In this ongoing series, I take a deeper look at individual components of the Claroty Platform. This week, I'll look at our OT Threat Vector Analysis, a powerful tool to help discover hidden vulnerabilities in your ICS network.
Penetrate, Patch... and Pray
In my previous blog, I referenced George Santayana's warning, “those who cannot remember the past are condemned to repeat it.” This past week, we saw incidents involving increased probing of critical infrastructure leveraging a vulnerability in certain Cisco switches, and an attack on an EDI service provider that disrupted data communication services at four major US interstate gas pipelines. These kinds of attacks are the result of an increase in the number of known vulnerabilities and Internet-accessible ICS components – which expands the available attack surface and makes Santayana’s words even more true this week than last week.
In a typical IT-oriented world, organizations perform annual penetration tests to identify vulnerabilities in their IT infrastructure and to prioritize patching, but far fewer extend this practice to their ICS networks. For those who do, “pen testing” and “red team” exercises can provide some value in risk assessment, but the OT environment presents several unique challenges.
Traditionally, ICS networks were separated from internet-facing devices. In some cases, this took the form of logical separation whereas, in critical industries, such as power generation and infrastructure control, air-gapping was the chosen approach. The rise of always-connected devices has shifted the ICS foundation. Nowadays, organizations need a way to remotely monitor SCADA and ICS networks all the while responding to the changing threat landscape.
In a recent Positive Technologies report, a sharp increase in disclosed weaknesses was seen – 197 in 2017 compared to just 115 in 2016, a dramatic increase of over 70%. The report also shows that, based on the Common Vulnerability Scoring System (CVSS) v3, 41% of those disclosed weaknesses were classified as “high” severity and 20% as “critical” – a concerning trend.
Historically, relying on a “penetrate-and-patch” strategy has failed to significantly reduce or mitigate risk over the long haul as the tests do not look deep enough into network components and the results are therefore incomplete. As we like to say about vulnerabilities, “absence of evidence is not evidence of absence”.
Digging Deep to Uncover Hidden Vulnerabilities
The useful life of many of the assets in OT plants is 35 years, so much of what needs to be protected was commissioned years ago and is inherently insecure. In the real world, being able to simulate and measure risk and derive security best practices for these mature environments starts with applying a deep understanding of the network, its underlying assets, and the overall importance of each element. Once applied, this approach can provide a better understanding of the potential risks, categorize them, and prioritize activities along the paths of greatest potential impact. This modern methodology helps empower your SOC and security teams, providing them with the visibility needed to proactively mitigate risk.
Watch the video to see how Claroty’s OT Attack Vector Analysis generates specific scenarios simulating possible attack vectors that have the potential of compromising operational assets.
Applying a Practical Approach
By automatically identifying assets across the entire ICS network – including assigned IPs, nested assets, and assets that communicate over serial connections – security teams gain the know-how needed to mitigate risks across the ICS network. Claroty’s visual representation of potential risks along the attack chain sheds immediate light on the most critical security gaps, allowing more effective use of limited skilled resources and minimizing the overall attack surface.
- Consolidated view of security risk – easily visualize the impact of potential risks and other security gaps to your “crown jewels”
- Simplified visualization – continuous, comprehensive attack analysis simulation, all without impacting critical OT infrastructure
- Actionable mitigation and remediation – provide security teams with contextual mitigation recommendations based on the most likely attack scenarios
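To make the attack-chain idea above concrete, here is an added example (not Claroty's code, and not how the product is implemented) that runs a passive attack-vector analysis over a small, constructed ICS inventory. The asset names, zones, criticality scores and vulnerability counts are all made up for illustration; the inventory is a plain dictionary that a real deployment would instead populate from passive traffic analysis. The example enumerates paths from internet-exposed assets to crown jewels (criticality 5), including a PLC reachable only through a serial gateway, ranks those paths by a simple score (fewer hops and more known-vulnerable hops rank higher), and reports the intermediate assets shared by the most paths as the first place to apply mitigation. Nothing here touches a network: the analysis runs entirely on the inventory model.

```python
"""Constructed attack-vector analysis over a small ICS asset inventory.

Assumption: the inventory below is made up for this example; real tools
build it from passively observed traffic. Scores and recommendations are
illustrative, not a vendor's scoring model.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    zone: str                 # "it", "dmz", "ot" or "serial" (constructed labels)
    criticality: int          # 1 (low) .. 5 (crown jewel)
    internet_exposed: bool = False
    known_vulns: int = 0      # constructed count of published weaknesses for this asset
    talks_to: list = field(default_factory=list)   # observed communication peers


# Constructed inventory: a VPN gateway and a historian are reachable from the
# internet; an engineering workstation talks to one PLC directly and to a
# second PLC through a serial gateway (a "nested" asset with no IP of its own).
INVENTORY = {
    "vpn-gw":    Asset("vpn-gw", "dmz", 2, internet_exposed=True, known_vulns=1, talks_to=["it-ws-7"]),
    "it-ws-7":   Asset("it-ws-7", "it", 1, known_vulns=2, talks_to=["jump-host"]),
    "jump-host": Asset("jump-host", "dmz", 3, known_vulns=0, talks_to=["eng-ws"]),
    "eng-ws":    Asset("eng-ws", "ot", 3, known_vulns=3, talks_to=["plc-1", "serial-gw"]),
    "historian": Asset("historian", "ot", 2, internet_exposed=True, known_vulns=1, talks_to=["eng-ws"]),
    "plc-1":     Asset("plc-1", "ot", 5, known_vulns=1),
    "serial-gw": Asset("serial-gw", "ot", 2, known_vulns=0, talks_to=["plc-2"]),
    "plc-2":     Asset("plc-2", "serial", 5, known_vulns=2),
}


def attack_paths(inventory, max_depth=6):
    """Enumerate simple paths from internet-exposed assets to crown jewels (criticality 5)."""
    paths = []

    def walk(node, path):
        if len(path) > max_depth:          # bound the search on large inventories
            return
        asset = inventory[node]
        if asset.criticality == 5 and len(path) > 1:
            paths.append(list(path))       # reached a crown jewel: record and stop
            return
        for peer in asset.talks_to:
            if peer not in path:           # simple paths only, no cycles
                walk(peer, path + [peer])

    for name, asset in inventory.items():
        if asset.internet_exposed:
            walk(name, [name])
    return paths


def score_path(inventory, path):
    """Higher score = more valuable target, more known-vulnerable hops, fewer hops overall."""
    vulns = sum(inventory[n].known_vulns for n in path)
    target = inventory[path[-1]].criticality
    return round(target * (1 + vulns) / len(path), 2)


def choke_points(inventory, paths):
    """Intermediate assets shared by the most paths: the best mitigation leverage."""
    counts = Counter(n for p in paths for n in p[1:-1])
    return counts.most_common()


def analyse(inventory=INVENTORY):
    """Rank attack paths and name the asset whose hardening cuts the most of them."""
    paths = attack_paths(inventory)
    ranked = sorted(paths, key=lambda p: score_path(inventory, p), reverse=True)
    return {
        "paths": ranked,
        "top_path": ranked[0] if ranked else None,
        "choke_points": choke_points(inventory, paths),
    }


if __name__ == "__main__":
    result = analyse()
    for p in result["paths"]:
        print(f"{score_path(INVENTORY, p):>6}  " + " -> ".join(p))
    print("mitigate first:", result["choke_points"][0])
```

On this constructed inventory the highest-scoring path is the short one from the internet-exposed historian through the engineering workstation to plc-1, and the engineering workstation appears on every path, so segmenting or patching it first removes the most attack vectors at once. The scoring function is deliberately simple; the point is that prioritization follows from the model of the network rather than from scanning production assets.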