What is OT/ICS vulnerability management? Explained in 15 minutes! - YouTube
Channel: Langner Group
[10] Understanding what OT vulnerability management is isn't difficult. Practicing it is what is difficult. So let's get the easy part out of the way.
[27] What is a vulnerability? A vulnerability is a system weakness that, if exploited, will result in a breach of system integrity, which could then lead to system malfunction. We are dealing with three types of vulnerabilities: bugs that are documented as CVEs (I'll get to that in a second), configuration vulnerabilities such as default passwords, and technology that is insecure by design. Don't worry, I'll get back to that later. For now, just consider that vulnerability management is oftentimes, and for no good reason, limited to dealing with CVEs. Let's look at them first.

[72] CVE is an acronym for Common Vulnerabilities and Exposures. It refers to a repository maintained by the US government where known vulnerabilities in software and hardware products are listed. This whole effort makes up the National Vulnerability Database, which you can access at nvd.nist.gov. You don't need to worry that the National Vulnerability Database would be incomplete as far as OT products are concerned: every vulnerability worth worrying about will end up in the NVD. Check it out, for example, by simply doing a search for Rockwell. Note that each CVE affects a generic product, usually in a specific version, so if you match your installed products, be it operating system or firmware versions, with the National Vulnerability Database, you know which vulnerabilities affect your installed base. The remedy for pretty much all CVEs is to install a security patch or a new firmware version. In rare cases you may even have to replace hardware.
[144] Security patches make things a little bit more complicated for Microsoft products, because you may run a vulnerable OS version, but several CVEs have already been patched; therefore your computer may no longer be vulnerable for those CVEs. In order to figure out if that is the case, it must be determined which patches you have installed and which CVEs are mitigated by those patches. The mitigated CVEs are then something you no longer need to worry about. For practical reasons this process is almost impossible to execute for a human being, but is a standard function of an asset management system. The asset management system does the NVD downloads, the CVE matching and the patch info processing automatically.
[201] To a large extent, commonplace technologies used in OT are insecure by design. All the widely used OT network protocols, such as Modbus, PROFINET and EtherNet/IP, don't support authentication and authorization, and that means once you are on the network, you can mess with the OT devices on that network pretty much all you want. The savvy hacker's method of choice then becomes reading the product manual rather than trying to identify exploitable bugs in the firmware. This insight is of practical relevance: it means that it's often a waste of time to fix CVEs in the firmware or OS of automation devices. A good example is embedded web servers in automation products, of which there are plenty. These web servers are notorious for buffer overflows and related crap which can be used for infiltration; however, fixing those would be pretty much pointless. The bottom line is: before you devise your vulnerability management strategy, consider that the biggest vulnerabilities do not show up as CVEs. CVEs only cover bugs that can be patched or neutralized with a new firmware version.
[287] Sorry to break it to you, but there are so many vulnerabilities in OT that you will never be able to fix them all. Prioritization helps you to focus your limited resources on those vulnerabilities that are most important. An average Windows computer in OT has well over a thousand vulnerabilities. How come? Because these boxes are only patched anecdotally. For the vast majority of Windows installations in OT there is no automatic patching, and for a good reason. Setting aside that computers in OT often run 24/7 and cannot be rebooted whenever one wants to, a security patch is a configuration change, and your OT application isn't necessarily happy with that change. The vendor in question might not be happy with that change either, and told you right away that your warranty will be void if you install unapproved patches. Therefore, installing patches, updating operating systems and updating firmware is very costly in OT. Patches and new software and firmware must be tested for compatibility before deployment. The installation is usually only possible during a planned outage, and installation may require proximity to the affected asset, which could involve travel. So in reality, patching in OT is a completely different game than in IT. It's one of the most costly mitigation methods.
[389] So which vulnerabilities should you patch? The commonly used practice is to use the severity rating that is provided by the National Vulnerability Database. CVEs are ranked as critical, severe, medium and low. Most organizations only tackle the critical vulnerabilities and ignore the rest. This is not the most rational approach in OT, as you will be facing a lot of older vulnerabilities that are specified using CVSS versions lower than 3, where the critical rating wasn't used yet. In other words, you can find some pretty nasty stuff that is rated high rather than critical. Hence you may consider focusing on the base score instead of on severity. Another parameter that could be used for singling out the vulnerabilities worth patching is whether there is already an active exploit for the CVE. For this information there is no official government database, but there are several private brokers of exploitability information, some even free of charge. Or you could go all the way and throw in threat intelligence for an informed decision about what active hacker groups are currently exploiting. However, I don't believe this is a particularly promising strategy, as threat actor behavior can change much quicker than you will be able to respond. Hackers can employ new exploits overnight, but you may need a year or more to fix a particular vulnerability across your installed base.
[495] A different strategy for filtering your actionable CVE result set is to factor in asset context, since not every asset is equal when it comes to cyber risk. Some assets are more exposed than others and thus more prone to compromise. Network exposure can easily be identified if you have a modern asset management system installed: you can either identify an asset's exposed position in the network topology, or you can simply check data flow. In brief, assets that are hidden deeply behind DMZs and firewalls are less of a concern than those at the front lines. As a caveat, don't forget to consider assets that are exposed to nomad laptops, such as portable engineering stations brought in by contractors and attached to assumedly isolated process networks. Another way to prioritize by context is based on asset criticality, which implies a higher cost of consequence in case of a successful breach. Unfortunately, criticality cannot be measured automatically but has to be assigned by experts who are familiar with an asset's specific process function. Usually this is in the hands of control engineers. A simple example is safety systems: a safety system has a higher criticality than a basic production system and should therefore be better protected. Having said that, in real life you would not necessarily focus on a safety controller, which is insecure by design anyway, but on the safety engineering station.
[602] A question that we frequently hear from people interested in our OT-based asset management system is: will I get alerts on new vulnerabilities in real time? If anything, this indicates a substantially wrong idea of how OT vulnerability management actually works. Yes, you will see new CVEs as they come in, but you won't be able to focus on those because of your huge backlog of vulnerabilities. Here is a simple question: what's more important to fix, the 12 new critical CVEs that just dropped in, or the 75,000 vulnerabilities that you still didn't manage to mitigate? If you think this is a trick question, you are mistaken. It's OT vulnerability management reality. The highest priority is not today's critical vulnerability, but the hundreds or thousands that you haven't been able to fix for years. You will find yourself in a tight spot between a huge backlog of vulnerabilities plus a steady stream of new vulnerabilities coming in every week, and you will soon realize that patching today's critical vulnerability doesn't make a difference. It doesn't move the needle.
[687] So what does move the needle then? The fundamental objective of OT vulnerability management is to build up a cybersecurity capability that allows you to reduce your backlog of vulnerabilities while mitigating new CVEs quicker than they flow in. This requires a strategic approach, and you shouldn't expect dramatic success within weeks or months. OT vulnerability management is a long game, and the name of the game is incremental improvement. On the tactical side, consider that patching is often not the first choice for mitigating CVEs. Consider network security, application whitelisting and system hardening instead. Standardizing configurations for typical equipment such as HMI stations or network switches will go a long way toward that goal and will also make auditing so much easier. The biggest gains are to be made with a proactive approach: if you can get your vendors, contractors and OEMs to deliver hardened and well-protected machines, plant components and software applications at the time of commissioning, you are on a trajectory to success. Even though that success is gradual and slow, it is real, unlike the anecdotal patching activities that aren't just a waste of time but also create a false sense of security. So, as I said in the beginning, understanding OT vulnerability management isn't difficult, but practicing it is. Practicing it requires determination and patience. Go for it.