A vulnerability is a weakness in a computing resource that can be exploited to cause harm. Mitigating vulnerability risk is accomplished through an effective vulnerability management program that includes vulnerability monitoring, vulnerability risk assessment, and vulnerability mitigation elements.
For effective vulnerability monitoring, you must know:
Only with this information—and only if it is of good quality—can you effectively assess the risk of a vulnerability, decide what mitigation actions to take on what assets, and finally, execute those actions.
Vulnerability monitoring and assessment are particularly challenging to execute well in operational technology (OT) environments because of the large number of disparate assets. Effective vulnerability mitigation actions are only as good as the result of vulnerability monitoring and assessment. If you do not have an accurate asset database, including an accurate software inventory for those assets, you cannot make sound mitigation decisions and your vulnerability management effort will be ineffective.
In control system and OT environments, the criticality of effective vulnerability and patch management is reflected in standards such as NERC CIP-007 (System Security Management), NERC CIP-010 (Configuration Change Management and Vulnerability Assessments), NIST SP 800-40 Rev. 3 (Guide to Enterprise Patch Management Technologies), and ISA/IEC TR 62443-2-3 (Patch Management in the Industrial Automation and Control System Environment). These standards include the requirement to document your vulnerability management efforts for auditing purposes.
There are two leading sources for cyber vulnerability information: NIST and NCCIC. NIST maintains the National Vulnerability Database (NVD), which comprises Common Vulnerabilities and Exposures (CVEs) sourced from MITRE's CVE List and enriches them with CVSS scores and affected-product (CPE) data.
NCCIC, the National Cybersecurity and Communications Integration Center, oversees the Industrial Control Systems Cyber Emergency Readiness Team (ICS-CERT), which publishes alerts and advisories (both functions now sit within CISA, which publishes ICS advisories under its own name). ICS-CERT advisories provide timely information about current security issues, vulnerabilities, and exploits in specific control system products, while alerts notify critical infrastructure operators about current cyber threats or activity that may impact critical infrastructure systems and networks.
A third source of vulnerability information is the OEMs themselves, who often publish vulnerability and firmware-fix information only to their customer portals and not to the general public, and who may issue the only statement on whether a given patch is approved for use on their equipment. This creates the manual task of reviewing each vendor's portal periodically for updates.
Control System and OT environments present several challenges for effective asset vulnerability management:
Patch management should prioritize a patch based on the severity of the vulnerability addressed. In most cases, severity ratings are based on the Common Vulnerability Scoring System (CVSS).
A CVSS score of:
NERC CIP-007 R2 requires that released security patches be evaluated for applicability at least once every 35 calendar days, and that applicable patches then be applied, or covered by a dated mitigation plan, within a further 35 calendar days. Beyond that, time frames for patch implementation vary depending on industry, process, regulation, and experience. However, a responsible OT patching program would specify time frames for patch application based on vulnerability severity, such as ASAP for emergency vulnerabilities, one week for high-impact vulnerabilities, three months for medium-impact vulnerabilities, and six months or the next scheduled outage for low-impact vulnerabilities.
The patch management responsibilities for the OT team are many: they need to continually monitor vulnerability information across multiple sources, determine which vulnerabilities are impactful to their specific environment, which of their assets require which patches to fix specific vulnerabilities, patch those vulnerabilities, and then provide confirmation that the patches have been successfully deployed across the asset base.
With such a critical set of responsibilities, it is clear that you, as an OT team member, must not only have a sound understanding of vulnerability severity and patch availability; you must also know your assets.
Knowing your assets is at the core of any good vulnerability management program. This includes knowing their current patch levels and exposure so you can properly prioritize patching and remediation efforts. Doing this successfully requires the right combination of people, process and technology. The more this process can be automated, the more efficient and effective the people part of the equation can be.
When evaluating technologies to enable your people and process, make sure your vendor can provide you with complete, automated asset inventory data collection, real-time vulnerability monitoring, vendor-approved patch data, and a security rating for each patch. This lets your team visualize precisely which assets are missing vendor-approved patches or have open vulnerabilities published in vendor-specific feeds to make smarter patching and mitigation decisions.
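The core of the monitoring-to-confirmation loop described above is matching advisories against the asset inventory and then re-checking after patches are deployed. The following is an added example (not code from the original page or from any vendor): every asset, product name, version and advisory ID in it is constructed, and it assumes dotted numeric version strings and that an advisory affects all versions below its first fixed release. It also surfaces a point the paragraphs above make in prose, that assets with no recorded version cannot be assessed at all and must be reported as an inventory gap rather than silently skipped.

```python
"""Correlate vendor advisories with an OT asset inventory.

Added example, not code from the original page or any vendor. Every asset,
product name, version and advisory ID below is constructed for illustration.
Assumptions: versions are dotted numerics (non-numeric suffixes are ignored)
and an advisory affects all versions below its first fixed release.
"""
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    asset_id: str
    vendor: str
    product: str
    version: Optional[str]   # None = not recorded in the inventory (a data-quality gap)
    role: str                # operational purpose, e.g. "PLC" or "engineering workstation"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    product: str
    fixed_in: str            # first version containing the fix
    cvss_base: float


def parse_version(v: str) -> tuple:
    """'4.10.0' -> (4, 10, 0). Compare numerically: as strings '4.10.0' < '4.9.0',
    which would wrongly mark an already patched device as vulnerable."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def is_affected(asset: Asset, adv: Advisory) -> Optional[bool]:
    """True/False when decidable; None when the inventory lacks a version."""
    if (asset.vendor, asset.product) != (adv.vendor, adv.product):
        return False
    if not asset.version:
        return None
    return parse_version(asset.version) < parse_version(adv.fixed_in)


def affected_assets(inventory: List[Asset], advisories: List[Advisory]) -> Dict[str, Dict[str, List[str]]]:
    """For each advisory, list assets confirmed vulnerable and assets that cannot
    be assessed until the inventory record is corrected."""
    result: Dict[str, Dict[str, List[str]]] = {}
    for adv in advisories:
        confirmed, unknown = [], []
        for a in inventory:
            verdict = is_affected(a, adv)
            if verdict is None:
                unknown.append(a.asset_id)
            elif verdict:
                confirmed.append(a.asset_id)
        if confirmed or unknown:
            result[adv.advisory_id] = {"confirmed": sorted(confirmed), "unknown": sorted(unknown)}
    return result


def record_patch(inventory: List[Asset], asset_id: str, new_version: str) -> List[Asset]:
    """Return the inventory after a patch has been confirmed on one asset;
    re-running affected_assets on it is the deployment confirmation step."""
    return [replace(a, version=new_version) if a.asset_id == asset_id else a for a in inventory]


# Constructed sample data (not real products or advisories).
INVENTORY = [
    Asset("PLC-01", "ExampleVendor", "ModelX", "4.2.1", "PLC"),
    Asset("PLC-02", "ExampleVendor", "ModelX", "4.10.0", "PLC"),
    Asset("HMI-01", "ExampleVendor", "HMIPanel", "2.0.3", "HMI"),
    Asset("EWS-01", "ExampleVendor", "ModelX", None, "engineering workstation"),
]
ADVISORIES = [
    Advisory("ADV-EX-001", "ExampleVendor", "ModelX", "4.9.0", 9.8),
    Advisory("ADV-EX-002", "ExampleVendor", "HMIPanel", "2.1.0", 7.5),
]

if __name__ == "__main__":
    print("open:", affected_assets(INVENTORY, ADVISORIES))
    patched = record_patch(INVENTORY, "PLC-01", "4.9.0")
    print("after patching PLC-01:", affected_assets(patched, ADVISORIES))
```

Two details matter in practice. PLC-02 at 4.10.0 is correctly reported as not affected only because versions are compared as integer tuples; a naive string comparison would flag it. And EWS-01 stays in the "unknown" list even after PLC-01 is patched, which is the inventory gap the program has to close before it can claim the advisory is fully remediated.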
If you’d like to learn more about how to build a vulnerability & patch management program that scales, join our session with FoxGuard Solutions on June 9 at 11 AM EDT.
Furthermore, by integrating threat intelligence feeds and contextual business information, organizations can reduce vulnerability lists by more than 97 percent, focusing on those that truly pose risk to the organization, based on OT asset purpose and context to the operations. In complex OT environments, not every "Critical" or "High" CVSS rating poses a threat in your specific context, and no one has the time or the resources to address every vulnerability.
Industrial Defender correlates traditional vulnerability severity scores (e.g. CVSS), external threat intelligence, and the business importance of assets (with respect to their purpose and context of the organization) to calculate a weighted “Priority Score.” This score creates a clear, actionable plan, focusing your efforts on remediations that will significantly enhance the protection of your operations.
If you’d like to learn more about risk-based vulnerability management, please visit: https://www.industrialdefender.com/blog/how-to-overcome-vulnerability-patch-management-challenges-in-ot
By identifying and fixing weaknesses, vulnerability management contributes greatly to the security of systems. It includes tracking weaknesses, estimating how much harm they could cause, and dealing with them, and it matters most in the systems that supervise factories, power plants, and other critical infrastructure.
Managing vulnerabilities is difficult in these environments because they contain many devices from many different vendors. Active vulnerability scanning, which traditional security tools run freely on office networks, can disrupt operations on the plant floor, so it must be constrained or replaced by passive and inventory-based methods. In addition, ensuring that every component is patched requires a great deal of manual work.
The Common Vulnerability Scoring System (CVSS) is a framework used to rate the severity of security vulnerabilities. CVSS assigns scores from 0 to 10, where 10 indicates the highest severity. In CVSS v3.x the scoring system uses three metric groups: Base, Temporal, and Environmental. Base metrics evaluate the intrinsic characteristics of a vulnerability, Temporal metrics account for factors that change over time such as exploit availability, and Environmental metrics adjust the score for the specific impact on an individual organization. (CVSS v4.0 renames the Temporal group to Threat and adds a Supplemental group, but the Base score that most feeds publish is still the context-free part.) By combining these metrics, CVSS provides a nuanced and flexible approach to prioritizing vulnerabilities, aiding organizations in managing their security posture effectively.
CVSS scores provide a general view of the severity of vulnerabilities without consideration for the specific context of an organization. They do not account for the particular systems, data, or assets at risk in different environments. Threat intelligence is another source of information that can help with prioritizing patching. Threat intelligence highlights which vulnerabilities are actively exploited. For further prioritization, adding business context helps in understanding the potential impact on particular systems or data, allowing organizations to focus their efforts where they are most needed and ensuring that security measures align with business objectives and current threat landscapes. For example, two devices might be affected by the same vulnerability, but one could be in a highly critical operational part of the environment, whereas the other might be a less critical workstation used for routine tasks.
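The prioritization described in the two paragraphs above (CVSS severity, threat intelligence on active exploitation, and asset context combined into a single score, then mapped to the remediation windows suggested earlier) is shown here as an added example. It is not the page's or Industrial Defender's scoring method: the weights, band thresholds, criticality scale and day counts are assumptions chosen to illustrate the approach, and the findings, asset names and advisory IDs are constructed. The two findings share one advisory and one CVSS score, matching the example of a critical controller versus a routine workstation.

```python
"""Risk-based prioritisation of OT vulnerability findings.

Added example, not the page's or any vendor's code. Weights, thresholds,
criticality scale and remediation windows are illustrative assumptions;
findings, asset names and advisory IDs are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Remediation windows per priority band, following the schedule the page
# suggests (ASAP / one week / three months / six months). Day counts assumed.
SLA_DAYS = {"emergency": 0, "high": 7, "medium": 90, "low": 180}

# NERC CIP-007 R2: released patches must be evaluated for applicability
# within 35 calendar days.
EVALUATION_WINDOW_DAYS = 35


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    asset_id: str
    cvss_base: float          # 0.0 - 10.0, context-free severity from the feed
    asset_criticality: int    # assumed scale: 1 (routine workstation) .. 5 (protection/safety system)
    exploited_in_wild: bool   # threat-intelligence flag
    reachable_from_it: bool   # network exposure: routable from IT/DMZ vs isolated cell
    released: date            # advisory publication date


def priority_score(f: Finding) -> float:
    """Weighted 0-100 score combining severity, threat, asset context and exposure.
    The weights are assumptions, not a published method."""
    severity = f.cvss_base / 10.0
    threat = 1.0 if f.exploited_in_wild else 0.2
    context = f.asset_criticality / 5.0
    exposure = 1.0 if f.reachable_from_it else 0.5
    return round(100 * (0.35 * severity + 0.25 * threat + 0.25 * context + 0.15 * exposure), 1)


def priority_band(score: float) -> str:
    """Map a score to a remediation band (thresholds assumed)."""
    if score >= 80:
        return "emergency"
    if score >= 60:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def remediation_plan(findings: List[Finding], today: date) -> List[Dict]:
    """Findings sorted by priority, each with its NERC evaluation deadline
    and its band-based remediation due date."""
    plan = []
    for f in findings:
        score = priority_score(f)
        band = priority_band(score)
        plan.append({
            "advisory": f.advisory_id,
            "asset": f.asset_id,
            "score": score,
            "band": band,
            "evaluate_by": f.released + timedelta(days=EVALUATION_WINDOW_DAYS),
            "remediate_by": today + timedelta(days=SLA_DAYS[band]),
        })
    plan.sort(key=lambda p: p["score"], reverse=True)
    return plan


def needs_immediate_attention(plan: List[Dict]) -> List[str]:
    """Asset IDs in the emergency or high band: the shortlist to work first."""
    return [p["asset"] for p in plan if p["band"] in ("emergency", "high")]


# Constructed findings: the same advisory and CVSS score on a safety-critical
# PLC that threat intelligence says is being exploited, and on a routine
# workstation with no exploitation reported; plus a low-severity isolated device.
RELEASED = date(2024, 1, 10)
FINDINGS = [
    Finding("ADV-EX-001", "PLC-01", 9.8, 5, True, True, RELEASED),
    Finding("ADV-EX-001", "WS-07", 9.8, 1, False, True, RELEASED),
    Finding("ADV-EX-003", "RTU-03", 4.0, 2, False, False, RELEASED),
]

if __name__ == "__main__":
    for row in remediation_plan(FINDINGS, date(2024, 1, 20)):
        print(row)
```

With these weights the PLC lands in the emergency band and the workstation in the medium band despite an identical CVSS 9.8, which is the point of adding context: the raw severity alone would have put both at the top of the list. The `evaluate_by` date is driven by the advisory release date, independent of the score, because the compliance clock starts when the patch is released, not when you get round to triaging it.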