A Unique Approach to Vulnerability Management in OT
• "We need to do a vulnerability assessment of our ICS systems."
• "We want to integrate our OT systems into our corporate vulnerability management program."
• "The number of risks in OT is escalating dramatically. We need to have better control over the patching on these systems."
• "You can't effectively patch ICS, so just focus your efforts on anomaly and threat detection."
These quotes have come across from prospects and industry analysts recently, and while there is no mistaking that vulnerability assessment and management of ICS/OT is growing in importance (and frustration), IT leaders need to understand the risks in OT systems for proper reporting to the C-suite and boards of directors.
OT leaders need to protect their systems from cyber threats, especially the ever-present risk of ransomware, but cannot afford to interrupt production. And neither group has very attractive solutions.
The purpose of this whitepaper is to share an alternative approach to vulnerability management in OT that we call 360-Degree ICS Risk Management. The unique concept has evolved over the course of a decade from work with dozens of industrial organizations managing IT-OT environments.
Defining vulnerability management
There are as many definitions for vulnerability management as there are cybersecurity vendors and standards bodies. Most, however, boil down to a similar set of components: the business process of identifying, evaluating, treating, and monitoring/reporting on software insecurities and misconfigurations of endpoints.
Ernst & Young breaks down vulnerability management into five steps: Prepare, Discover, Qualify, Treat, and Monitor & Report.
While some vulnerability management frameworks simplify the qualify and discover components into a single step as either evaluate or prioritize, the overall key is the notion that the process of "scan-patch-rescan" is required to close the loop on remediating identified vulnerabilities.
It is important to recognize that vulnerability management, as practiced in traditional IT environments, fits within a much broader risk management effort which includes patch management, configuration management, anti-malware management, network management, user and account management, software management, inventory management, and perhaps a broader CMDB program.
Vulnerability management, as defined in IT, is specifically focused on identifying known software insecurities published by vendors or third parties.
Although vulnerability assessments may extend to identifying misconfigured systems in some cases, they do not extend to analyzing risks from poor network configuration or ACL management, weak or outdated malware defenses, lack of robust backups, risk from unnecessary or non-"vulnerable" but potentially risky software, poor user and account management, etc. They do not need to. These other risk functions are managed by different parts of the organization.
Although IT vulnerability management is a well-known and practiced process, it still contains many challenges. Identifying an organization's assets is often complex. Reaching devices to scan in a world of an increasingly mobile workforce is technically difficult.
The handoff from assessment to patching and treatment contains procedural gaps in ownership and technology, leaving the last 10-20% of devices unpatched. Prioritizing which patches and vulnerabilities are most critical is time consuming and frustrating.
CHALLENGES OF EFFECTIVE VULNERABILITY MANAGEMENT IN ICS
• A robust and accurate asset inventory is the foundation of any successful vulnerability management program, but it is commonly incomplete in ICS environments because running regular NMAP or other inventory scans causes device failures, and networks are often segmented and sub-segmented.
• The core IT vulnerability assessment tool, the scan, is risky in a world of older, sensitive, embedded OT devices. As a result, vulnerability scans are either done slowly, infrequently, and only on targeted devices, or not completed at all.
• The most common treatment or remediation for vulnerabilities, rapid patching, is also not always feasible in ICS. In some cases, patching creates operational risks. In many cases, OT devices cannot be rebooted regularly or require hardware updates or complete control system upgrades. As a result, patching is delayed or not completed at all.
• The way of prioritizing remediation actions (risk-based assessment) requires a different set of methodologies in OT/ICS given the different asset functionalities, ages of devices, and the compensating controls put in place due to the lack of robust patching and configuration management.
• Finally, there is the broader challenge that a robust risk management program does not exist or fit into most ICS environments. Asset management or IT Systems Management are so common in IT, but are not present in OT, nor are the resources to manage it.
VULNERABILITY MANAGEMENT: ASPIRATIONS & GAPS
From our work with hundreds of OT leaders, operators, CISOs and IT leaders, as well as dozens of C-suite members of industrial companies, the need has become clear. They want a vulnerability management program that accomplishes the following:
• Gathers a robust inventory without the need for scanning or expensive hardware deployments into remote and sub-segmented networks
• Identifies known vulnerabilities across all IT and embedded OT assets without risking operational integrity
• Happens in near real-time with regularly refreshed data
• Integrates vulnerabilities with all risks present in the environment (from users and accounts, to unnecessary/risky software, to misconfigurations, to weak network rules, failed backups, missing AV signatures, etc.) and provides a true risk assessment of each asset in the environment
• Provides a remediation solution to rapidly treat risks from a single platform tied directly to the assessment function so there are no gaps
• Makes it efficient, fast, and safe for all vendor equipment in the environment
• Provides standardized reporting to demonstrate progress to superiors in a consistent format
The two most common approaches to ICS vulnerability management lack many of these key features.
1) Traditional IT scanning tools adapted for use in OT/ICS
Because scanning is risky in OT environments, organizations adopt an approach to scan only on an infrequent basis, often while the plant is offline. They use a manual approach to target specific individual IP addresses (rather than a range) to protect the sensitive embedded OT devices.
The scan is set to a lower level of intensity to reduce the impact on operations. For embedded devices, they maintain a manual inventory of assets and firmware and, annually or at some other interval, review the list against databases such as the National Vulnerability Database. This approach is slow, manual, shallow, and misses many vulnerabilities between scans.
The IT scanning tool approach takes the scan data and pivots to the use of either manual deployment or a managed automated tool such as WSUS to deploy the patches. In some cases, the patches are tested prior to deployment, but the remediation and assessment processes are only linked at a procedural level, rather than being accessible in one place.
The first approach only focuses on patch-level risks. It does not cover mismanaged users and accounts, software that should not be present in the first place, network design configuration errors, failed backup status, etc. In short, it does not deliver on the objectives described above.
2) Passive monitoring and packet inspection to identify OS versions and missing patches
The second common approach is deploying taps or SPAN ports throughout the network to capture network traffic passively, then conducting packet analysis to infer the firmware and OS versions of the devices on the network.
This approach avoids the risks of scanning and is more modern because a vulnerability can be identified whenever a device communicates on the network, provided the tool sees the packet and can decode it.
However, passive approaches have significant drawbacks:
• Expensive and time-consuming deployment: While a passive listener is very easy to deploy at the top of a network on modern network equipment, there is limited visibility into deeper segmented networks. Gaining deeper visibility into the network requires additional taps in front of switches and routers rooted deeper in the network. Adding taps costs into the millions of dollars for labor and hardware, and it requires the management of additional hardware.
• Incomplete coverage: Passive listening tools only pick up assets they can "hear", meaning that if an asset does not communicate through a specific "listener", its presence will not be detected and it will be excluded from your asset inventory. Serially connected relays, for example, are highly unlikely to be included in your list of assets.
• Limited detail on data and characteristics: Passive anomaly listening only provides content on what is transmitted, which limits the visibility of the deep information needed for a true risk perspective on an OT asset.
• Inability to act: It is valuable to identify that systems are working and receive feedback if an asset is at risk. But it's not enough to identify the vulnerability if you cannot manage it. An alert is just that: a warning. Taking action to remediate is impossible with passive anomaly detection tools.
Passive tools do often get OS and firmware, when transmitted, but items such as application software versions, verified patch status, user accounts, presence of compensating controls such as whitelisting, backup status, misconfigurations of settings, etc. are not typically transmitted and are therefore missed by passive listening techniques. This is not a surprise since passive listening tools were initially designed to listen and baseline.
Any inventory or endpoint characteristics gleaned are just a happy by-product and not actually an intended attempt at developing a comprehensive endpoint profile.
360-Degree Risk Management
An Alternative OT/ICS Vulnerability Management Approach: Endpoint-Based 360-Degree Risk Management
Over the past decade, we have worked with clients to define an alternative approach to those mentioned. One that addresses the above concerns and needs. One that provides a practical solution for the sensitive OT devices. And one that fills the gaps in "security management" left unfilled in OT environments. We call this approach Endpoint-Based 360-Degree Risk Management.
"Endpoint" because it gathers data directly from the endpoints (including IT-type, networking, as well as embedded OT devices). "360-degree" because it looks at risks from all angles (device, network, compensating controls, operations, etc.). "Risk management" because it integrates both the identification of risks, as well as treatment and remediation, in a single management platform.
Key Features of Endpoint-Based 360-Degree Risk Management:
• Robust IT-OT asset inventory: As with all successful programs, this alternative begins with robust asset visibility. As opposed to scan-based or passive approaches, this endpoint-based approach leverages software to gather information directly from assets without the need for scanning or relying on traffic analysis. It leverages an agent and agentless architecture, proven in the field for over a dozen years on every brand of OEM equipment, to gather information directly from the endpoint, allowing for depth of visibility through segmented networks, deep into the backplanes of OT devices, without additional hardware or risky scanning.
• Gather detailed vulnerability insight without scanning devices: Because of the architecture, this approach gathers the necessary information to provide a robust vulnerability assessment on all devices and all software installed on the device, not just the OS which may be picked up on the wire. It provides a detailed picture of CVEs and gathers the 360-degree risk information missing in OT environments. This includes items such as dormant or misconfigured user accounts, full software inventories to identify unnecessary or risky software, full network configurations and ACLs to identify poorly designed segmentation, out-of-date antivirus signatures, gaps in backups, etc.
• Prioritized 360-degree risk assessment: In IT, vulnerability management is a single aspect of overall risk management. Vulnerability management, together with network and perimeter management, user and account management, patch management, system health, configuration management, etc., makes up overall risk management.
The endpoint 360-degree approach addresses the OT security management gap by integrating all risks into a single database. This enables the creation of a true risk score for an asset that considers the CVEs, their CVSS scores, the relative importance of the asset for operations, its location in the network (to understand accessibility risk), the availability of compensating controls, etc. It allows for true prioritization to make treatment and remediation more efficient, especially in environments where every vulnerability cannot be patched.
• Integrated treatment (or remediation): The core architecture of this alternative approach means that the patching, configuration hardening, and user account management necessary to treat risks are built into the same platform as the assessment function. Users easily pivot directly from a risk identified on a specific endpoint, to identifying the appropriate patch or configuration change, to its automated deployment, all from the same platform.
In this example, a vulnerability management dashboard displaying over 35,000 total patches was filtered to show critical assets (deemed by operations to be critical to safe operations) with a critical risk (as categorized by the NVD) that failed their recent backup and do not have whitelisting in lockdown mode.
Moving past hundreds or even thousands of missing patches and vulnerabilities to focus on those with potential operational impact is a huge improvement in addressing risk reduction and allows OT teams to devote their resources to the most critical risks and assets.
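As an added illustration of the composite risk score and the dashboard filter described above (this is example code written for this edit, not Verve's platform or its scoring formula), the following Python computes a per-asset score from the worst CVSS score, operational criticality, network location, backup status and whitelisting mode, then applies the same four-way filter as the dashboard example. The weights, zone names, whitelist modes and the five sample assets are all constructed assumptions; only the severity bands follow the NVD's published CVSS v3.x qualitative scale.

```python
"""Added example: composite 360-degree risk score and dashboard-style filter.
Not Verve's code; weights and sample assets are constructed assumptions."""
from dataclasses import dataclass

# Assumed weights (illustrative, not the whitepaper's formula)
CRITICALITY_WEIGHT = {"critical": 1.5, "important": 1.2, "standard": 1.0}
ZONE_EXPOSURE = {"dmz": 2.0, "control": 1.0, "safety": 0.5}  # reachability from the IT side
FAILED_BACKUP_PENALTY = 1.5   # harder to restore => higher operational impact
LOCKDOWN_DISCOUNT = 0.5       # whitelisting in lockdown mode is a compensating control


def cvss_severity(score: float) -> str:
    """NVD qualitative rating bands for CVSS v3.x base scores."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "NONE"


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str        # set by operations: critical / important / standard
    zone: str               # dmz / control / safety (assumed zone names)
    cvss_scores: tuple      # CVSS base scores of the CVEs matched to installed software
    backup_ok: bool         # result of the most recent backup job
    whitelist_mode: str     # lockdown / audit / none (assumed modes)


def risk_score(asset: Asset) -> float:
    """Worst CVE, scaled by how much the asset matters and how reachable it is,
    raised if it cannot be restored, discounted if lockdown whitelisting is on."""
    worst = max(asset.cvss_scores, default=0.0)
    score = worst * CRITICALITY_WEIGHT[asset.criticality] + ZONE_EXPOSURE[asset.zone]
    if not asset.backup_ok:
        score += FAILED_BACKUP_PENALTY
    if asset.whitelist_mode == "lockdown":
        score *= LOCKDOWN_DISCOUNT
    return round(score, 2)


def dashboard_filter(assets) -> list:
    """The four-way filter from the dashboard example: critical asset AND
    NVD-critical CVE AND failed backup AND whitelisting not in lockdown."""
    return [
        a.name for a in assets
        if a.criticality == "critical"
        and any(cvss_severity(s) == "CRITICAL" for s in a.cvss_scores)
        and not a.backup_ok
        and a.whitelist_mode != "lockdown"
    ]


def prioritized(assets) -> list:
    """Asset names ordered from highest to lowest composite risk."""
    return [a.name for a in sorted(assets, key=risk_score, reverse=True)]


# Constructed sample inventory (not real assets)
SAMPLE_ASSETS = (
    Asset("HMI-01", "critical", "control", (9.8, 7.5), False, "audit"),
    Asset("ENG-02", "critical", "control", (9.8,), False, "lockdown"),
    Asset("HIST-03", "important", "dmz", (8.8,), True, "none"),
    Asset("PLC-04", "critical", "safety", (7.5,), False, "none"),
    Asset("WS-05", "standard", "control", (9.8, 5.3), True, "none"),
)

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(f"{a.name:8} risk={risk_score(a):6.2f}")
    print("dashboard filter:", dashboard_filter(SAMPLE_ASSETS))
    print("priority order:", prioritized(SAMPLE_ASSETS))
```

Run as-is, the filter reduces the five assets to the single one that meets all four conditions, and the ordered list shows the point of tracking compensating controls: ENG-02 carries the same CVSS 9.8 as HMI-01 but, with whitelisting in lockdown, drops to the bottom of the queue, while PLC-04 with only a CVSS 7.5 rises above the DMZ historian because it is a critical asset with a failed backup.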
• Robust real-time reporting: The goal of any vulnerability management program is to rapidly demonstrate significant improvement in risk. Users must be able to report and provide this in near real-time. This alternative approach provides real-time visibility into risks and treatment actions without the gaps that occur when assessment and treatment are held within different platforms linked by a third ticketing system. The reporting function demonstrates the speed with which vulnerabilities are seen, treated, and confirmed as resolved.
7 Benefits of 360-Degree Risk Management:
1. Rapid and low cost/touch deployment: Negating the deployment of hardware for monitoring of network traffic, the solution deploys in days across dozens of sites. It is accomplished remotely, which is essential for remote productivity.
2. Full IT and OT asset inventory with no scanning required: This architecture allows us to identify and inventory easily accessible IT-type equipment (such as domain controllers, file servers, HMIs, and engineering stations), as well as the more traditional, and usually more prolific, pure OT assets (such as relays, PLCs and controllers). Our abilities extend to first and second stage serially-connected devices like protective relays, which are never scanned and never transmit through a passive listening device.
3. Faster time to reporting and identification: Asset inventories, vulnerabilities and treatments update in near real-time, so querying an asset base is instantaneous and the data is new, relevant and fresh. Compared to a periodic scan or annual vulnerability assessment effort, this approach provides current risk status for all assets, any day of the week/month/year, with current data from both the asset and the NVD.
4. Better risk assessment than just vulnerabilities and faster prioritization: The complete asset view provides the insight and data needed to make informed decisions in line with an overall risk management viewpoint, as opposed to focusing on formal vulnerabilities alone.
5. Faster time to remediation with integrated remediation actions: This approach creates a single source of truth between assess and remediate/treat, meaning the technology is deployed quickly. Insight into risk markers is immediately visible once an agent is on the asset. Most importantly, those same agents perform the required actions to remediate risk on the endpoints.
6. Scaled analysis with OT operator control: 360-degree risk management provides highly detailed information for a central team to analyze, prioritize and act upon. Once an action is deemed necessary (i.e. deploy a patch or uninstall unwanted or risky software), the central team sends an automated, centralized, highly accurate command to all assets across the fleet in scope. The command can have a flag added to "make it an offer", requiring a local OT staff member to log into the target console to accept the action.
Importantly, this added the functionality necessary for OT/ICS environments of placing control over the automated action in the hands of local plant engineering personnel who understand their systems best. This is what we refer to as the "Think Global: Act Local" architecture: global analysis and treatment design, with local control over actions.
This global research, analysis and action, coupled with last-mile OT oversight, is how to scale scarce security resources across many distributed OT assets safely and accurately.
7. Proven safe for over a decade on all OEM equipment brands and operational settings: Perhaps the most important element of any ICS/OT vulnerability management approach is that it does not cause risk to operations. This approach was built through partnership with clients in industries ranging from power, oil & gas, water treatment, pharmaceuticals, discrete manufacturing, CPG manufacturing and building controls. It has been tested on OEM equipment from every major vendor with no negative operational impact.
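The "make it an offer" flag and the "Think Global: Act Local" split above amount to a separation-of-duties control: the central team decides what should happen fleet-wide, but the agent on a flagged endpoint does nothing until someone authorized on that endpoint's own console accepts. The Python below is an added model of that control flow written for this edit; it is not Verve's code, and the endpoint names, operator accounts, state strings and the placeholder patch identifier are all constructed.

```python
"""Added example: 'make it an offer' modelled as central dispatch plus local
acceptance. Not Verve's code; names, states and the patch id are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Endpoint:
    name: str
    site: str
    local_operators: frozenset   # accounts allowed to accept on this endpoint's console


@dataclass(frozen=True)
class RemediationCommand:
    action: str                  # e.g. "install PATCH-PLACEHOLDER" (placeholder, not a real patch id)
    targets: tuple               # endpoint names in scope
    offer: bool = False          # True: hold until local OT staff accept on the console


@dataclass
class Fleet:
    endpoints: dict
    pending: dict = field(default_factory=dict)    # (endpoint, action) -> command
    applied: list = field(default_factory=list)    # (endpoint, action, actor)
    audit: list = field(default_factory=list)

    def dispatch(self, cmd: RemediationCommand) -> dict:
        """Central team sends one command fleet-wide. Plain commands apply at once;
        offers are parked per endpoint and are never executed by the central actor."""
        results = {}
        for name in cmd.targets:
            if name not in self.endpoints:
                results[name] = "unknown-endpoint"
            elif cmd.offer:
                self.pending[(name, cmd.action)] = cmd
                results[name] = "pending-local-acceptance"
            else:
                self._apply(name, cmd.action, actor="central")
                results[name] = "applied"
        self.audit.append(("dispatch", cmd.action, dict(results)))
        return results

    def accept(self, endpoint_name: str, action: str, operator: str) -> str:
        """A person logged into the target console accepts the offer. Only accounts
        in that endpoint's local operator set may do so; anyone else is refused."""
        key = (endpoint_name, action)
        if key not in self.pending:
            return "nothing-pending"
        if operator not in self.endpoints[endpoint_name].local_operators:
            self.audit.append(("refused", endpoint_name, action, operator))
            return "refused-not-local-operator"
        del self.pending[key]
        self._apply(endpoint_name, action, actor=operator)
        return "applied"

    def _apply(self, endpoint_name: str, action: str, actor: str) -> None:
        # Stand-in for the agent performing the patch or uninstall on the endpoint.
        self.applied.append((endpoint_name, action, actor))
        self.audit.append(("applied", endpoint_name, action, actor))


def demo() -> dict:
    """Walk one offer across two sites (constructed scenario)."""
    fleet = Fleet(endpoints={
        "HMI-01": Endpoint("HMI-01", "site-A", frozenset({"alice"})),
        "PLC-04": Endpoint("PLC-04", "site-B", frozenset({"bob"})),
    })
    cmd = RemediationCommand("install PATCH-PLACEHOLDER",
                             ("HMI-01", "PLC-04", "GHOST-09"), offer=True)
    out = {"dispatch": fleet.dispatch(cmd)}
    out["central_tries"] = fleet.accept("HMI-01", cmd.action, "central-admin")
    out["alice_accepts"] = fleet.accept("HMI-01", cmd.action, "alice")
    out["alice_again"] = fleet.accept("HMI-01", cmd.action, "alice")
    out["still_pending"] = sorted(ep for ep, _ in fleet.pending)
    out["applied_by"] = [(ep, actor) for ep, _, actor in fleet.applied]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two properties matter for a defender: an offer is never applied by the central identity, even one with fleet-wide dispatch rights, and every refused or accepted acceptance lands in the audit list, so a review can show which local person took which action on which asset.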
Vulnerability management on its own is short-sighted and difficult to execute in OT. The true path to OT risk reduction is adopting a new way of thinking and scaling technology to enable it. 360-degree risk management provides the insight, context and toolset to identify, contextualize and prioritize actions.
This new approach enables fleet-wide visibility for an ever-dwindling supply of risk and security experts, while extending last-mile asset oversight to boots-on-the-ground OT staff to extend the analysis into action. This is how leading industrial companies make meaningful and profound improvements in OT risk reduction.
Interested in learning more? Speak with one of our OT cybersecurity experts about your risk management needs.
© 2020 Verve Industrial Protection. All Rights Reserved.