What Lies Beneath – Avoiding the Unseen Dangers of OT Vulnerabilities

  • December 11, 2017
  • PAS Inc.
  • Feature

By Scott Hollis, Director of Product Management, PAS Global

A recent Accenture survey found that 76 percent of utility executives in North America believe the country faces a moderate risk of interruption to electricity due to a cyberattack. The full truth is that much more infrastructure than power generation is at risk. Process control networks (PCNs) in critical infrastructure sites (refineries, chemical plants, and manufacturing facilities) all have potential danger swimming just below the surface in the form of undiscovered vulnerabilities. Unless and until security in a PCN has been implemented in a way that systematically protects all endpoints at risk in industrial environments, successful attacks will likely happen.

Given the sophistication and effectiveness of recent industrial cyber attacks, such as the Ukrainian power grid attack in December 2015, the Industroyer/CrashOverride malware attack in December 2016, and a new campaign of attacks targeting energy companies in the spring and summer of 2017 by a group called Dragonfly 2.0, it is more important than ever to identify and remediate operational technology (OT) vulnerabilities. However, industrial process and power companies still struggle to manage OT cybersecurity vulnerabilities and risks effectively.


The Situation Today

Attacks on OT systems are rapidly escalating in terms of both frequency and sophistication, yet far too many industrial organizations continue to focus cybersecurity efforts on IT-centric, rather than production-centric, endpoints. They also continue to rely on manual, error-prone email- and spreadsheet-based vulnerability management processes, leaving their industrial facilities exposed to unacceptable production safety and reliability risks.


Surface View of OT Vulnerabilities

Most approaches in use are focused on securing Level 2 (Purdue model) endpoints, such as operator workstations, as these are the better understood IT endpoints. Discovering vulnerabilities at Level 2 is also typically more straightforward because assessing workstations, servers, routers, and switches is much easier than assessing controllers and smart field instruments. However, focusing solely on Level 2 endpoints gives only a surface view, as they make up only 20 percent of industrial endpoints.

Systems at Level 1 and 0 are often left unchecked. These production-centric endpoints comprise 80 percent of all the cyber assets in an industrial facility. They include Distributed Control Systems (DCS), Programmable Logic Controllers (PLC), Safety Instrumented Systems (SIS), turbine controls, and smart field instrumentation.

From a business standpoint, endpoints at Level 1 and 0 matter the most in industrial facilities, as these are the endpoints responsible for delivering safe and profitable production. Vulnerabilities at this level are opaque to most security personnel. Proprietary architectures and the lack of standard protocols in multi-vendor process control environments make asset discovery, vulnerability assessment, and risk mitigation difficult. This means that far too often vulnerabilities lurking on these underlying systems are minimized or ignored, leaving OT systems vulnerable and exposed.


Rising Vulnerability Counts

Vulnerabilities are prevalent in OT systems, and the number of known vulnerabilities continues to rise. The number of vulnerability advisories issued by ICS-CERT has increased sevenfold since 2010, with 2017 setting record levels.

Many of these vulnerabilities have likely been present for years, only coming to light now due to an increased awareness of industrial control systems (ICS) cybersecurity risk.


Manual, Point-in-Time Assessments

Current vulnerability assessment processes in OT environments are extremely manual, point-in-time activities often performed by outside contractors. Since these assessments are labor intensive, many facilities only complete vulnerability assessments once every 12 to 18 months, if not less frequently. These point-in-time vulnerability assessments quickly become outdated as OT systems change, existing vulnerabilities are remediated, and new vulnerabilities emerge.

To maintain currency, OT cybersecurity professionals monitor industry and vendor websites. When a new ICS-CERT advisory or automation vendor bulletin is published, enterprise-wide email missives are sent to asset owners at multiple sites throughout the enterprise asking them to investigate and determine if plant systems are vulnerable, and if so, to email back their remediation plans. However, timely, accurate responses from busy asset owners in plants are not common, and most organizations are left in the dark when it comes to understanding their current vulnerability risk.


Inefficient Prioritization and Remediation

Vulnerability prioritization and remediation is performed utilizing emails and spreadsheets. This results in error-prone and out-of-date vulnerability remediation and mitigation data.

Automated vulnerability remediation or mitigation workflows cannot be triggered from data stored in emails and spreadsheets. Critical vendor patches and updates are often not applied for months or years, increasing cybersecurity risk. No centralized view exists that can provide insight into which assets have been secured and which still have lurking vulnerabilities. OT cybersecurity personnel and asset owners are left with an incomplete view into their OT security posture.


What’s Required: Better OT Vulnerability Visibility and Management

Given the variety of automation system brands and models running in industrial facilities, a more efficient, standardized approach to OT vulnerability identification and remediation tracking is needed, along with a more modern, continuous vulnerability management approach to surfacing hidden OT vulnerabilities and better protecting OT environments from cybersecurity threats. Doing so will better protect industrial facilities from unseen dangers.


Know What You Have

A prerequisite for effective vulnerability management is a comprehensive, evergreen inventory of all Level 2, 1, and 0 systems that reside within the PCN. This includes detailed information about current system configurations, identifying installed versions of firmware, operating systems, and applications. Without this information, you cannot know which systems may present risk.


Manage Change Effectively

Asset security profiles change when process control engineers install new components or perform upgrades. Cybersecurity personnel must have an automated way to identify these changes so they can quickly evaluate if vulnerabilities that present risk to production reliability and safety have been introduced.


Assess Vulnerabilities Continuously

The OT threat landscape is evolving rapidly. Manual approaches to OT vulnerability assessment can’t keep up. A move to automated, continuous OT vulnerability assessment is required. Assessment of Level 2, 1, and 0 systems should occur when new vulnerabilities are published, when new systems come onto the PCN, or when existing systems are updated so risks to production safety and reliability can be quickly identified and so that risk posture can be reduced over time.


Prioritize Remediation or Mitigation

Cybersecurity personnel must understand the potential impact identified vulnerabilities may present to process safety and reliability. This knowledge is needed for effective prioritization of vulnerability remediation or mitigation activities.

Many organizations use the National Vulnerability Database (NVD) Common Vulnerability Scoring System (CVSS) to understand the potential impact a vulnerability may have in their environment. CVSS scores provide information about vulnerability exploit ease, potential exploit impact, and whether there is known malware that targets the vulnerability.

CVSS scores range between 0 and 10, broken into severity rankings of low (0.1-3.9), medium (4.0-6.9), high (7.0-8.9), and critical (9.0-10.0). For example, vulnerabilities that result in a denial of service event but are difficult to exploit have a lower CVSS score. Vulnerabilities that enable full administrative access to a system and are easy to exploit have a higher CVSS score. Most organizations focus primarily on vulnerabilities with CVSS scores with a severity ranking of critical or high.

CVSS scores provide important information about the potential impact of a vulnerability. However, cybersecurity personnel must also understand the vulnerability within the specific context of their environment. For example, based on asset location and criticality to process safety and reliability, there may be times when cybersecurity personnel recommend remediation of a vulnerability with a CVSS score of seven before remediation of a vulnerability with a CVSS score of nine.


Track Vulnerability Remediation Continuously

Defined vulnerability remediation and mitigation workflows ensure consistent remediation activity tracking and reporting. Displaying the latest vulnerability remediation data in dashboards and trend views gives asset owners as well as OT and IT cybersecurity personnel visibility into the data they need to make informed vulnerability remediation and cyber risk management decisions. For example, if one facility requires four months to address a critical vulnerability, while another requires 18 months, OT cybersecurity leaders need this information so they can identify where to increase focus, or where additional staff or expertise may be required.
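The five steps above (inventory, change detection, continuous assessment, context-aware prioritization, and remediation tracking) can be expressed as a small, automatable pipeline. The following is an added example written for this article; it is not PAS software or any vendor's tooling. The asset records, product names (AcmePLC, AcmeSIS, AcmeHMI), advisory identifiers (ADV-EXAMPLE-n) and remediation dates are all constructed, and the simple "CVSS times asset criticality" ranking is one illustrative weighting, not a standard. It reproduces the article's point that a CVSS 7.5 finding on a safety system can rank ahead of a CVSS 9.8 finding on a less critical controller.

```python
"""Added example: continuous OT vulnerability management pipeline (constructed data)."""
from datetime import date

# --- Step 1: "Know what you have" - inventory snapshots keyed by asset id.
# Hypothetical products and firmware versions; criticality is a 1-5 process-safety rating.
BASELINE = {
    "PLC-101": {"level": 1, "product": "AcmePLC", "firmware": "2.3.0", "facility": "Refinery A", "criticality": 3},
    "SIS-201": {"level": 1, "product": "AcmeSIS", "firmware": "1.0.4", "facility": "Refinery A", "criticality": 5},
    "OWS-301": {"level": 2, "product": "AcmeHMI", "firmware": "5.1",   "facility": "Refinery A", "criticality": 2},
}
CURRENT = {
    "PLC-101": {"level": 1, "product": "AcmePLC", "firmware": "2.4.0", "facility": "Refinery A", "criticality": 3},
    "PLC-102": {"level": 1, "product": "AcmePLC", "firmware": "2.3.0", "facility": "Refinery A", "criticality": 3},
    "SIS-201": {"level": 1, "product": "AcmeSIS", "firmware": "1.0.4", "facility": "Refinery A", "criticality": 5},
    "OWS-301": {"level": 2, "product": "AcmeHMI", "firmware": "5.1",   "facility": "Refinery A", "criticality": 2},
}

# Constructed advisories: product, first fixed version, CVSS base score.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "product": "AcmePLC", "fixed_in": "2.4.0", "cvss": 9.8},
    {"id": "ADV-EXAMPLE-2", "product": "AcmeSIS", "fixed_in": "1.1.0", "cvss": 7.5},
    {"id": "ADV-EXAMPLE-3", "product": "AcmeHMI", "fixed_in": "5.2",   "cvss": 6.5},
]

# Constructed remediation log; closed=None means still open.
REMEDIATION_LOG = [
    {"facility": "Refinery A", "advisory": "ADV-EXAMPLE-1", "opened": date(2017, 1, 10), "closed": date(2017, 5, 10)},
    {"facility": "Plant B",    "advisory": "ADV-EXAMPLE-1", "opened": date(2016, 1, 10), "closed": date(2017, 7, 10)},
    {"facility": "Plant B",    "advisory": "ADV-EXAMPLE-2", "opened": date(2017, 3, 1),  "closed": None},
]
AS_OF = date(2017, 12, 11)  # reporting date for items that are still open


def cvss_severity(score: float) -> str:
    """Qualitative CVSS bands as listed in the article (0.0 is 'none')."""
    if score == 0.0:
        return "none"
    if score <= 3.9:
        return "low"
    if score <= 6.9:
        return "medium"
    if score <= 8.9:
        return "high"
    return "critical"


def version_tuple(v: str) -> tuple:
    """Dotted-integer versions only; real vendor firmware strings may need a vendor-specific parser."""
    return tuple(int(p) for p in v.split("."))


# --- Step 2: "Manage change effectively" - diff two snapshots.
def diff_inventory(before: dict, after: dict) -> dict:
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = {}
    for asset_id in set(before) & set(after):
        deltas = {k: (before[asset_id][k], after[asset_id][k])
                  for k in ("product", "firmware") if before[asset_id][k] != after[asset_id][k]}
        if deltas:
            changed[asset_id] = deltas
    return {"added": added, "removed": removed, "changed": changed}


# --- Step 3: "Assess continuously" - re-run whenever inventory or advisories change.
def match_advisories(inventory: dict, advisories: list) -> list:
    findings = []
    for asset_id, asset in inventory.items():
        for adv in advisories:
            if adv["product"] == asset["product"] and version_tuple(asset["firmware"]) < version_tuple(adv["fixed_in"]):
                findings.append({"asset": asset_id, "advisory": adv["id"], "cvss": adv["cvss"],
                                 "severity": cvss_severity(adv["cvss"]), "level": asset["level"],
                                 "criticality": asset["criticality"]})
    return findings


# --- Step 4: "Prioritize" - CVSS weighted by asset criticality; lower Purdue level breaks ties.
def prioritize(findings: list) -> list:
    return sorted(findings, key=lambda f: (-(f["cvss"] * f["criticality"]), f["level"]))


# --- Step 5: "Track remediation" - longest time-to-remediate per facility, in days.
def days_to_remediate(log: list, as_of: date) -> dict:
    per_facility = {}
    for item in log:
        end = item["closed"] or as_of
        per_facility.setdefault(item["facility"], []).append((end - item["opened"]).days)
    return {facility: max(days) for facility, days in per_facility.items()}


if __name__ == "__main__":
    print("changes:", diff_inventory(BASELINE, CURRENT))
    for f in prioritize(match_advisories(CURRENT, ADVISORIES)):
        print(f"{f['asset']:8} {f['advisory']} cvss={f['cvss']} ({f['severity']}) criticality={f['criticality']}")
    print("max days to remediate:", days_to_remediate(REMEDIATION_LOG, AS_OF))
```

Running it shows PLC-102 (newly added, still on firmware 2.3.0) flagged by the same advisory that PLC-101's upgrade closed, the SIS finding ranked first despite its lower CVSS score, and one facility carrying a remediation that took well over a year. In practice the inventory snapshots would come from an automated collector rather than hand-written dictionaries, and the ranking weights would be set by the site's process hazard analysis.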



Industrial facilities must recognize that vulnerability management is an ongoing, never-ending process focused on risk reduction, not a point-in-time assessment. Continuously reducing cybersecurity risk across the entire OT environment is what an OT vulnerability management program is all about.

As new vulnerabilities are disclosed and system configurations change, OT systems that were previously secure become insecure. Organizations that implement continuous OT vulnerability assessment and management practices across all of their Level 2, 1, and 0 endpoints are best positioned to avoid the danger unseen OT vulnerabilities present to production safety and reliability.


About the Author

As Director of Product Management at PAS Global, Scott has more than 20 years of experience in security and performance management. Under his leadership NetIQ entered the SIEM market culminating in Gartner leadership designation. He subsequently led the creation of the industry’s first true multi-tenant, single instance log management SaaS platform at Alert Logic. He has held senior positions at various sized organizations ranging from privately held venture-backed technology start-ups to publicly traded Fortune 100 companies including BMC Software, NetIQ, Alert Logic, Quest Software (now a Dell company), Zenoss, and Tenable Network Security. He has a B.S. (cum laude) in Computer Science from Virginia Tech, and an M.B.A. from the University of Houston.

