Vulnerability management is crucial for ensuring safety, operations, compliance, and information security in operational technology. By identifying and mitigating vulnerabilities in your OT environment, you can help to prevent disruptions to normal operations and maintain availability and reliability.
Where Does Vulnerability Management Start? Knowing Your Environment.
To kickstart effective OT vulnerability management, understanding your environment is key. It’s important for organizations to gain visibility into their systems, devices, and assets, from the edge to the core. This visibility into the environment should include relevant details about assets such as device type, manufacturer, software version, and configuration information. This data can then be used to map these assets to vulnerabilities, updates, and physical access, and keep your security and operations teams from becoming overwhelmed by the sheer volume of reported vulnerabilities.
Continuous observation and network monitoring also play a vital role in OT vulnerability management. By establishing a baseline of normal, expected behaviors, you can identify any deviations that may indicate potential vulnerabilities or compromised assets.
Working closely with the operations team to codify their knowledge of normal behaviors in each environment will significantly reduce noise and improve efficacy. Since operators know their systems better than anyone else, their knowledge and insight can be helpful in cutting through the noise of what needs to be investigated and which items are typical of the environment.
Finding Potential Vulnerabilities
Once you understand the environment(s) and assets you’re trying to protect, the next step is figuring out what you’re trying to protect them from. Identifying potential vulnerabilities requires staying up-to-date with the latest reporting resources and threat intelligence sources.
Monitor CVEs (common vulnerabilities and exposures) reported by reputable groups like CISA, and review security advisories and warnings published directly by vendors and OEMs.
The ICS Advisory Project provides several dashboard views of CISA-reported CVEs and other data to support vulnerability analysis.
Additionally, organizations can leverage resources like the CVSS (common vulnerability scoring system) and CISA’s KEV (known exploited vulnerabilities) catalog to identify and prioritize relevant vulnerabilities.
High CVSS scores can indicate vulnerabilities that should be prioritized for remediation, but it’s important to note that due to the unique nature of OT environments and industrial control systems (ICS), there may be no patch or remediation available for a reported vulnerability. Any vulnerability listed in the KEV catalog has been observed under active exploitation in the wild, which makes it a high priority for remediation.
When evaluating these scores and resources, consider associated factors like attack vector, attack complexity, the privileges required to conduct the exploit, and whether it requires user interaction.
For example, a vulnerability that requires local or physical access AND user/operator interaction for exploitation might not need to be addressed right away, especially if the affected device in your network is located in a segmented and physically secure area.
So, Which Vulnerabilities Do You Start With?
The overwhelming number of reported vulnerabilities and information sources can be daunting. Rather than getting caught up in the numbers, the best thing to do is to figure out which ones are relevant and might be exposed in your environment.
With each potential vulnerability, it’s important to ask the following questions:
- How are the network, assets, and devices configured?
- Is this network/network area segmented?
- Is there monitoring in place for these networks/systems?
- Is this environment remotely accessible?
- How is it remotely accessed? Jump host? VPN?
- Is this access managed, authenticated, and monitored? How?
- What physical security controls are in place?
- Are the assets/devices currently supported by the vendor/manufacturer?
- Is there an active maintenance contract?
- What are the policies regarding updates/changes outside of the vendor’s controls?
- Are there any existing security controls in place that could mitigate the risks?
Answering these questions will strengthen your organization’s OT vulnerability management strategy, ensuring a more secure and resilient industrial environment.
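As an added example (not SynSaber’s code or tooling), the snippet below turns the prioritization logic from the CVSS/KEV discussion and the environment questions above into a small triage function: it parses the exploitability metrics out of a CVSS v3.x vector string, treats KEV membership as an override, and defers local-plus-user-interaction findings on segmented, physically secured assets. The thresholds, weights, class names and the sample records are assumptions chosen for illustration.

```python
from dataclasses import dataclass


def parse_cvss_vector(vector: str) -> dict:
    """Parse 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/...' into {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:3"):
        raise ValueError("only CVSS v3.x vector strings are supported")
    return dict(p.split(":", 1) for p in parts[1:] if ":" in p)


@dataclass
class AssetContext:
    """Answers to the environment questions for one asset (assumed field names)."""
    segmented: bool            # is the network area segmented?
    physically_secure: bool    # physical security controls in place?
    remotely_accessible: bool  # reachable via jump host / VPN?
    monitored: bool            # network monitoring in place?
    vendor_supported: bool     # still supported / under maintenance contract?


def prioritize(base_score: float, vector: str, on_kev: bool, ctx: AssetContext):
    """Return (priority, action) for one vulnerability on one asset."""
    m = parse_cvss_vector(vector)
    # No vendor support usually means no patch: plan a compensating control instead.
    action = "patch" if ctx.vendor_supported else "compensate"
    if on_kev:
        return "critical", action  # KEV = observed exploitation; no further debate
    needs_local = m.get("AV") in ("L", "P")   # local or physical access required
    needs_user = m.get("UI") == "R"           # operator interaction required
    if needs_local and needs_user and ctx.segmented and ctx.physically_secure:
        return "defer", action  # exposure is low; revisit at the next maintenance window
    exposed = ctx.remotely_accessible and not ctx.segmented
    if base_score >= 9.0 or (base_score >= 7.0 and exposed):
        return "high", action
    if base_score >= 7.0:
        return "medium", action
    return "low", action


if __name__ == "__main__":
    # Constructed sample: a local, user-interaction-required bug on a well-isolated PLC.
    plc = AssetContext(True, True, False, True, True)
    print(prioritize(7.8, "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", False, plc))
```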
Mitigate, Manage, Monitor
Once your team has an understanding of the vulnerabilities present in your environment and has prioritized which vulnerabilities need to be addressed, the next step is determining the best way to address them.
One of the most common methods for addressing vulnerabilities is to apply a patch or update the firmware or hardware, but this isn’t always feasible in OT environments. A patch may not be available, especially if a device or software is no longer supported by the manufacturer or if applying one might void any warranty or service contracts.
As safety and reliability are top concerns in critical infrastructure, patching/updating windows are often less frequent than in enterprise environments. Applying a patch to an OT asset or system is typically more complex than patching across IT systems. Organizations often have to wait for an appropriate maintenance window and receive approval from the vendor for the patch, as it may not always be supported by an existing maintenance contract.
When a vulnerability can’t be addressed directly with a change in the asset or its configuration, other mitigating actions could be implemented such as more robust segmentation or the creation of policies or processes to better control exposure.
Maintaining visibility into each network is crucial for monitoring the effectiveness of vulnerability mitigations, but that’s only part of the battle. Continuous visibility can aid in testing the impacts of any changes to policy, processes, and configurations, as well as identify any anomalous behavior.
Getting Ahead and Staying Ahead with Visibility
Whether you’re just starting your vulnerability management and visibility journey or want to find an automated solution in understanding all the assets in your OT environment, SynSaber is ready to aid your quest. Low-hardware, software-based sensors can be deployed in even the smallest, most resource-constrained environments.
Have any questions or want to see SynSaber in action? Reach out to a member of our team for a personalized demo!