Making the Most of OT Vulnerability Assessments
Oct 4, 2024 / Industry Insight
An OT vulnerability assessment identifies and evaluates potential vulnerabilities and attack paths in an industrial environment, including its network and systems. It most often combines tools that probe for known vulnerabilities, misconfigurations, and architectural weaknesses with static analysis of the environment. The scope of an assessment ranges from a subset of systems to an entire environment. Vulnerabilities are not exploited in this type of engagement; instead, they are validated, with a focus on finding as many attack paths as possible.
Vulnerability assessments are considered active assessments because they interact with systems and devices, but they have a lower impact as exploits are not executed. The rules of engagement dictate the scope and level of interaction. As with all engagements, safety and reliability take priority. The Insane Cyber team operates best when working closely with the operations and engineering team during these engagements to capture the needed information for industrial systems and devices without impacting operations.
Vulnerability assessments are considered white-box engagements, as the team has access to internal information and personnel and is provided with access to the systems to execute collection tools. To support this engagement type, an organization should have a base-level understanding of the environment and assets.
Components
A vulnerability assessment traditionally consists of the following parts but can be customized based on the customer's needs and scope.
Control System Topology Review: A detailed topology review of the control system architecture, including the devices that control the physical process, the supervisory control systems, the supporting systems such as engineering servers, the business interfacing systems, as well as the underlying compute and storage infrastructure.
Network Topology Review: A detailed topology review of the networks that support the control systems. This includes reviewing the network structure, configurations, traffic flows, and traffic control (firewall rules and access control lists).
Network Enumeration: Targeted enumeration of in-scope subnets and assets using passive and active network tools. Tool outputs and configurations are analyzed to gain a view of network-accessible vulnerabilities.
Host Enumeration: Scanning and configuration inspection using native and introduced tools to identify vulnerabilities on each in-scope host. Host inspection is tailored to the type of host, the operating system, and the software. Manual analysis may be used for critical systems where new processes cannot be executed.
Industrial Device Enumeration: Analysis of the control device and configuration to identify vulnerabilities and exploitable functionality. If a nonproduction test device is available, tools may be used to aid in the analysis.
Active Directory (AD) Enumeration: Enumerating AD is a systematic process of gathering information about an AD infrastructure, including authentication, Domain Name System (DNS), Group Policy, and Certificate Authority (CA) services. The goal is to extract valuable data, such as user accounts, group memberships, system configurations, and other information, to identify vulnerabilities and attack paths.
Deliverables
The main deliverable of an OT vulnerability assessment is a detailed report that provides information on each identified vulnerability and attack path. The report includes finding prioritization, impact, and supporting material for each item so that technical teams, operations, and leadership can prioritize remediation. For each identified item, Insane Cyber also provides customized recommendations that fit the customer's environment and program.
We understand that changes in industrial environments are difficult because we have been there. As such, we often provide short-term and long-term recommendations. We focus on how people, processes, and technology can remediate the vulnerability or stop the attack path.
The other major deliverable of a vulnerability assessment is the set of interactive sessions with the project team. These engagements are a cooperative effort in which the Insane Cyber team works with the engineering, operations, and technical teams. As items are identified, the team discusses their impact and possible solutions. The engagement team focuses on sharing its technical knowledge and past industry experience to help the customer improve their security posture.
Tips for Getting the Most out of an OT Vulnerability Assessment
Involve operations and engineering early to gain buy-in and cooperation.
Clearly define goals, outcomes, and scope.
Define rules of engagement and safe work practices.
Define clear communication channels where all activities can be quickly approved before actions are undertaken.
Ensure that supporting teams, including operations, engineering, OT, IT, security, and leadership, are available during the engagement for information sharing.