As cyber adversaries that target industrial facilities continuously pick apart weaknesses in operational technology (OT) environments to orchestrate their attacks, the need grows by the day for enterprises to evolve their OT vulnerability management practices.
While more than 91% of organizations include on-premises IT infrastructure assets in their existing or planned vulnerability management program, only 23% do the same for OT assets. This lag does not necessarily reflect a failing by industrial organizations; it can be partially explained by the unique challenges of both finding and remediating vulnerabilities in OT environments.
Why Are OT Environments More Vulnerable to Risk?
Managing vulnerabilities in OT environments is challenging for a number of reasons. Consider these realities:
- Active scanning can be very disruptive to OT environments.
- Many OT and ICS systems have exceedingly long patch cycles.
- Downtime tolerance is slim to none for OT systems.
- Legacy and fit-for-purpose assets are entrenched.
- Remediation of many OT vulnerabilities is highly manual and depends on vendor action/approval.
While many industrial organizations have made recent inroads in regularly assessing for and identifying OT vulnerabilities, these challenges have made it difficult for them to push beyond vulnerability assessment into full-cycle vulnerability management. It can be daunting to overcome these challenges, but there are several steps that organizations can take to get started in maturing their OT vulnerability management program.
To that end, we are introducing a new series of blogs to walk you through the early stages of the process. We will begin with one of the most foundational elements of an effective vulnerability management program: establishing asset inventories and asset visibility.
OT Vulnerability Management Starts with Asset Discovery
Organizations cannot fix flaws in OT assets they do not know they are exposed to. Therefore, every effective OT vulnerability management program starts with discovery and asset visibility. Organizations need to conduct an asset discovery process that not only identifies assets in the environment, but also classifies them by a range of attributes, maps their connections, and tracks their configuration state.
Ideally, this asset inventory should be continuously updated. Organizations that can build out automated mechanisms to gain continuous visibility into the state of their asset inventory greatly improve the sustainability of their OT vulnerability management program.
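As an added illustration (not Dragos code), here is a minimal inventory that merges observation records as they arrive and reports new assets, new connections, configuration changes, and classification gaps. The record layout, attribute names, and all sample values are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    asset_id: str
    attrs: dict = field(default_factory=dict)   # classification attributes
    peers: set = field(default_factory=set)     # observed connections
    config: dict = field(default_factory=dict)  # last known configuration state

class Inventory:
    def __init__(self):
        self.assets = {}

    def ingest(self, obs):  # merge one observation, return the change events
        events = []
        a = self.assets.get(obs["id"])
        if a is None:
            a = self.assets[obs["id"]] = Asset(obs["id"])
            events.append(("new_asset", obs["id"]))
        a.attrs.update(obs.get("attrs", {}))
        for peer in sorted(set(obs.get("peers", [])) - a.peers):
            a.peers.add(peer)
            events.append(("new_connection", obs["id"], peer))
        for key, val in obs.get("config", {}).items():
            old = a.config.get(key)
            if old is not None and old != val:
                events.append(("config_change", obs["id"], key, old, val))
            a.config[key] = val
        return events

    def unclassified(self, required=("type", "vendor", "zone")):
        return sorted(i for i, a in self.assets.items() if set(required) - set(a.attrs))

    def unknown_peers(self):  # referenced as a peer but never inventoried
        seen = {p for a in self.assets.values() for p in a.peers}
        return sorted(seen - set(self.assets))

# Constructed sample observations; every name and value is made up.
SAMPLE = [
    {"id": "plc-01", "attrs": {"type": "PLC", "vendor": "ExampleCo", "zone": "cell-A"}, "peers": ["hmi-01"], "config": {"firmware": "1.0"}},
    {"id": "hmi-01", "attrs": {"type": "HMI"}, "peers": ["plc-01"]},
    {"id": "plc-01", "peers": ["hmi-01", "eng-ws-07"], "config": {"firmware": "1.1"}},
]

def run(observations):
    inv = Inventory()
    return inv, [e for obs in observations for e in inv.ingest(obs)]
if __name__ == "__main__":
    print(*run(SAMPLE)[1], sep="\n")
```

The `unknown_peers` result is the practical payoff of mapping connections: a device that talks to inventoried assets but has no record of its own is a visibility gap to close before any vulnerability assessment can cover it.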
It is important to note that many IT asset visibility tools do not translate well to the OT environment. This means that organizations may need to take an approach to asset visibility specific to OT environments to achieve the level of visibility into assets, vulnerabilities, and risk that corresponds to what their security team may be used to seeing across the IT asset portfolio.
To get this right, you must establish a plan that determines data collection requirements through a structured approach like Dragos’s collection management framework. A good plan will lay the foundation for establishing an automated mechanism for continuously updating the inventory and establishing ongoing OT asset visibility.
Learn More About Vulnerability Management in Industrial Environments
In our next blog in the series, we will explore how OT vulnerability prioritization differs from prioritization in IT.
If you want to get a sneak peek at this coming topic and the rest of the steps for getting started tackling OT vulnerability management, download the Dragos whitepaper: Understanding the Challenges of OT Vulnerability Management and How to Tackle Them.