Defending critical infrastructure environments requires 360-degree visibility into asset and network vulnerabilities, which is why a vulnerability assessment is so important.
Vulnerability management teams often face difficulties in patching all of their systems on a timely basis. This is true for traditional operational technology (OT) devices such as human-machine interfaces (HMIs), programmable logic controllers (PLCs), etc. But it is also very true in sensitive information technology (IT)-like environments such as pharmaceutical labs or hospitals. Recent research says that 81% of chief information officers (CIOs) and chief information security officers (CISOs) delay patches due to operational concerns.
The resolution is typically to prioritize patches most critical to your OT environment based on risk and exploitability. But this raises two questions: How do you effectively prioritize, and what do you do with those assets that either cannot be patched or are not at the top of the priority queue?
What is an OT/ICS vulnerability assessment?
OT/industrial cybersecurity (ICS) vulnerability assessment is the process by which an organization identifies the potential gaps in its security due to software, configuration, design and user/account insecurities, and then prioritizes which of those risks poses the greatest threat to operations. In OT cybersecurity, a vulnerability is defined as a weakness that can be exploited by a threat actor or hacker to infiltrate and wreak havoc.
The key components of OT/ICS vulnerability assessment tools include:
- Comprehensive asset inventory, including all hardware, software, network configurations, device settings, user and account information, etc.
- Identification of known vulnerabilities based on published databases such as the National Institute of Standards and Technology (NIST) National Vulnerability Database, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), etc.
- Scoring risks based on asset criticality, the potential for exploit and impact, and, most importantly, the potential impact on process or safety as a result
- Prioritization of remediation to reduce the greatest risk in the least time and cost
Most organizations use various tools for patching and vulnerability management, network segmentation and management, configuration management, malware protection and access control. It is difficult to effectively address patching in these critical systems without a full view of the entire vulnerability and protection picture. Without a 360-degree view, it becomes impossible to understand the true vulnerability as well as to prioritize remediation actions.
A 360-degree asset analysis aggregates a full view of the environment into a single database and analysis tool including:
Asset technical details:
- Patch status
- Software vulnerabilities, including common vulnerabilities and exposures (CVEs), alerts, etc.
- Insecure endpoint configurations
- 100% software inventory to identify unnecessary and risky software programs
- Dormant, admin, shared and other account risks
- Password settings
- Unapproved or risky ports, services, etc.
- Network protections, such as the location of assets behind firewalls, access control lists (ACLs) enforced, etc.
- Log data on device and user behavior
Third-party tool information:
- Anti-virus signature status
- Application whitelisting control status (present, lock-down, etc.)
- Backup status
Meta-data (or internal expert knowledge):
- Operational criticality of the asset
- Location, owner, etc.
- System grouping and regulatory environment
Benefits of a vulnerability assessment for OT/ICS:
Improved efficiency and effectiveness of patch prioritization:
Looking at the CVE and common vulnerability scoring system (CVSS) score and including exploits is an incomplete picture of the risk of an asset. You need to include asset criticality. If that asset is sitting behind a data diode or has application whitelisting with a narrow application set in lockdown mode, the asset may be less at risk than one that has fewer critical vulnerabilities but has no network protection.
Efficient and effective roadmap of compensating controls:
It is not enough to prioritize patching. Effective security requires there to be a documented compensating control if deployment of critical patches is delayed. A 360-degree view allows organizations to prioritize which compensating control is most efficient and effective given the asset situation. Is whitelisting an effective option, or is the system too old to allow for agent deployment? Can you remove risky software (that was part of the IT standard build) that requires regular patching? Can you lock down firewalls more? Should you invest in additional firewalls for specific highly critical, older devices?
Automated documentation and audit:
One of the biggest challenges to vulnerability assessment is gaining visibility into what compensating controls are in place if an asset is not patched. 360-degree assessment removes the silos that separate the various controls, allowing much easier audit and documentation, whether your standard is an internally imposed NIST CSF or CIS CSC20 or a regulatory-imposed one.
Patching prioritization is important, but if you add the full view, the security of the environment increases significantly as does the efficiency of the security and IT teams.