Overcome patch management vulnerabilities in an OT environment
Vulnerability monitoring and assessment are particularly challenging to execute well in operational technology (OT) environments because of the large number of disparate assets.
A vulnerability is a weakness in a computing resource that can be exploited to cause harm. Mitigating vulnerability risk is accomplished through an effective vulnerability management program that includes vulnerability monitoring, vulnerability risk assessment, and vulnerability mitigation elements.
For effective vulnerability monitoring, you must know:
- Exactly what computing assets you have, including their configuration details (hardware model, firmware and software versions, and installed patches).
- What vulnerabilities are associated with those asset configurations, how they work, how difficult they are to exploit, and what damage a successful exploit can do.
With information of that quality you can assess the risk each vulnerability poses to your environment, decide which mitigation actions to take on which assets, and then execute those actions.
Effective vulnerability mitigation actions are only as good as the vulnerability monitoring and assessment behind them. If a company does not have an accurate asset database, including an accurate software inventory for those assets, it cannot make sound mitigation decisions and the vulnerability management effort will be ineffective.
In control system and OT environments, the criticality of effective vulnerability and patch management is reflected in standards such as NERC CIP-007 (System Security Management), NERC CIP-010 (Configuration Change Management and Vulnerability Assessments), NIST SP 800-40 Rev. 3 (Guide to Enterprise Patch Management Technologies), and ISA/IEC TR 62443-2-3 (Patch Management in the Industrial Automation and Control System Environment). These standards include the requirement to document vulnerability management efforts for auditing purposes.
Sources of vulnerability information
There are two leading sources of cyber vulnerability information: NIST and NCCIC. NIST maintains the National Vulnerability Database (NVD), which is built on the common vulnerabilities and exposures (CVE) entries sourced from MITRE's CVE List and enriches them with CVSS scores and affected-product (CPE) data.
NCCIC, the National Cybersecurity and Communications Integration Center, oversees the Industrial Control Systems Cyber Emergency Readiness Team (ICS-CERT), which publishes alerts and advisories. ICS-CERT advisories provide timely information about current security issues, vulnerabilities, and exploits affecting control system products, while alerts notify critical infrastructure operators about current cyber threats or activity that may impact critical infrastructure systems and networks. (These functions have since been consolidated into the Cybersecurity and Infrastructure Security Agency, CISA, which continues to publish ICS advisories.)
A third source of vulnerability information is original equipment manufacturers (OEMs), which often publish vulnerability information only to their customer portals and not to the general public. Because such advisories may never appear in the NVD or ICS-CERT feeds, someone has to review each OEM portal periodically for updates.
Key OT vulnerability management challenges
Control system and OT environments present several challenges for effective asset vulnerability management:
- Production sensitivity – Existing tools typically require active scanning of your network and assets, and this increases the risk of production operation disruption.
- Design goal mismatch – Most tools have been engineered for IT devices and infrastructures rather than nonstop, production OT environments.
- Cost/feature mismatch – Solutions tend to be high-end and very expensive with more functionality than a smaller customer might require.
- Labor mismatch – Staying current with security patches requires extensive manual effort, perhaps more than you are staffed to handle properly.
- Safety concerns – In OT environments, patches may negatively affect safety, operability, or reliability if not applied correctly. Management of the system change process is critical.
- Customized mitigation – Oftentimes a vulnerability exists in a product but does not apply because of the way the company uses the device, or because a compensating control is already in place that prevents anyone from exploiting it. Mitigations are also used when a vulnerability is severe but a patch is not yet available. In both cases the decision and its justification should be recorded, since the auditor will ask why the patch was not applied.
What about OT patch management?
Patch management should prioritize a patch based on the severity of the vulnerability it addresses. In most cases, severity ratings are based on the common vulnerability scoring system (CVSS) base score.
A CVSS score of:
- 9.0 to 10.0 is considered an emergency vulnerability (NVD labels this band "Critical")
- 7.0 to 8.9 is considered a high impact vulnerability
- 4.0 to 6.9 is considered a moderate impact vulnerability (NVD: "Medium")
- 0.0 to 3.9 is considered a low impact vulnerability.
NERC CIP-007 requires that security-related patches be assessed for applicability within 35 calendar days of their release, and that within a further 35 days each applicable patch be applied or a dated mitigation plan be created. Beyond that, time frames for patch implementation vary depending on industry, process, regulation, and experience. However, a responsible OT patching program would specify time frames for patch application based on vulnerability severity, such as ASAP for emergency vulnerabilities, one week for high impact vulnerabilities, three months for moderate impact vulnerabilities, and six months or the next available scheduled outage for low impact vulnerabilities.
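The severity bands and time frames above, together with the "customized mitigation" point from the challenges list, amount to a triage procedure: match the asset inventory against the advisory feed, bucket each hit by CVSS, assign a due date, and record hits that are already covered by a compensating control so the auditor can see why no patch was applied. The following is an added example written for this article, not code from the article or from any vendor product. The asset names, versions, advisory identifiers, mitigation names, and the exact-version matching rule are all assumptions made for illustration (a real matcher against NVD would work from CPE ranges rather than exact version strings).

```python
"""Severity-based patch triage over an OT asset inventory.

Added example for this article, not code from the article or any vendor
product. Asset names, versions, advisory identifiers, and mitigation names
below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

# Severity bands from the article, by CVSS base score, most severe first.
BANDS = (("emergency", 9.0), ("high", 7.0), ("moderate", 4.0), ("low", 0.0))

# Illustrative patch windows from the article, in days after triage:
# ASAP, one week, three months, six months or next scheduled outage.
WINDOW_DAYS = {"emergency": 0, "high": 7, "moderate": 90, "low": 180}


def severity(cvss: float) -> str:
    """Map a CVSS base score (0.0-10.0) to the article's four bands."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for name, floor in BANDS:
        if cvss >= floor:
            return name
    raise AssertionError("unreachable: bands cover 0.0-10.0")


@dataclass(frozen=True)
class Asset:
    asset_id: str
    product: str                                # product name as recorded in the inventory
    version: str                                # installed firmware/software version
    mitigations: FrozenSet[str] = frozenset()   # compensating controls in place


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    affected_versions: FrozenSet[str]           # exact versions the vendor lists as affected
    cvss: float
    fixed_version: Optional[str]                # None when no patch has been released
    mitigated_by: FrozenSet[str] = frozenset()  # controls that make it not applicable


@dataclass(frozen=True)
class Finding:
    asset_id: str
    advisory_id: str
    severity: str
    action: str          # "patch", "mitigate" (no patch yet) or "mitigated" (already covered)
    due: Optional[date]  # None when no action is required


def triage(assets: List[Asset], advisories: List[Advisory], today: date) -> List[Finding]:
    """Match inventory against advisories and assign each hit an action and due date.

    Matching is by product name and exact version string, which is what an
    inventory-driven matcher can do reliably; CPE range matching is out of scope.
    """
    findings: List[Finding] = []
    for asset in assets:
        for adv in advisories:
            if adv.product != asset.product or asset.version not in adv.affected_versions:
                continue
            sev = severity(adv.cvss)
            if asset.mitigations & adv.mitigated_by:
                # Vulnerability exists but does not apply here; keep the record for audit.
                findings.append(Finding(asset.asset_id, adv.advisory_id, sev, "mitigated", None))
                continue
            action = "patch" if adv.fixed_version is not None else "mitigate"
            due = today + timedelta(days=WINDOW_DAYS[sev])
            findings.append(Finding(asset.asset_id, adv.advisory_id, sev, action, due))
    # Most urgent first; findings needing no action sort last.
    findings.sort(key=lambda f: (f.due is None, f.due or date.max, f.asset_id))
    return findings


# Constructed inventory and advisory feed (not real products or advisories).
ASSETS = [
    Asset("PLC-01", "ExampleHMI", "4.2", frozenset({"network-isolated"})),
    Asset("HMI-02", "ExampleHMI", "4.2"),
    Asset("HIST-03", "ExampleHistorian", "2.0"),
    Asset("ENG-04", "ExampleHistorian", "2.1"),
]
ADVISORIES = [
    Advisory("EX-ADV-001", "ExampleHMI", frozenset({"4.1", "4.2"}), 9.8, "4.3",
             frozenset({"network-isolated"})),
    Advisory("EX-ADV-002", "ExampleHistorian", frozenset({"2.0"}), 7.5, None),
    Advisory("EX-ADV-003", "ExampleHistorian", frozenset({"2.0", "2.1"}), 3.1, "2.2"),
]


def triage_sample(today_iso: str = "2024-01-01") -> List[Finding]:
    """Run the triage over the constructed sample data for a given date."""
    return triage(ASSETS, ADVISORIES, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.asset_id:8} {f.advisory_id:12} {f.severity:10} {f.action:10} {f.due}")
```

Run stand-alone, the script lists HMI-02 first (emergency, patch due immediately), then the historian with no patch available (high, a compensating control due within the week), then the two low findings at the six-month mark, and last the PLC whose network isolation already covers the emergency advisory. That last row is the "customized mitigation" case: it is not dropped from the output, because the documented reason for not patching is exactly what NERC CIP and IEC 62443-2-3 audits ask for.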
The OT team's patch management responsibilities are many: continually monitor vulnerability information across multiple sources, determine which vulnerabilities actually affect their specific environment, determine which assets need which patches to fix those vulnerabilities, apply the patches, and then confirm that the patches have been successfully deployed across the asset base.
With such a critical set of responsibilities, OT team members must not only have a sound understanding of vulnerability severity and patch availability. They must also know their assets.
Building an effective OT vulnerability, patch management program
Asset knowledge is at the core of any good vulnerability management program. This includes knowing each asset's current patch level and exposure so that patching and remediation efforts can be prioritized properly. Doing this successfully requires the right combination of people, process, and technology. The more of this process that can be automated, the more efficient and effective the people part of the equation can be.
When evaluating technologies to enable people and processes, make sure the vendor can provide you with complete, automated asset inventory data collection, real-time vulnerability monitoring, vendor-approved patch data, and a security rating for each patch. This lets the team visualize precisely which assets are missing vendor-approved patches or have open vulnerabilities published in vendor-specific feeds to make smarter patching and mitigation decisions.