Video: Scanless Vulnerability Monitoring for ICS Environments

Video: Scanless Vulnerability Monitoring for ICS Environments

Learn how Industrial Defender ASM® protects against ICS vulnerabilities in a new way in this 5-minute demonstration by Peter Lund, Director of Product Management at Industrial Defender.

Questions Answered in this Video

Why Scanless Vulnerability Monitoring?

Existing ICS monitoring solutions aren’t always a good fit for finding and monitoring known vulnerabilities. Much of the industrial control hardware deployed today wasn’t meant to be scanned on a network or host level. It can be difficult to install agents on devices with non-existing or closed-off operating systems, and by opening the device up to a remote scan, you offer a new way for attackers to get in.

How does scanless vulnerability monitoring work?

Industrial Defender ASM® takes information from the asset inventory standpoint, compiling a list of all of the devices in your environment and then running the software inventory, patches, ports and service information through a customized vulnerability monitoring service hosted right here in Foxboro, MA. We run this information through databases like the National Vulnerability Database, ICS-CERT feed, Microsoft patch feed and Red Hat patch feed. All of the data is then available in an easy to manage module within ASM.

What are the different ways to see my vulnerabilities within ASM?

ASM provides 4 different ways to filter your vulnerabilities:

  1. Assets
  2. Applications
  3. Vulnerability Name and Score
  4. ICS-CERT Bulletin Name

By giving the user an option to filter vulnerabilities a few different ways, and providing augmented information about each vulnerability within the application, we make it easy to stay on top of the weak spots in your ICS environment.

Video Transcript & Slides

Hi, this is Peter Lund – Director of Product Management at Industrial Defender. I’m going to spend a few minutes talking about a new and better way to detect and monitor vulnerabilities in an ICS environment, specifically a way that’s done in a scanless methodology. So first a bit about vulnerabilities and why they matter. Over the last decade we’ve seen a number of attacks on the nation’s critical infrastructure. Whether it was the CERT alert that we have here on the screen, or something like NotPetya, Shamoon, WannaCry, STUXNET, Black Energy – the list goes on and on. It’s clear that we’re under attack and we need to pay attention to the ICS environment.

If you look at any of the cybersecurity standards that are out there, whether it be NERC Compliance for reliability of the electrical grid, whether it be the NIST cybersecurity framework, the ISA or IEC 62443, the NIST directive, overseas, all of these standards say “you need to care about your vulnerabilities”. That’s really where your exposure is.

Existing solutions out there aren’t always a good fit for ICS. They may be network scan-based. A lot of the ICS gear out there wasn’t necessarily designed to be scanned. Sometimes bad things can happen when you scan them. You might have a host-based scanner which would require an operating system to be in place and an agent be placed on that as well. Often times these ICS environment endpoints don’t have operating systems or the operating system might be closed off and not available. Or you might be interested in doing a remote credentialed scan, as an example. To do these remote scans, you now need to open up remote access, administrative privileges, and this just might be exactly what your attackers are waiting for you to do — all for the purpose of doing a vulnerability scan.

Here at Industrial Defender, we do vulnerability monitoring a bit differently. We take it from the asset inventory standpoint first. Understanding that asset inventory is of utmost importance before you do your vulnerability scan, the ASM is collecting software inventory, patches, ports and services about the environment. We take that data and we anonymize it, share it with the vulnerability monitoring service hosted here in Foxboro, and we basically bounce that software inventory off all of the public feeds that are out there and we’re actually looking at some of the private feeds as well. We are determining if a software title has a vulnerability, and if it has any patches by looking at things like the National Vulnerability Database, the ICS-CERT feed, the Microsoft patch feed, the Red Hat patch feed. All of that data is available and we check that against the inventory, and when we find a match, we essentially provide that back to a customer for upload into the ASM where we can actually show the vulnerabilities in a real-time way.

We’re going to actually show a demo of that here in a second. So we switched over to the ASM now where we’re doing a lot of great data collection for security & compliance. You can see quickly that the vulnerability monitoring view has given us quite a bit of information about this environment that we’re monitoring.

I can quickly see the number of outstanding vulnerabilities on a per-asset basis. I can see that there are ICS-CERT bulletins available for specific vulnerabilities. We can see that there’s patches available, and we can quickly take action on these items.

So let’s say I wanted to view the biggest offending application in my environment,

or I wanted to view the vulnerabilities and their highest scores.

Or let’s say I wanted to view specific ICS-CERT bulletins. This is kind of my favorite part of the tool, where I can see that I’ve got assets in my environment that currently have ICS-CERT bulletins available for them. You can click through and see actually what that bulletin is. You can find the related vulnerabilities to it, and you can quickly see that it impacts two assets and with our administrative properties, we can see where they’re physically located so we can get in touch with those asset owners and fix it. If you’re looking for more info, you can quickly hyperlink out to the actual bulletin itself, or the vulnerability itself.

So that was a quick overview of ASM Vulnerability Monitoring service. For more information, feel free to check us out at our website or email us at info@industrialdefender.com. Thanks.