Targeted vulnerability analysis in OT
Previous articles have covered the importance of creating and maintaining a thorough inventory of all OT production endpoints. That’s an important first step with multiple benefits, including what’s generally the next logical step: efficient vulnerability management.
A 2020 study by analyst firm techconsult found that just under half of all companies in Germany were affected by a cyberattack in the past year. About 57% of these companies also suffered a disruption in production.
Knowing and looking for network vulnerabilities is clearly important. But given the scale of the threats and the range of affected systems, it’s even more important to do it efficiently. That means using methods that simultaneously minimize the impact on already busy IT/OT staff, and maximize the level of protection by using automated scanning whenever possible.
For this purpose, it is important to categorize vulnerabilities according to various criteria:
There are multiple vetted independent and governmental sources of information about current cyberthreats. In the U.S., NIST compiles and maintains a list of Current Vulnerabilities and Exploits (CVEs). In Germany, the German Federal Office for Information Security (BSI) and the associated Alliance for Cyber Security (ACS, allianz-fuer-cybersicherheit.de) regularly report current threats as well as important security tips and tricks. For example, in a recent report covering the top 10 threats in OT, the infiltration of malware via removable media was at the top of the list. It called attention to the fact that this otherwise avoidable vulnerability might not be identified in a routine security evaluation. The point is to take a broad view when assessing the potential risks to your specific IT landscape.
The next step is to identify the specific vulnerabilities affecting your network endpoints. This is accomplished by using CVEs and other standard sources along with automated scanning methods such as the baramundi Vulnerability Scanner. CVEs are classified according to their criticality on a scale of 0 ("no threat") to 10 ("most severe threat"). This includes threats to the operating system and other installed software. It is advisable to address the most critical vulnerabilities first, of course.
Another vulnerability that should not be underestimated comes from available but uninstalled patches from Microsoft and other software vendors. It’s important to determine the patch status of your current environment on an ongoing basis and to apply updates as quickly as possible. This may be a standard procedure for Windows devices in the office network, but for programmable logic controllers in OT networks it gets more complicated: firmware updates may be an important way to counteract vulnerabilities, but a change in device firmware can severely disrupt production. In this case, it is advisable to talk to the device manufacturer or the company maintenance department if you know that a security-related firmware update is missing. Sometimes it’s necessary to isolate such devices to reduce their threat exposure until a fix can be implemented at a time when disruption can be minimized.
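The prioritization described in the two paragraphs above (rank findings on the 0 to 10 scale, then treat PLC firmware fixes differently from ordinary patches) can be sketched as a small triage script. This is an added example, not baramundi code or scanner output: the CSV layout, endpoint names and CVE placeholders are constructed, the severity bands are the standard CVSS v3.x qualitative ratings, and isolating only on high or critical findings is an assumption.

```python
import csv
import io

# Constructed sample scan export (not real findings); CVE ids are placeholders.
SAMPLE = """endpoint,device_class,cve,score,fix
hmi-01,windows,CVE-PLACEHOLDER-1,9.8,os_patch
plc-07,plc,CVE-PLACEHOLDER-2,9.1,firmware
office-22,windows,CVE-PLACEHOLDER-3,5.3,os_patch
plc-03,plc,CVE-PLACEHOLDER-4,6.5,firmware
hmi-01,windows,CVE-PLACEHOLDER-5,0.0,none
"""

# CVSS v3.x qualitative bands as (lower bound, label), highest first.
BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low"), (0.0, "none")]

def band(score):
    """Map a 0-10 score to its severity band; reject out-of-range input."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    return next(label for low, label in BANDS if score >= low)

def action(device_class, fix, severity):
    """Choose a next step; the isolation threshold is an assumption."""
    if severity == "none":
        return "no action"
    if device_class == "plc" and fix == "firmware":
        # Firmware changes can disrupt production: coordinate first and
        # isolate the device in the meantime when the finding is severe.
        plan = "plan firmware update with manufacturer/maintenance"
        return f"isolate; {plan}" if severity in ("critical", "high") else plan
    return "patch as soon as possible"

def triage(text):
    """Parse the export and return findings ordered most critical first."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        score = float(r["score"])
        sev = band(score)
        rows.append({"endpoint": r["endpoint"], "cve": r["cve"], "score": score,
                     "severity": sev,
                     "action": action(r["device_class"], r["fix"], sev)})
    return sorted(rows, key=lambda r: -r["score"])

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f'{r["score"]:>4} {r["severity"]:<8} {r["endpoint"]:<10} {r["action"]}')
```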
The "human vulnerability" is also listed as a threat by the BSI and ranks third among its top risks. Only constant training, awareness campaigns and the most granular security settings can help here.
There are many different types of vulnerabilities in production networks requiring multiple options to identify vulnerabilities effectively. Moreover, vulnerability management is a dynamic process that is never complete. Therefore, it is advisable to think about how an appropriate vulnerability assessment should be conducted for your OT environment. The time and effort required pays for itself. As more vulnerabilities are identified and remediated, production security and efficiency increase.