Whiteboard Wednesday:

How Vuln Management in Industrial Control Systems is Different Than That in Corporate IT

August 29, 2018

In this week’s Whiteboard Wednesday, Scott King, Senior Director of Security Advisory Services at Rapid7 and Brian Proctor, Director of Strategic Accounts at SecurityMatters, team up to discuss how vulnerability management in ICS is different from that in corporate IT environments. Learn what four approaches you can take to monitor the vulnerabilities in your industrial control systems and discover how your systems work, operate, and communicate with each other for a more effective approach to control system monitoring.

Video Transcript

Hello, everybody, my name is Scott King, and I work for Rapid7.

Show more Show less

Hi, I'm Brian Proctor with SecurityMatters.

Today we're both here to talk to you about how vulnerability management inside industrial control system networks is not the same as vulnerability management inside of an IT network. To me, one of the main things that I think about is your ability to patch.

Inside of an IT environment, you're able to take routine downtime, you're able to bring systems offline, and you're able to patch them when you find vulnerabilities. Inside of an ICS environment, you're just not. And often times patches aren't even available.

A lot of the times the vulnerabilities that are present in ICS environments are by design. That's how the system works. There is no patch for it. So what you're left with is dealing with things like compensating controls, air gapping networks and putting in place defense mechanisms that allow you to monitor those environments for the types of intrusions, and the type of system behavior that would indicate there's a problem.

Now, when you talk about vulnerability management in ICS networks there are some major differences. And there are also differences in approach. Brian?

When we talk to folks about conducting vulnerability management practices in their control systems we're really talking about four different approaches. And over here on the far right that's the active approach, as Scott said earlier, that approach in ICS causes a lot of concern. I know that Scott and I have some personal experience where we've seen the effects of an active approach in a control system that had some negative effects on the operational process.

So most security experts will tell you that's not the approach that you want to take in a control system, especially at the lower levels of the control system where you have controllers or other critical assets. But the other three approaches are more passive approaches. Starting from complete passive monitoring, where you're inspecting these protocols, and you're extracting inventory data from them and then you're matching the inventory data to known vulnerabilities. So a lot of ICS asset owners are really pushing forward with that, because there's literally no impact to the control system. It's completely passive.

The second approach is more from a configuration file. So a lot of these control system vendors have configuration files may be on engineering workstations or some type of server somewhere. And what you can do is look at those files, parse those files, once again get the inventory data and match those to known vulnerabilities.

And then the third kind of approach is kind of a mix between passive and active. It's an approach called selective probing. And what this is, is it's all about using protocols that these devices are built to function with. And asking for that data and asking for that asset inventory data so then once again you can match those with known vulnerabilities. So complete passive, configuration file, parsing or probing. Those are really the three approaches that we talk to folks about.

And not only that, the passive monitoring approach, in addition to all the benefits that we've talked about here, from an operations perspective, it actually allows you to identify and spot operational problems that are not security related within your control network as well. And that goes well beyond just understanding the vulnerabilities. That gets into control system operations, how devices are behaving, how they're communicating with each other. And the real benefit of that type of passive monitoring is that you're able to look for deviations from norm in the communication behavior of the devices and spot when things are out of alignment with what they should be, or when they're going beyond the types of expectations you have of how those systems communicate with each other.

So when you think about vulnerability management inside of an ICS environment one of the main things you want to think about is it's very helpful to understand what those vulnerabilities are and how they can manifest themselves, but the number one thing that you should be paying attention to is how the system inside the control system network work, operate, communicate with each other and how those vulnerabilities can be mitigated through compensating controls.

Additionally, doing ongoing routine assessments for vulnerabilities is not going to be a good use of your time. Understanding the type of assets you have in your environment and how they talk to each other again is a much more effective approach for control system motioning.

So don't apply those IT vulnerability management practices to your control system. Take what Scott and I have from personal experience and apply those. Thank you for tuning in. We'll talk to you next time.

Rapid7 Advisory Services

Learn more about engaging our resident experts for your security program.

View Services


Security matters. Learn more about the innovative initiatives this company is taking to strengthen cyber resiliency.

Learn More