Modern vulnerability management in IT and OT

Measuring and improving IT security is now established practice at many companies and is being actively pushed forward. OT security, on the other hand, is still a closed book for many of them. OTORIO explains how IT and OT security can be advanced together and what role vulnerability management and vulnerability scoring play in this.

Which risk reduction measures achieve the greatest reduction in risk, at the lowest cost, for a specific facility, process or an entire production site? Even once these measures have been implemented and only an acceptable residual risk remains, the work is not finished. The mitigation process itself uncovers further hazards and gaps, and these now form part of the newly introduced "acceptable" residual risk.

Risk assessment is therefore an ongoing loop. It lets operational and OT security teams keep their attention on the vulnerabilities that attackers are most likely to exploit in order to do the greatest damage to the organization. Only by repeating this assessment loop can organizations achieve business resilience with a limited amount of resources.

Objectives of the situation assessment

The main goal of the assessment process is to address vulnerabilities in the right order of priority. This post looks at what a vulnerability is, how vulnerabilities should be assessed, and how this applies to digital security in OT environments.

The National Institute of Standards and Technology (NIST) defines a vulnerability in its National Vulnerability Database as: "A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety)."

Relationship between asset inventory and OT vulnerabilities

Creating an accurate, contextual, and detailed inventory of assets is the first step in developing an effective OT vulnerability analysis process. The inventory should record installed software and firmware versions (including their release dates), device connections, operational status, and management information (e.g., owner, operational role, function). A current and accurate inventory captures the asset states on which every later vulnerability and policy check depends.

After the initial inventory, known vulnerabilities can be linked to the corresponding assets. With a large number of assets this mapping must be automated, which requires an algorithm that associates semi-structured vulnerability data (vendor, product and affected version ranges) with the assets found on the network.

The Common Vulnerabilities and Exposures (CVE) list, maintained by MITRE and enriched with scores and affected-product data in NIST's National Vulnerability Database (NVD), currently contains around 170,000 known IT and OT vulnerabilities, making it the most important source of information. This number, and the constant stream of new entries, underscores the scale of the task and the need to automate identification.
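The mapping step above (inventory fields on one side, semi-structured vulnerability records with vendor, product and affected version range on the other) is sketched here as an added example; it is not OTORIO's code. The vendor and product names, the version ranges and the EXAMPLE-* identifiers are constructed placeholders, not real products or CVE entries. The version comparison is the part that most often goes wrong in home-grown matchers: a lexical comparison treats "2.10.0" as smaller than "2.9.2" and silently drops matches.

```python
"""Link semi-structured vulnerability records to an asset inventory.

Added example, not OTORIO's code. Vendor/product names, version ranges and
the EXAMPLE-* identifiers are constructed placeholders, not real entries.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    asset_id: str      # inventory key
    vendor: str        # as recorded by the discovery tool (free text)
    product: str
    version: str       # installed firmware/software version


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    vendor: str
    product: str
    version_start: Optional[str]   # inclusive lower bound, None = unbounded
    version_end: Optional[str]     # exclusive upper bound (NVD 'versionEndExcluding' style)


def normalize(name: str) -> str:
    """Collapse vendor/product spelling variants: 'PLC Firmware' -> 'plc_firmware'."""
    return re.sub(r"[^a-z0-9]+", "_", name.lower()).strip("_")


def parse_version(version: str) -> tuple:
    """Compare versions numerically per component, so 2.10.0 > 2.9.2.

    A plain string comparison gets this wrong ('2.10.0' < '2.9.2' lexically).
    Pre-release suffixes (rc1, beta) are ignored here; they need vendor-specific rules.
    """
    return tuple(int(x) for x in re.findall(r"\d+", version))


def in_range(version: str, start: Optional[str], end: Optional[str]) -> bool:
    """True if version lies within [start, end) of a record's affected range."""
    v = parse_version(version)
    if start is not None and v < parse_version(start):
        return False
    if end is not None and v >= parse_version(end):
        return False
    return True


def match_vulns(assets, records):
    """Return {asset_id: [vuln_id, ...]} for every asset whose vendor, product
    and version fall inside a record's affected range."""
    index = {}
    for r in records:
        index.setdefault((normalize(r.vendor), normalize(r.product)), []).append(r)
    result = {}
    for a in assets:
        candidates = index.get((normalize(a.vendor), normalize(a.product)), [])
        result[a.asset_id] = sorted(
            r.vuln_id for r in candidates
            if in_range(a.version, r.version_start, r.version_end)
        )
    return result


# Constructed inventory and vulnerability feed (fictional vendor 'Acme').
ASSETS = [
    Asset("plc-01", "Acme", "PLC Firmware", "2.9.2"),
    Asset("plc-02", "ACME", "plc_firmware", "2.10.0"),
    Asset("hmi-01", "Acme", "HMI Runtime", "5.1"),
]
RECORDS = [
    VulnRecord("EXAMPLE-0001", "acme", "plc_firmware", None, "2.10.0"),   # fixed in 2.10.0
    VulnRecord("EXAMPLE-0002", "acme", "plc_firmware", "2.0", "3.0"),     # whole 2.x line
    VulnRecord("EXAMPLE-0003", "acme", "hmi_runtime", "5.0", "5.0.4"),    # only 5.0.0 to 5.0.3
]

if __name__ == "__main__":
    for asset_id, hits in match_vulns(ASSETS, RECORDS).items():
        print(asset_id, hits or "-")
```

Run as-is: plc-01 on 2.9.2 receives both PLC records, plc-02 on 2.10.0 only the one covering the whole 2.x line, and hmi-01 on 5.1 nothing, because 5.1 lies above the 5.0.4 cut-off. In production the (vendor, product) key would be a CPE name rather than normalized free text, but the range logic is the same.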

Sources for vulnerability definitions

When evaluating vulnerabilities, the severity of each one is quantified as a numeric score. The industry-standard method is the Common Vulnerability Scoring System (CVSS), maintained by FIRST and used by NIST's NVD. It rates how easily a vulnerability can be exploited and the impact it can have on confidentiality, integrity and availability (the "CIA" triad). One caveat for practitioners: a CVSS base score measures technical severity, not risk. The same score means something different on an internet-facing server and on a PLC in an isolated cell, which is why the asset context from the inventory has to be combined with the score before anything is prioritized.

However, considering published vulnerabilities alone is not enough to determine how vulnerable a particular asset is. A second source is the company's own security policy. For example, if that policy states that medium-strength passwords constitute a vulnerability, this must be taken into account when calculating the asset's vulnerability. Such enterprise-specific vulnerabilities are the primary means by which practitioners bring policy into the vulnerability evaluation.

Industry standards and best practices are a third source of vulnerabilities that contribute to risk. Examples are ISA/IEC 62443, the international standard for industrial automation and control system security that is widely applied in Europe, and NERC CIP, which is mandatory for the North American bulk electric system. Failure to follow best practices shows up as issues such as overly permissive network segmentation, missing EDR agents on hosts that could run them, and unwarranted communication between the IT and OT areas of the network. These findings need to be entered into an overall vulnerability database, where subject matter experts can adjust them as industry standards and best practices evolve.

Assessment of vulnerabilities

Practitioners should score company-specific vulnerabilities with CVSS as well, so that they sit on the same scale as the published ones. The vulnerability database should be flexible enough to let the practitioner adjust individual scores in line with company policy.

Because any recorded asset state can represent a vulnerability, it is advisable to run an algorithm that applies corporate policies to all asset states automatically. The basis for sound decisions about the security posture is therefore the consistent use of one vulnerability database in which every vulnerability, whether from a public feed, from policy or from a best-practice check, is scored by the same method. Only then can an organization prioritize mitigation by risk rather than by source.

Conclusion

Vulnerabilities are one of the four risk components and an important factor when analyzing the security posture. A major challenge is building and maintaining a vulnerability database that can be applied to the asset inventory to decide which remediation actions to prioritize.

The best way to assess vulnerabilities is to score all of them with CVSS. Organizations then avoid having to re-score the published vulnerabilities themselves while still reflecting industry standards and their own policies. Because of the scope and scale of this process, it has to be automated. An organization can then run a consistent, scalable assessment of its security posture at regular intervals, which makes assessments comparable over time and reveals trends in the security posture.

More at Sophos.com

About OTORIO

OTORIO develops and markets the next generation of OT security and digital risk management solutions. The company combines the experience of leading government cybersecurity experts with cutting-edge digital risk management technologies to provide the highest level of protection for critical infrastructure and manufacturing industries.
