The vulnerability life cycle in an industrial environment
Telecommunications technology has experienced a great improvement in the last decade, with the addition of new functionalities, such as the Internet of Things (IoT) and cloud computing (Cloud Systems) in automation and control systems. However, current implementation practices in industrial systems are still generating a wide variety of security vulnerabilities.
Cybercriminals exploit global security vulnerabilities in Industrial Control Systems (ICS) to take control or disrupt normal system operation functions. Therefore, it is essential to identify and analyze security vulnerabilities and weaknesses in these systems to develop security solutions and protection mechanisms.
In this context, it is important to highlight the importance of constantly monitoring all assets and knowing their status, updating systems with security patches for known vulnerabilities. This significantly reduces the risk of a successful cyber-attack.
Vulnerabilities life cycle
The vulnerability lifecycle is a process used to identify, assess and mitigate vulnerabilities in systems or their networks. It consists of several phases, each of them being carried out in a sequential and cyclical manner to ensure adequate protection against vulnerabilities.
- Detection and validation: the first phase consists of detecting and validating vulnerabilities in systems and networks. This is achieved through automated and manual scanning tools, Red Team activities, or by consulting alert reports or security advisories.
- Analysis: once the vulnerabilities have been detected and validated, a detailed analysis is carried out to assess their severity and the impact they may have on the system and industrial processes.
- Reporting: Those responsible for security in operational environments and system administrators are notified of the existence of the vulnerabilities detected.
- Resolution: The resolution phase involves taking measures to mitigate or resolve the vulnerabilities detected. This may include installing patches, configuring security rules, implementing access controls, among other measures.
Validation and closure: once the mitigation measures have been implemented, a validation is carried out to ensure that the vulnerabilities have been correctly corrected. Finally, the vulnerability is closed and the tracking log is updated.
Vulnerabilities life cycle
A crucial factor in vulnerability lifecycle management is the proper distribution and coordination of the roles in charge of vulnerability management:
- ICS Auditor: responsible for conducting periodic audits to identify vulnerabilities in the automation and process control systems (ICS).
- Vulnerability Manager: responsible for monitoring the vulnerability lifecycle, from detection to mitigation.
- Vulnerability Resolver: in charge of implementing mitigation measures to correct detected vulnerabilities.
- Vulnerability validator: in charge of performing validation to ensure that vulnerabilities have been correctly corrected.
It is important to keep in mind that the assignment of roles and responsibilities in the vulnerability lifecycle may vary according to the specific characteristics and needs of each company or organization.
The key points of the vulnerability lifecycle are shown in more detail below:
Detection and validation
Security assessment is a fundamental process in any organization, its objective is to detect or identify security weaknesses that a potential attacker can exploit to execute cyber-attacks against our systems or networks.
It is important not to limit vulnerabilities to software code errors (bugs), but also to consider weak configurations, insecure application and communication designs, etc.
The challenges facing security assessment in ICS environments are their complexity and heterogeneity, the lifespan of industrial devices and the large volume of known vulnerabilities. This leads organizations to focus only on the most critical vulnerabilities.
Both passive and active techniques can be used when detecting or identifying vulnerabilities:
- Passive techniques:
- They are used only to monitor and collect data and behavior of assets without interacting with them. By capturing traffic and analyzing it, it would be possible to identify the following problems:
- Unknown or non-inventoried assets,
- Unknown communications between assets,
- Use of insecure protocols,
- Devices vulnerabilities associated with the software or operating system.
- The main advantage of this technique is that since it does not interact with the assets, there is a minimal risk of affecting the systems, but, on the other hand, less information is obtained than when using active techniques.
- They are used only to monitor and collect data and behavior of assets without interacting with them. By capturing traffic and analyzing it, it would be possible to identify the following problems:
- Active techniques
- They interact directly with the assets to be analyzed, through the use of scripts or automated tools for the detection of failures in the configuration or known vulnerabilities in the assets.
- Some examples of tools used could be the following:
- Nmap: used for network and port scanning;
- Nessus/OpenVAS: used for vulnerability scanning.
- The main advantage of this technique is that it provides more information about the assets being scanned, but on the other hand, there is a higher risk of affecting the systems and altering their correct functioning.
- Open sources:
- Another way of detecting vulnerabilities would be through the review, either manually or automated, of vulnerabilities that are published in public repositories, which can be used to patch correctly the identified vulnerabilities. Below are some examples of sources where such reports can be consulted:
- Websites and manufacturer's forums
- Security advisories from INCIBE-CERT or other reference CERTs;
- Security newsletters, such as those from INCIBE-CERT
- Social networks.
- Another way of detecting vulnerabilities would be through the review, either manually or automated, of vulnerabilities that are published in public repositories, which can be used to patch correctly the identified vulnerabilities. Below are some examples of sources where such reports can be consulted:
Analysis
Once the vulnerabilities of the assets and systems have been identified, an individual analysis of each one of them must be carried out, in order to prioritize certain vulnerabilities based on the risks that the organization must define for the different assets.
The probability of a specific impact on the organization is known as risk:
R = P (Probability) x I (Impact)
Based on this formula, it is possible to create probability-impact matrices, which will be used as a method to estimate the risk of vulnerabilities against a particular asset.
- Table defining the probability of the impact of a detected vulnerability -
Once the above risk has been defined, it is possible to combine it with the risk assessment obtained through the CVSS value of the vulnerability. This CVSS value can be obtained from published vulnerabilities, or if it is not yet available, it is possible to perform the manual calculation through CVSS calculators, whose values are between 1 and 10.
Below is an example of a matrix where the values obtained from the criticality of the asset and the CVSS are crossed
- Asset severity in relation to its CVSS -
The priority for resolving the vulnerabilities identified per asset should be based on the final risk value obtained from the above matrix.
Reporting
The security managers in operational environments and system administrators are notified of the existence of the detected vulnerabilities.
This phase depends entirely on the organizational chart or structure of the company or organization that has detected a vulnerability in one of its assets.
Once the vulnerability analysis process has been carried out and its magnitude and criticality are known, the following generic steps should be followed:
- List of third parties affected by the vulnerability, including manufacturers and employees of the company that are affected.
- Preliminary analysis of the information to be published, possible consequences or any information considered of vital importance for the treatment of the vulnerability.
- Determine the vulnerability communication channel according to the magnitude of the vulnerability, based on its severity, the effort to correct or mitigate it, the resources needed, the time required and the improvement obtained after the vulnerability has been corrected or mitigated.
Validation and clausure
Once the vulnerabilities have been analyzed and reported, they must be resolved and closed, if possible. The following are some of the methods to be carried out for the resolution of vulnerabilities. These methods must be selected by the vulnerability manager responsible for vulnerability mitigation, i.e. the vulnerability resolver, and once resolved, they must be validated by the vulnerability verifier:
- Mitigate the risk:
- This option involves taking measures to reduce the likelihood or impact of the risk.
- For example, security measures, such as implementing security software or training personnel, can be implemented to reduce the likelihood of an attack.
- Another option would be to eliminate the risk by patching the vulnerability.
- Accept the risk:
- This option involves becoming aware of the risk and deciding not to take additional measures to address it.
- This may be acceptable if the risk is considered acceptable compared to the cost and difficulty of mitigating it.
- Avoid the risk:
- This option involves avoiding risk completely, for example, by eliminating an asset or changing a process to avoid a specific risk.
- Transfer the risk:
- This option involves transferring the risk to another parties, through means such as insurance or contracts.
Once measures have been selected to address the vulnerability risk, it is necessary to establish a timeframe for its resolution. This timeframe will vary depending on the severity and priority assigned to the vulnerability. As in previous cases, a table or matrix could be used to define the timeframe for resolution, an example of which is shown below:
- Prioritization of vulnerability resolution by severity -
Finally, to manage and control vulnerabilities properly, it is important to keep a record of all vulnerabilities and the actions taken to deal with them. The status of each vulnerability should be updated regularly to ensure that they are adequately addressed.
Conclusions
The increasing connectivity between ICS networks and IT networks, together with the use of standard technologies, makes automation and control systems exposed to a wide variety of vulnerabilities and security threats. Therefore, ICS systems have become targets of cyber attacks and it is necessary to conduct security scans and plan countermeasures to avoid serious consequences.
The vulnerability management process should include all lifecycle phases, with special emphasis on detection, using appropriate techniques and tools. Effective ICS vulnerability management helps to identify and assess vulnerabilities and plan effective protection measures. However, due to the scale and complexity of ICS systems, these tasks are more difficult to perform in IT systems.