1. Keep OT safe

A top challenge in conducting technical assessments in OT is the risk to operations. Leveraging an OT-specific solution ensures no disruptions or impact on operations. In fact, operational personnel often find the insights generated help with the reliability of systems, because the assessment can identify potential network or system functionality issues that may plague operations.

2. 360-degree risk perspective

A comprehensive risk assessment provides a full 360-degree view, capturing all of the site’s asset inventory information into a centralized reporting console. Unlike a “pen test” which may discover one path into the environment and highlight the need for better intrusion detection, the 360-degree assessment provides an assessment of all the potential threat vectors and the risks to the system, allowing you to model various threat vectors.

[Figure: 360-degree risk assessment]

Key information gathered during the technology-enabled assessment approach should include:

  • Discovery of rogue assets that aren’t included in the current inventory
  • All installed software to review for risky items such as TeamViewer or other remote access applications, as was done by attackers in the Oldsmar water incident
  • Firmware on embedded devices
  • Software vulnerabilities/CVEs to identify potential attack paths
  • Patch status to determine whether critical patches are missing
  • All users and accounts to determine the presence of dormant accounts that may enable attackers to leverage older credentials available on the dark web, as was done in the case of Colonial Pipeline
  • All configuration settings to compare to standards such as DISA-STIG and OT-specific standards
  • Status of key security and reliability software such as backups, antivirus, application whitelisting, etc. to determine whether attacks can be defended and responded to quickly
  • Network connections and configurations to identify potential paths for external unapproved access, and weak firewall and switch configurations that may allow the spread of malware or APT activity

As a result of this comprehensive view, you’ll easily prioritize what you need to fix – e.g., remove these 35 dormant accounts from the OEM vendor that haven’t been used since an outage 2 years ago, deploy these specific patches to address critical RDP vulnerabilities, harden the password settings to require changing them every 30 or 60 or 90 days, etc. The granularity of the assessment enables a much more practical and efficient remediation roadmap.

3. Enterprise visibility across all sites

Aggregate this data into a reporting console so the assessment analysis is scalable and provides the corporate security or process control team visibility into the risks across the environment. One of the challenges of embarking on a multi-site assessment is tracking all of the risks and assessment outputs. The technology leveraged at each site aggregates back to a central reporting console for analysis, planning, and remediation play-booking. The benefits are improved efficiency and effectiveness of the assessment.

We call this ability to see all risks across the fleet centrally, while enabling local control over remediation actions using the power of the automated tool, “Think Global: Act Local”. The enterprise reporting console allows a smaller, common team to review the risks across sites around the globe. This drives efficiency in the analysis of all the various threats to the environment. Further, instead of site-by-site analysis, the process is much quicker when the data is automatically aggregated centrally. This centralization also allows for improved consistency in the assessment. Because the same group of individuals is reviewing the data from all 70 sites, the consistency of risk prioritization and remediation planning is significantly better.

[Figure: Think Global: Act Local]

4. Accelerated time to security – assess & remediate in the same platform

Now it’s time to take action on the vulnerability assessment findings. Demonstrating rapid security improvement, as opposed to simply identifying the problems, is arguably what makes a technology-enabled assessment approach so unique.

One of the biggest benefits of a technology-enabled assessment is that it gives organizations very specific information on asset risks while allowing them to move quickly to remediate and demonstrate rapid improvement, rather than merely pointing out problems.

Operation/plant personnel who aren’t part of the security team tend to oppose assessments because they point out problems and identify what’s not being done, most of which are known because security has not been a focus in operations in the past. For instance, you aren’t conducting appropriate network segmentation, you aren’t monitoring for intrusions, you aren’t updating or patching older systems, etc.

By leveraging the technology-enabled assessment approach, the assessment provides very specific information which may be valuable operationally – e.g., did you know that the server you rely on for a key part of your operation has intermittent CPU issues and is almost out of disk space, or that your vendor installed a 5G device in the backplane of a controller so they can monitor things without informing you, etc. But this way, you’re immediately taking ownership and control of the security gaps.

If the security and site personnel discover dormant accounts that should be removed across hundreds of devices, you can immediately automate removal – obviously with approval from the operations personnel. When you discover unapproved remote access software, DVD burners, iTunes, or worse, running on HMIs and OT servers, you can immediately remove that software at scale.

5. Continuous monitoring and assessment

Many OT vulnerability assessment methodologies are one-time, providing a point-in-time perspective of the risks of an environment. Literally, the day after the assessment is completed, the risk picture could look different if new vulnerabilities are released or changes are made to network configurations, or devices are upgraded in a typical upgrade process.

A technology-enabled assessment approach provides an ongoing, real-time view of the risk in the environment. So, as an organization takes remediation actions, the console is updating its information for all sites. The team can monitor as sites move from “red to green” on key metrics such as dormant users or insecure configurations in networking equipment or missing critical patches, etc. In addition, if changes are made or new external vulnerabilities are released (hundreds of which happen every week), updates are made to the risk scoring of each asset and site in the company.

[Figure: 360-degree risk assessment]

PHASE 3: DEVELOP A CYBER SECURITY ROADMAP

The key outputs of the assessment include a comprehensive view of the risks, prioritized for each site as well as across the enterprise. Depending on the client’s needs, these reviews can be done against standards such as the NIST CSF, CIS Top 20, or a broader DHS defense-in-depth framework. The defense-in-depth output provides a simple way of seeing the risks across each of the key layers of defense, as seen below.

Use the tech-enabled visibility to develop a prioritized risk ranking based on asset risk score and the analysis of asset criticality. This leads to a clear prioritized roadmap of remediation initiatives.
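The scoring and prioritization described in the Phase 2 component list (criticality, potential for exploitation, process/safety impact, remediation in the least time and cost), the categories of findings listed under the 360-degree perspective (dormant accounts, missing patches, unapproved remote access software, known CVEs), the “red to green” tracking under continuous monitoring, and the prioritized risk ranking above can all be sketched in a few functions. The following is an added example, not Verve’s code or the Verve Security Center’s scoring model: the inventory records, the vulnerability lookup table, the CVE-style identifiers (obvious placeholders), the weights, and the risk formula are all constructed assumptions for illustration.

```python
"""Toy OT risk scoring and remediation prioritization (added example, not Verve's code).

All assets, accounts, vulnerability entries and weights below are constructed;
identifiers such as CVE-EXAMPLE-0001 are placeholders, not real advisories.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Asset:
    name: str
    kind: str                 # "hmi", "plc", "server", "switch"
    criticality: int          # 1..5, from the site's own process/safety analysis
    product: str
    version: str
    internet_reachable: bool  # from the network configuration review
    software: list[str] = field(default_factory=list)
    accounts: dict[str, date] = field(default_factory=dict)  # username -> last login
    missing_patches: list[str] = field(default_factory=list)


@dataclass
class Finding:
    asset: str
    category: str           # "cve", "patch", "software", "account"
    detail: str
    exploitability: float   # 0..1, likelihood the weakness can be exploited
    impact: float           # 0..1, process/safety consequence if it is
    effort: int             # 1..5, relative remediation time and cost
    risk: float = 0.0


# Constructed stand-in for an NVD/ICS-CERT lookup, keyed by (product, version).
KNOWN_VULNS = {
    ("winserver", "2012"): [("CVE-EXAMPLE-0001", 9.8, "RDP remote code execution")],
    ("plc-fw", "2.1"): [("CVE-EXAMPLE-0002", 7.5, "unauthenticated firmware upload")],
}
UNAPPROVED_SOFTWARE = {"teamviewer", "anydesk", "itunes"}  # assumed site policy
DORMANT_DAYS = 365                                         # assumed site policy

# Constructed sample inventory for one site.
SAMPLE_ASSETS = [
    Asset("HIST-01", "server", 4, "winserver", "2012", False,
          software=["TeamViewer", "Historian"],
          accounts={"oem_support": date(2021, 3, 1), "operator": date(2023, 5, 1)},
          missing_patches=["KB-EXAMPLE-RDP"]),
    Asset("PLC-LINE1", "plc", 5, "plc-fw", "2.1", False),
    Asset("ENG-WS-02", "hmi", 3, "win10", "21H2", True,
          software=["iTunes"], accounts={"admin": date(2023, 6, 1)}),
    Asset("SW-CORE", "switch", 3, "ios", "15.2", False,
          accounts={"vendor": date(2020, 1, 1)}),
]


def score(asset: Asset, exploitability: float, impact: float) -> float:
    # Risk = criticality x likelihood of exploitation x consequence.
    # Reachability from untrusted networks raises the likelihood term.
    exposure = 1.5 if asset.internet_reachable else 1.0
    return asset.criticality * min(1.0, exploitability * exposure) * impact


def assess(assets: list[Asset], today: date) -> list[Finding]:
    """Turn the inventory into scored findings across the four categories."""
    findings: list[Finding] = []
    for a in assets:
        for cve, cvss, desc in KNOWN_VULNS.get((a.product, a.version), []):
            impact = 0.9 if a.kind in ("plc", "hmi") else 0.6  # closer to the process
            findings.append(Finding(a.name, "cve", f"{cve}: {desc}", cvss / 10, impact, 2))
        for p in a.missing_patches:
            findings.append(Finding(a.name, "patch", f"missing {p}", 0.7, 0.7, 2))
        for s in a.software:
            if s.lower() in UNAPPROVED_SOFTWARE:
                findings.append(Finding(a.name, "software", f"unapproved {s}", 0.6, 0.8, 1))
        for user, last_login in a.accounts.items():
            if (today - last_login).days > DORMANT_DAYS:
                findings.append(Finding(a.name, "account", f"dormant account {user}", 0.5, 0.7, 1))
    by_name = {a.name: a for a in assets}
    for f in findings:
        f.risk = score(by_name[f.asset], f.exploitability, f.impact)
    return findings


def prioritize(findings: list[Finding]) -> list[Finding]:
    # Greatest risk reduction per unit of effort first; ties broken by raw risk.
    return sorted(findings, key=lambda f: (-(f.risk / f.effort), -f.risk))


def site_summary(findings: list[Finding]) -> dict[str, int]:
    # Open findings per category: the "red/green" metric a console would track.
    summary: dict[str, int] = {}
    for f in findings:
        summary[f.category] = summary.get(f.category, 0) + 1
    return summary


def progress(before: dict[str, int], after: dict[str, int]) -> dict[str, int]:
    # Change between two assessment runs; negative numbers mean moving toward green.
    return {c: after.get(c, 0) - before.get(c, 0) for c in sorted(set(before) | set(after))}


if __name__ == "__main__":
    fs = assess(SAMPLE_ASSETS, date(2023, 7, 1))
    for f in prioritize(fs):
        print(f"{f.risk:5.2f}  effort {f.effort}  {f.asset:10} {f.category:8} {f.detail}")
    print(site_summary(fs))
```

Ranking by risk divided by effort is what puts a one-step removal of unapproved software on an internet-reachable workstation ahead of a PLC firmware CVE that needs a maintenance window; sorting on raw risk alone would put the PLC first. Both views are useful, which is why the raw score is kept on each finding. Re-running assess() after remediation and feeding the two summaries to progress() gives the per-site movement the reporting console would show.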

[Figure: cyber security roadmap]

This detailed roadmap can be synthesized into a broader set of initiatives over time.

THE SOLUTION

The overall goal of a technology-enabled assessment is to establish a baseline security maturity against the given framework, such as NIST CSF, and to measure and track improvement over time. Within 30 days, Verve clients can achieve a robust assessment and create a roadmap to make progress on remediation using a closed-loop platform. Immediately demonstrating progress to boards or C-levels against the specific gaps identified in the vulnerability assessment both measures progress and keeps them updated on real-time risks.

Verve Industrial uses such a technology-enabled assessment approach leveraging the Verve Security Center and has increased NIST CSF cyber security maturity levels by 2x within 12 months.

[Figure: Verve NIST CSF maturity improvement]
