Taking digital OT and cybersecurity assessment to the next level
Digital OT risk mitigation is an iterative process that requires practitioners to ask themselves: What are the most efficient risk mitigation measures that will achieve the most effective risk mitigation for a particular plant, process or entire production facility?
Ben Reich, Chief Architect at OTORIO, one of the leading providers of OT security, explains the aspects and processes of modern vulnerability management:
Yet even once the mitigation measures have been implemented and only an acceptable residual risk remains, there is still more to be done. The reason is that the mitigation process itself surfaces additional risks and gaps, which become part of the newly introduced “acceptable” residual risk. Treating this as an ongoing process lets operations and OT security teams keep their focus on the vulnerabilities attackers are most likely to exploit to cause the greatest damage to the organization. Only by repeatedly running this risk assessment loop can companies achieve business resilience with a limited amount of resources.
Objectives of the situation assessment
The main objective of the evaluation process is to address the vulnerabilities with the right priority. This post is about exploring the nature of the vulnerabilities, the way they should be assessed, and their application to digital OT security.
The NIST (National Institute of Standards and Technology) defines a vulnerability as follows: “A vulnerability in the computational logic (e.g. code) of software and hardware components that, if exploited, leads to a negative impact on confidentiality, integrity or availability.
Fixing the vulnerabilities in this context usually involves changes to the code, but may also involve changes to the specification or even the abolition of the specification (for example, the complete removal of the affected protocols or functions).”
Vulnerabilities are known flaws in a company’s security posture. Remediating them may involve measures such as updating a software version, disabling a communication protocol, or changing a password.
The relationship between asset inventory and OT vulnerabilities
Creating an accurate, contextual and detailed asset inventory is the first step toward an effective procedure for analyzing OT vulnerabilities. The inventory should contain software and version data, asset connections, status and management information (for example, owner, operational role, function). An up-to-date and accurate inventory reflects the various aspects of each asset’s condition.
Once a first inventory exists, vulnerabilities can be linked to the corresponding systems. This assignment should be automated, especially where there is a large number of assets. For this purpose, an algorithm must be created that can link semi-structured vulnerability data to the systems in the network. NIST’s Common Vulnerabilities and Exposures (CVE) database currently contains about 170,000 known IT and OT vulnerabilities, making it an important source of information. This number, and the constant arrival of new vulnerabilities, illustrates the scale of the task and the need to automate their identification.
Sources for vulnerability definitions
When evaluating vulnerabilities, the severity of each individual vulnerability is quantified with a score. The standard method is NIST’s Common Vulnerability Scoring System (CVSS), an industry standard that rates how easily a vulnerability can be exploited and what impact exploitation has on confidentiality, integrity and availability. These three factors, known as the “CIA” triad, are also the variables that measure the potential severity of a threat.
However, common vulnerabilities, i.e. those published in the public catalogues, are not by themselves sufficient to determine the vulnerability of a particular asset. A further source is the enterprise’s internal policy. For example, if such a policy stipulates that passwords of medium strength are a weak point, this must be taken into account when calculating the vulnerability of the asset. Company-specific security flaws are the primary way for practitioners to factor policies into the assessment of vulnerabilities.
Industry standards and best practices are also important sources of vulnerabilities that contribute to risk. Examples of industry standards are ISA/IEC 62443 in Europe and NERC CIP in North America. Failure to follow best practices leads to problems such as an overly permissive segmentation configuration, the absence of EDR agents, and unjustified communication between the IT and OT areas of the network. These must be included in an all-encompassing vulnerability database, where professionals can modify them as industry standards and best practices evolve.
Evaluation of vulnerabilities
Practitioners should score organization-specific vulnerabilities with the CVSS system so that they sit on the same scale as common vulnerabilities. The vulnerability database should be flexible enough for the practitioner to influence the scoring based on company policies. Since any asset condition can be a weak point, it is advisable to use an algorithm that applies the company guidelines to all asset conditions.
The basis for sound decisions about the security posture is therefore the consistent use of a vulnerability database in which every vulnerability is scored by one standard method. This allows a company to prioritize mitigation based on risk.
Adaptation of vulnerability and risk calculation for OT environments
Companies have repeatedly heard that confidentiality, data integrity and availability do not adequately reflect their concerns about OT environments. Instead, the OT KPIs must reflect parameters such as security and business continuity.
While this is a valid point, there are three reasons why the discussion of OT vulnerabilities revolves around these definitions:
- The changes in the OT KPIs related to cybersecurity are the result of the “impacts” mentioned above (i.e. confidentiality, integrity, availability).
- Since the vulnerabilities are focused on digital assets, they must be measured through the prism of cybersecurity industry standards.
- It makes the evaluation of all vulnerabilities on a single scale much less labor-intensive.
This logic does not preclude a reference to OT KPIs in the risk model. The risk model treats OT KPIs as a consequence of confidentiality, integrity and availability. This is done through a mapping process, which is a separate topic in its own right.
Vulnerabilities are one of the four risk components and an important factor in posture analysis. A major challenge is developing and maintaining a vulnerability database that can be applied to the assets in order to decide on the prioritization of remedial measures.
The basis for every good evaluation is an appropriate assessment of the vulnerabilities. This is a process with several steps:
- Implement an automated process for creating an accurate and detailed asset inventory.
- Collect common vulnerabilities from the CVE database.
- Use company policies, best practices and industry standards to complete the full set of vulnerabilities.
- Review the vulnerability scores and apply organization-specific changes where necessary.
- Apply the vulnerabilities to the individual assets.
- Use the vulnerability data in the risk calculation.
- Based on the risk, determine and prioritize which vulnerabilities need to be mitigated.
The best way to evaluate vulnerabilities is to adhere to the CVSS system. Companies thereby avoid having to re-score all common vulnerabilities and at the same time comply with the industry standard. Given the scope and scale of this process, it has to be automated. In this way a company can regularly carry out a consistent and scalable assessment of its security posture, which makes it possible to compare assessments over time and identify trends.
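The steps above as a single worked pass, as an added example that is not OTORIO's code: a constructed inventory is matched against constructed advisory records by product and affected-version range, policy findings (medium-strength password, missing EDR agent) are expressed as CVSS 3.1 vectors so they share the CVE scale, and the result is ranked by severity times asset criticality. The CVSS 3.1 base-score formula follows the FIRST specification; the asset ids, product names, advisory ids and the vectors assigned to the policy findings are placeholders.

```python
# Added example (not OTORIO's code); the inventory, advisory and policy data below is constructed.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}  # CVSS 3.1 base-metric weights (FIRST spec)
AC = {"L": 0.77, "H": 0.44}
PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)}  # (scope unchanged, scope changed)
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

def roundup(x):
    # CVSS 3.1 Roundup(): smallest one-decimal value >= x, computed in integer math
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (i // 10000 + 1) / 10

def cvss31_base(vector):
    # Base score for a "CVSS:3.1/AV:_/AC:_/PR:_/UI:_/S:_/C:_/I:_/A:_" string
    m = dict(p.split(":") for p in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["PR"]][int(changed)] * UI[m["UI"]]
    return 0.0 if impact <= 0 else roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def vtuple(v):
    return tuple(int(x) for x in v.split("."))  # "2.3.1" -> (2, 3, 1) for range comparisons

# Inventory: product, version, plant criticality (1-5) and the state the policies inspect
INVENTORY = [
    {"id": "PLC-01", "product": "acme_plc", "version": "2.3.1", "criticality": 5, "password": "medium", "edr": False},
    {"id": "HMI-07", "product": "acme_hmi", "version": "4.0.2", "criticality": 3, "password": "strong", "edr": True},
]
# Advisories (placeholder ids) with semi-structured affected-version ranges and base vectors
ADVISORIES = [
    {"id": "CVE-0000-0001", "product": "acme_plc", "min": "2.0.0", "max_excl": "2.4.0", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "CVE-0000-0002", "product": "acme_hmi", "min": "4.1.0", "max_excl": "4.2.0", "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},
]
# Company-policy findings, each with the CVSS vector the practitioner assigned to it
POLICY = [
    ("weak-password", lambda a: a["password"] != "strong", "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"),
    ("no-edr", lambda a: not a["edr"], "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"),
]

def assess(inventory=INVENTORY, advisories=ADVISORIES, policy=POLICY):
    rows = []  # (asset, vulnerability, CVSS severity, risk = severity x criticality)
    for a in inventory:
        hits = [(d["id"], d["vector"]) for d in advisories if d["product"] == a["product"]
                and vtuple(d["min"]) <= vtuple(a["version"]) < vtuple(d["max_excl"])]
        hits += [(name, vec) for name, check, vec in policy if check(a)]
        for vid, vec in hits:
            sev = cvss31_base(vec)
            rows.append((a["id"], vid, sev, round(sev * a["criticality"], 1)))
    return sorted(rows, key=lambda r: r[3], reverse=True)  # highest risk first
```

Calling `assess()` yields the prioritized list; the HMI falls outside the advisory's version range and satisfies both policies, so only the PLC produces findings. Replacing `ADVISORIES` with records pulled from the CVE feed and extending `POLICY` with the organization's own rules turns this into the automated loop the article describes.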