Vulnerability Management – Considerations in OT/ICS Vulnerability Assessments

Identifying and remediating vulnerabilities are paramount to a successful cybersecurity strategy. While vulnerability disclosures, CVEs, and CVSS scores are a good place to start when addressing security gaps, neither offers a complete picture or effective assessment for OT/ICS environments. After ten years of vulnerability assessments, industrial cybersecurity firm Verve has observed several common gaps and offers their top five considerations every OT/ICS environment can benefit from understanding. Verve frequently reinforces similar topics found in WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities; this post is no different. Specifically, Verve highlights why it is crucial to take a comprehensive 360-degree view of risks, especially when dealing with lots of insecure-by-design OT/ICS components that will likely never be patched. This 360-degree view goes far beyond assessing the environment against traditional CVEs and includes things like assessing insecure configurations and determining the presence and effectiveness of compensating controls. If it seems the vulnerability assessment discussion always comes back to assets, indeed it typically does. Verve discusses the importance of a deep asset inventory and establishing asset criticality. Likewise, their experiences reinforce the importance of technology to streamline the aforementioned asset management processes over manual processes that tend to miss key details. Finally, Verve considers remediation the mark of success for the vulnerability assessment process. During remediation, Verve recommends a think global: act local approach. While it is important to assess the environment holistically for consistency and continuity, many industrial systems have been disrupted by attempts to remediate vulnerabilities remotely. Therefore, a local/onsite remediation approach is likely necessary to maintain maximum safety and stability of the systems. Like many cybersecurity programs, vulnerability assessments are not one-and-done, they are a continual and dynamic rinse-and-repeat process. Likewise, as components and configurations are added or removed in the environment, vulnerability assessments should be performed prior to implementing any changes. Read more about OT/ICS vulnerability assessments at Verve.