Technology enabled vulnerability assessment insights
- Building an operational technology (OT) cybersecurity program is crucial to making sure your physical devices are protected from threat actors.
- Technology-enabled vulnerability assessment (TEVA) gathers detailed visibility of the risks of the environment and prioritizes those risks.
- TEVA is cost effective because of its automation-driven elements, allowing everything to take place on a local server, rather than having to travel to different sites for endpoint vulnerabilities.
There has been a long debate about the best way to address cybersecurity risks. You hear about new vulnerabilities in industrial control system (ICS) devices (40% more than last year). You hear about new threat actors targeting critical infrastructure. You hear about offerings from OT/ICS cybersecurity vendors. OT/ICS security teams hear different perspectives from different groups and are often left confused as to the best place to begin. A technology-enabled vulnerability assessment can be a great place to start.
Where to start your OT cybersecurity program
The United States Cybersecurity and Infrastructure and Security Agency (CISA) recommends defense in depth as a way to protect OT/ICS environments. This includes items from policies and procedures to network, access and endpoint protection. Through all of their advisories for new vulnerabilities and new threat actors, CISA is consistent in its advice. The good news is there are a set of programmatic things you can do to protect your organization.
Improving the reliability and security of ICS networks, Verve has successfully deployed in thousands of environments and conducted hundreds of site assessments of cybersecurity on OT systems. These deployments have called attention to how differently every organization approaches their cybersecurity program, but it’s become evident the most successful programs start the same way.
Conducting a robust vulnerability assessment of the ICS/OT attack surface is key to getting your program right. While there is a temptation to jump in to “do something” to demonstrate progress, organizations tend to neglect the importance of first assessing the situation because of how long it can take. While these companies jump to take immediate actions they know they will eventually need (such as network segmentation or threat detection), this is not the most effective or efficient approach. And it may end up costing you in the long run.
For these reasons, we recommend beginning with a technology-enabled vulnerability assessment (TEVA). A TEVA gathers detailed visibility of the risks of the environment and prioritizes those risks. Unlike a traditional vulnerability assessment, it uses technology that gathers detailed asset inventory directly from the endpoints. This results in prioritizing the risks and remediations to gain the greatest maintainable security in the least time and cost.
Benefits of a technology-enabled assessment for endpoint-enabled security:
- TEVA provides an accurate asset inventory with data directly from endpoints in the network rather than relying on spreadsheets or scans for immediate response support or vulnerability assessment. A robust asset inventory is critical to the entire program and acts as the foundation to build upon.
- TEVA has several advantages over the traditional manual/survey-based assessment approach because it leverages technology:
- Lower cost because of the automation of the data collection and no need for travel to each site
- Fact-based data on endpoint vulnerabilities rather than relying on surveys
- Accelerated time to remediation using the technology employed in the assessment
- Real-time updating of the assessment so that as remediation is conducted, the assessment updates risk scores
- The technology enables a detailed view of current network rules and protections by analyzing ACLs and configurations of firewalls and switches
- Although network segmentation will certainly be part of an ICS/OT security program, starting with that effort often leads to challenges due to the time it takes to deploy new hardware and the moves of systems required. In addition, many segmentation efforts stall because of a lack of visibility into the endpoints that you actually want to segment, which the assessment provides.
- Network anomaly detection is not usually a good place to start given the cost and time to deploy those solutions in most OT networks with the need for span ports, taps and other infrastructure necessary to provide the level of depth required.
- TEVA provides the foundation necessary for deployment of endpoint protection not only because it identifies all of the assets and their operating system (OS) versions and software in the environment, but also because it provides the right access to deploy those tools once the technology is enabled.
The tech-enabled vulnerability assessment is defined by a 360-degree view of the most significant threats to the environment, such as … is the biggest threat the communication at layer 1 between two programmable logic controllers (PLCs) or between a human machine interface (HMI) at level 2 and a PLC at level 1? Is the biggest threat that an attacker will reach the IT system and ransomware will spread into OT because it’s connected to IT? Is it that a targeted attacker will find a way through the perimeter and run malware or gain privileged access to HMIs and servers to conduct the rest of the campaign? Is it that they will use that access to take advantage of a vulnerability in a PLC or controller to cause a denial of service (DOS) or other impact on that device?
It also determines what the organization’s starting point is, whether IT/OT separation exists, if it’s well configured, if you have significant software vulnerabilities, etc. Then consider what is most timely to execute: How long does a particular project take? What enablers are required to do the first thing?
FAQ about endpoint detection
With this recommendation, we often get the following questions:
Aren’t perimeter network protection and detection going to be the first thing to do in any remediation program?
We are in no way recommending that an organization ignore its perimeter security. In fact, when we use the technology-enabled vulnerability assessment, we find that the most important effort is to improve the perimeter network security. However, the TEVA provides a strategy of the best way to achieve this. For instance, an organization may already have a design that provides for perimeter security, but it is in the configuration of the network protection devices and the evolution of things such as dual NICs, remote access, etc., which degrade the designed security posture. On the other hand, some organizations (or even sites within an organization) may have no clear process control network and their OT networks connect to various connections of the business network and require comprehensive hardware deployment and movement of system connections to achieve the perimeter protection. A fact-based perspective on the actual devices, how they connect and the rules in the various network devices is critical to establishing the roadmap.
Since we can’t patch regularly and can’t use modern EDR tools because vendors don’t approve them, isn’t the best place to start always network anomaly detection since we really can’t “protect” our endpoints?
To paraphrase Mark Twain – the report of the death of endpoint protection in OT has been grossly exaggerated. The reality is there is a significant amount of endpoint protection possible in OT/ICS devices. Moreover, many of these can be accomplished more efficiently than trying to deploy the necessary infrastructure (spans/taps/collectors/etc.) to conduct packet analysis for network anomaly detection. In most OT/ICS environments, 360-degree TEVA analysis discovers hundreds or thousands of software vulnerabilities, missing patches, users and accounts that are insecurely managed, insecure or unnecessary software, insecure configuration settings, weak firewall ACLs, out-of-date antivirus signatures, etc.
Each of these offers ways to rapidly improve the security of the environment, with no need for additional hardware or infrastructure. Patching, for instance, is NOT impossible. Many of these patches are already approved by vendors, and in many cases, an “80-20” rule can be applied. By applying just a handful of patches, the organization can address 80% of their vulnerabilities. Similarly, by focusing on those more critical devices – domain controllers, servers, HMIs, etc., a significant improvement in overall risk is possible. Further, by eliminating dormant or insecure accounts, changing default passwords, eliminating software that shouldn’t be on OT systems (such as TeamViewer), hardening configuration settings or even just tightening the ACLs in the existing network infrastructure, organizations can make rapid progress in securing their endpoints.
Many original equipment manufacturer (OEM) vendors have approved antivirus solutions and, in most cases, the updated signatures are regularly approved. Furthermore, application whitelisting is a very effective form of OT/ICS endpoint protection that requires no signature updates. In fact, CISA has recommended in prior releases that effectively deployed whitelisting is the #1 protection for OT systems.
Why use a technology-enabled vulnerability assessment rather than conduct a traditional assessment which would require no technology deployment?
Although we understand the attractiveness of a manual/survey/questionnaire-based approach because it sounds less intrusive, the results are much less effective and efficient than when leveraging technology. Technology-enabled vulnerability assessment advantages include:
- Lower cost by using technology rather than human resources with all the attendant travel, etc.
- Real-time assessment data. A manual assessment is only as good as its data which decays quickly as changes happen. Further, this allows the organization to track as the OT/ICS system goes from “green” to “red’ as remediation is implemented.
- Accurate, fact-based risk information. In most cases, we have found that survey or questionnaire-based data is incomplete at best and completely inaccurate at worst.
- Ability to immediately take remediating actions rather than waiting months after the assessment to deploy the solutions necessary to remediate anything discovered.
Original content can be found at Verve Industrial.