What is an OT/ICS vulnerability assessment?
OT/ICS vulnerability assessment is the process by which an organization identifies the potential gaps in its security due to software, configuration, design and user/account insecurities and then prioritizes which of those risks poses the greatest threat to operations. In cyber security, a vulnerability is defined as a weakness that can be exploited by a threat actor or hacker to infiltrate and wreak havoc.
The key components of OT/ICS vulnerability assessment tools include:
- Comprehensive asset inventory including all hardware, software, network configurations, device settings, user and account information, etc.
- Identification of known vulnerabilities based on published databases such as the NIST National Vulnerability Database, ICS-CERT, etc.
- Scoring risks based on asset criticality, potential for exploit, and impact, and most importantly, the potential impact on process or safety as a result
- Prioritization of remediation to reduce greatest risk in least time and cost
Example Learnings from Prior Assessments
Policies & Procedures
- No OT-specific asset identification, inventory and management policy
- No ICS-specific patch/change management policy
- No standard account & password management procedure
- No standard incident response process
Network Architecture
- Perimeter network allows wide access across plants with limited control over which IPs can connect
- Older firewalls and switches with many insecure configurations and missing patches
- Clear-text passwords in many cases
- No separation between ICS and IT network, or if separation exist, few rules limiting traffic
- Limited monitoring for malicious East-West traffic
Access Control
- OT devices with shared passwords
- Devices with default passwords
- No or limited access control over new devices connecting tot he network
- Multiple vendors accessing system with little-to-no monitoring of behavior or assessing vendor security programs
Endpoint
- No accurate asset inventory to identify potential critical vulnerabilities
- Thousands of missing critical patches since systems are outdates or patched irregularly
- Many devices with standard IT security configs, insecure in OT env. or not managed
- Significant number of unnecessary software programs
- Limited log management or IR capabilities
- No consistent, provable backups for OT devices
Why is an OT/ICS vulnerability assessment critical?
OT/ICS vulnerability assessment is critical because it provides the foundational data to enable the creation of a robust remediation roadmap for cyber security protection. Without a comprehensive assessment, industrial organizations may unknowingly pursue expensive and low impact solutions.
With a robust assessment, they gain confidence their security initiatives (and investments) will deliver the greatest ROI possible. Most importantly, it helps provide an accurate view of the potential process risks that might cause physical harm to people or property in OT environments.
From a decade of vulnerability assessments, we discovered 5 key common findings that every OT/ICS environment can benefit from understanding. Read our blog here.
Vulnerability Assessment Customer Success
Read our case study to learn how a top 10 global pharmaceutical manufacturer saved over $600,000 annually with Verve’s unique closed-loop vulnerability management approach