10 Steps to Robust OT Vulnerability Management
Mayank Verma, International Channel Leader, Dragos, shares key tips to kick-start the OT vulnerability management journey
The Middle East heavy industry sector is growing rapidly, and governments have committed to a range of programs to accelerate that growth. One such example is in the UAE where Operation 300bn has been designed to raise the sector’s contribution to GDP from US$ 36 billion to more than US$ 80 billion (AED 300 billion) by 2031. Operational technology will, naturally, play a significant role in this transition, but the threat to OT from bad actors is also on the rise.
However, regional security professionals may be unfamiliar with the highly proprietary OT environments they protect. Vendors of OT equipment traditionally install specialised hardware-software mixes that most IT admins have never seen. OT is not about patching apps, monitoring networks, hardening systems, and detecting threats. OT admins work in a world of physical equipment such as pumps, valves, and sensors. Risks lie in the integrity of systems rather than of data, and the potential disasters are shutdowns in operations rather than lapses in compliance.
In OT, downtime is not an easy option, as production lines and nuclear reactors do not have the option to switch to using pencil and paper. Active scanning can also be impractical, as it can cause disruption to ICS operations. And the one- to five-year operations cycles associated with industrial control systems mean a vulnerability might have to be tolerated for long periods, even if a patch is available. To make matters worse, the entrenched nature of legacy OT systems sometimes requires that newer, more attack-hardened systems be installed with many controls switched off, just so they can be compatible with older, critical systems.
To get started with OT vulnerability management, here are 10 tips.
- Tread carefully
Don’t panic when a security incident or regulatory requirement creates the need to address an ICS vulnerability. The haste of a security team in reacting to executive mandates or scrambling to fix a flaw can easily cause operational problems in an OT environment. Instead, think through risk implications to help leaders create the right mandates for resolving vulnerabilities, and create a repeatable system for making good decisions that truly lower overall risk to the business.
- Make the invisible visible
OT vulnerability management starts with an asset inventory. OT assets should be subject to a thorough discovery process that not only identifies them but also classifies them by a range of attributes, maps their dependencies on other assets, and monitors their configuration state. Ideally, OT security teams should have access to tools that allow them to define this process once and automate it, so it can be repeated without overtaxing the workforce. But many asset-visibility tools do not work well in OT environments. For example, you can’t put an agent on a programmable logic controller (PLC). Instead, organizations need an approach that is specific to OT. The guiding plan should set out data-collection requirements in a structured way and lay the foundation for a sustainable, scalable, and efficient asset-visibility program that continuously updates the inventory.
While automatic patches and updates may be out of the question in OT systems, automation can be applied to other stages of the vulnerability management cycle, such as asset discovery (as mentioned above), prioritisation, configuration-drift monitoring, systems backup, and recovery drills.
- Conduct periodic walkdowns
Physical verification is vital in building a robust asset inventory. Mapping high-level architectures and performing comprehensive facility walkdowns to identify hidden assets will pay dividends when it comes to deciding where to establish the first telemetry sources for continuous, verifiable, automated discovery.
- Document everything
This is important chiefly because much of the early days of OT vulnerability management is manual. Later, well-compiled documentation — complete with information on roles and responsibilities — can be converted into compliant, standardized workflows that are repeatable and easy to audit. For this to be possible, documentation must also detail what action was taken on any unveiled vulnerabilities.
- Prioritise vulnerabilities with OT in mind
Prioritization of vulnerabilities in an OT environment differs from the approaches taken by IT security teams. In OT, factors such as operational risk and physical-world ramifications come to the fore. For example, in OT, the most connected systems — especially those connected to third parties — are likely the most at risk, followed by assets with single points of failure or those that exist as centralized systems, such as Active Directory or Windows Server Update Services (WSUS).
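As an added example (not from the article or from Dragos), the inventory-and-automation ideas above and the OT-specific prioritization order in this step can be expressed in code: an agentless inventory record per asset, a configuration-drift check against an approved baseline, and a ranking that puts third-party-connected assets first, then the most connected, then single points of failure and centralized systems. The asset records, baselines and scoring weights are constructed assumptions.

```python
"""Added example: OT asset inventory with configuration-drift detection and
OT-specific vulnerability ranking. All records and weights are constructed."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    kind: str                                       # e.g. "plc", "hmi", "wsus"
    connections: set = field(default_factory=set)   # names of peer assets
    third_party: bool = False          # reachable over a vendor/partner link
    single_point_of_failure: bool = False
    centralized: bool = False          # shared services such as AD or WSUS
    baseline: dict = field(default_factory=dict)    # approved configuration
    current: dict = field(default_factory=dict)     # last observed (passively)


def config_drift(asset):
    """Configuration keys whose observed value differs from the baseline."""
    keys = set(asset.baseline) | set(asset.current)
    return sorted(k for k in keys if asset.baseline.get(k) != asset.current.get(k))


def ot_priority(asset):
    """Score following the article's ordering: third-party connectivity first,
    then connection count, then SPOF/centralized role. Weights are assumed."""
    score = 100 if asset.third_party else 0
    score += 10 * len(asset.connections)
    if asset.single_point_of_failure or asset.centralized:
        score += 50
    score += 5 * len(config_drift(asset))   # drift widens exposure
    return score


def rank_assets(inventory):
    """Asset names ordered from most to least urgent."""
    return sorted(inventory, key=lambda n: ot_priority(inventory[n]), reverse=True)


# Constructed inventory: what a passive discovery pass plus a walkdown might yield.
INVENTORY = {a.name: a for a in [
    Asset("remote-access-gw", "gateway", {"hist-01", "eng-ws"}, third_party=True,
          baseline={"ssh_v1": "off"}, current={"ssh_v1": "on"}),
    Asset("wsus-01", "wsus", {"eng-ws", "hist-01", "hmi-01"}, centralized=True),
    Asset("plc-07", "plc", {"hmi-01"}, single_point_of_failure=True,
          baseline={"mode": "run", "web_server": "off"},
          current={"mode": "run", "web_server": "on"}),
    Asset("hmi-01", "hmi", {"plc-07", "wsus-01"}),
]}

if __name__ == "__main__":
    for name in rank_assets(INVENTORY):
        print(name, ot_priority(INVENTORY[name]), config_drift(INVENTORY[name]))
```

The drift list is what a compensating-control review acts on when a patch cannot be applied; the ranking decides which asset gets that review first.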
- Use compensating controls
Where patching is not an option because of the criticality of an OT asset, workarounds may be required. Critical OT assets are frequently insecure by design, meaning even after patches are applied, they remain vulnerable to losses of view or control through abuse of normal functions.
This means that effective OT vulnerability management programs must master the art of compensating controls — the goal should be to reduce attack surface wherever possible by hardening asset configuration, shutting down unneeded functionality, limiting the footprint and connectivity of assets, and updating the patchable systems that touch the vulnerable system.
- Manage vendor relationships
Major vendors offer cybersecurity solutions and services such as patching and endpoint protection, but these are not a replacement for internal vulnerability management programs. Organizations need to actively manage their relationships with OT vendors to validate upgrades and mitigation measures and to document the status of vulnerabilities. Vendor consultation will also be necessary to ensure that internal steps in the vulnerability management cycle do not void support contracts or warranties.
- Change management
Considerations such as health and safety compliance mean OT assets are subject to rigid and formal change-management processes, often mandated by industry regulators. But it is also important to hold non-regulated assets to the same standards, to avoid changes that lead to operational impact.
- Acquire the right skills
Outside of the automatable processes within the vulnerability management program, tasks such as coordination with asset owners, updating of systems, and implementation of compensating controls require skills and leadership. Acquiring these human assets is key to success in OT vulnerability management.
The secure future
According to a 2020 study from SANS Institute, while more than 91% of organizations include on-premises information technology (IT) infrastructure assets in their existing or planned vulnerability program, just 23% do the same for their OT assets. Organizations must adopt proven, documented OT vulnerability management practices, not only to protect themselves from these threats but also to come into compliance with a growing base of regulations meant to address them.
Taking these 10 steps will build a foundation for a future in which the risks of OT are understood. Operational resilience requires compromise, but with the right practices and skills in place, a wellspring of opportunities can arise.