SecurityMatters is now part of Forescout

SecurityMatters Receives Frost & Sullivan’s Global Industrial Cybersecurity Solutions Customer Value Leadership Award

Frost & Sullivan recognizes SecurityMatters with the 2018 Global Customer Value Leadership Award for protecting industrial companies’ IT/OT networks.


Asset Inventory and Security Monitoring (IEEE)

An in-depth analysis of how passive network security monitoring helps asset owners maintain an accurate, up-to-date asset inventory list, while also protecting the grid’s edge from cyber threats.

Streamline NERC CIP Compliance With Passive Network Monitoring

Passive monitoring can save North American utilities required to comply with NERC CIP significant effort and money.

Why Industrial Control System Vulnerability Management is not equal to IT Vulnerability Management

SecurityMatters' Brian Proctor joins Scott King of Rapid7 for their Whiteboard Wednesday series. In this episode they explore why vulnerability management inside an industrial control system (ICS) differs from that of an IT environment.

There are four different approaches to vulnerability management practices for an ICS network. Brian and Scott discuss the pros and cons of:

  • Active monitoring
  • Completely passive monitoring
  • Configuration file parsing
  • Selective probing

Efficient Asset Inventory Solution for ICS

Video Transcript

Scott King: Hello my name is Scott King and I work for Rapid7.

Brian Proctor: Hi I’m Brian Proctor with SecurityMatters.

SK: Today we’re both here to talk to you about how vulnerability management inside industrial control system networks is not the same as vulnerability management inside of an IT network.

To me one of the main things that I think about is your ability to patch. Inside an IT environment you’re able to take routine downtime, you’re able to bring systems offline and you’re able to patch them when you find vulnerabilities.

Inside of an ICS environment you’re just not. And oftentimes patches aren’t even available. A lot of the times the vulnerabilities that are present in an ICS environment are by design; that’s how the system works, there is no patch for it.

So, what you’re left with is dealing with things like compensating controls, air-gapping networks, and putting in place detective mechanisms that allow you to monitor those environments for the types of intrusions and the type of system behavior that would indicate there’s a problem.

Now when you talk about vulnerability management in ICS networks there are some major differences, and there’s also differences in approach. Brian?

BP: When we talk to folks about conducting vulnerability management practices in their control systems we’re really talking about four different approaches. Over here on the right is our active approach. That approach in ICS causes a lot of concern. I know that Scott and I have some personal experience where we’ve seen the effects of an active approach in a control system and it’s had some negative effects on the operational process.

So, most security activists will tell you that’s not the approach you want to take in a control system. Especially at the lower levels of the control system where you have controllers or other critical assets.

The other three approaches are more passive approaches. Starting from complete passive monitoring where you’re inspecting these protocols and you’re extracting inventory data from them and then you’re matching the inventory data to known vulnerabilities. So, a lot of ICS asset owners are really pushing forward with that because there’s literally no impact to the control system, it’s completely passive.

The second approach is more from a configuration file: a lot of these control system vendors have configuration files, maybe on an engineering workstation or some type of server somewhere. What you can do is look at those files, parse those files, once again get the inventory data and match those to known vulnerabilities.

The third kind of approach is kind of a mix between passive and active. It’s an approach called selective probing. It’s all about using protocols that these devices are built to function with and asking for that data and asking for that asset inventory data, and once again you can match those with known vulnerabilities.

So completely passive, configuration file parsing, and probing, those are the three approaches that we talk to folks about.

SK: And not only that, the passive monitoring approach in addition to all the benefits we’ve talked about here, from an operations perspective it actually allows you to identify and spot operational problems that are not security related within your control network as well.

And that goes well beyond just understanding the vulnerabilities, that gets into control system operations, how devices are behaving, how they’re communicating with each other, and the real benefit of that type of passive monitoring is that you’re able to look for deviations from norm in the communication behavior of the devices, and spot when things are out of alignment with what they should be, or when they’re going beyond the types of expectations you have of how those systems communicate with each other.

So when you think about vulnerability management inside of an ICS environment, one of the main things you want to think about is it’s very helpful to understand what those vulnerabilities are and how they can manifest themselves, but the number one thing you should be paying attention to is how the systems inside the control system network work, operate, communicate with each other, and how those vulnerabilities can be mitigated through compensating controls.

Additionally, doing on-going, routine assessments for vulnerabilities is not going to be a good use of your time. Understanding the type of assets you have in your environment and how they talk to each other again is a much more effective approach to control system monitoring.

BP: So, don’t apply those IT vulnerability management practices to your control system. Take what Scott and I have from personal experience and apply those. Thank you for tuning in, and we’ll see you next time.
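The completely passive approach described in the video, as an added illustration that is not part of the original transcript or of SilentDefense: an inventory is built only from device identities seen in replies on the wire, matched against an advisory table, and the learned set of conversations is used to flag deviations from normal communication. All addresses, vendors, models, firmware versions and the advisory id are constructed placeholders.

```python
# Constructed sample of passively observed OT traffic, as a network sensor would
# record it: (source, destination, protocol, identity learned from the
# destination's own replies). All addresses, vendors, models and firmware
# versions are made-up placeholders.
OBSERVED = [
    ("10.0.1.10", "10.0.2.5", "modbus", ("ExampleVendor", "PLC-100", "2.1")),
    ("10.0.1.10", "10.0.2.6", "modbus", ("ExampleVendor", "PLC-100", "2.3")),
    ("10.0.1.11", "10.0.2.7", "s7comm", ("OtherVendor", "CPU-300", "4.0")),
    ("10.0.1.10", "10.0.2.5", "modbus", ("ExampleVendor", "PLC-100", "2.1")),
]

# Constructed advisory table keyed by (vendor, model): (advisory id, fixed-in
# firmware). A device running firmware older than the fixed-in version is
# considered affected. Placeholder data, not a real advisory.
ADVISORIES = {("ExampleVendor", "PLC-100"): ("ADV-PLACEHOLDER-1", "2.2")}


def version_tuple(version):
    """'2.10' -> (2, 10), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def build_inventory(observed):
    """Asset inventory keyed by IP, built only from replies seen on the wire."""
    inventory = {}
    for _src, dst, _proto, (vendor, model, firmware) in observed:
        inventory[dst] = {"vendor": vendor, "model": model, "firmware": firmware}
    return inventory


def match_vulnerabilities(inventory, advisories):
    """Map each asset to the advisory it is still affected by, if any."""
    hits = {}
    for ip, asset in inventory.items():
        advisory = advisories.get((asset["vendor"], asset["model"]))
        if advisory and version_tuple(asset["firmware"]) < version_tuple(advisory[1]):
            hits[ip] = advisory[0]
    return hits


def learn_baseline(observed):
    """Set of (source, destination, protocol) conversations seen while learning."""
    return {(src, dst, proto) for src, dst, proto, _ in observed}


def detect_deviations(baseline, new_observed):
    """Conversations absent from the baseline, e.g. an unknown host talking Modbus
    to a controller; these are the 'deviations from norm' worth investigating."""
    return [(s, d, p) for s, d, p, _ in new_observed if (s, d, p) not in baseline]
```

Nothing in this flow sends a packet to the controllers; every fact comes from traffic they were already producing.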

Case Study: Electric Power and Gas

Electric-power and Gas Company Deploys the Largest Network Anomaly Detection Project Worldwide.

Solution Brief: Ship Automation and Control Systems

Read about the benefits of our network monitoring and intelligence platform, SilentDefense, for ship automation and control systems.

Case Study: SilentDefense Secures TEPCO Power Grid

Read how Japan's largest utility company successfully deployed SilentDefense for detecting anomalies in its..

How to Effectively Implement ISA 99/IEC 62443

Learn how SilentDefense will assist you in effectively implementing the ISA 99/IEC 62443 standard within your ICS network.

How to Align with the NIST Cybersecurity Framework

Learn how SilentDefense facilitates the adoption of the NIST Cybersecurity Framework by simplifying compliance with all five Functions.

The Benefits of Network Monitoring for Industrial Automation

The drive to increase productivity and reduce costs in manufacturing environments has led to an exponential increase in the adoption of automation on plant floors, also known as Industry 4.0. If your organization has integrated its computation, networking and physical processes, this whitepaper will explain how deploying network monitoring technology will bring tremendous value to both your IT and OT teams.