Last Updated on January 4, 2024
Active scanning technology common to many vulnerability management tools is notorious for causing device crashes and other disruptions in operational technology (OT) environments—often the worst place for an outage due to high downtime costs and potential threats to health, safety, and the environment. As a result, OT asset discovery and vulnerability management have historically been extremely difficult and often not even attempted.
But with OT networks increasingly overlaid on top of IT networks, many “unmanaged” and potentially vulnerable OT devices are now remotely accessible via the internet. As threat actors relentlessly probe industrial OT environments to gain a foothold for their attacks, orgs are compelled to improve OT vulnerability management processes.
Unfortunately, little of the security control innovation that has taken place on the IT side over the past 20-30 years has reached OT, where “insecure by design” networks and devices lacking basics like authentication or encryption are still commonplace.
A new technological approach
What’s the solution? Huxley Barbee, Security Evangelist at runZero, explains: “We’re not doing any sort of passive capability at this time. We are one of the few vendors out there who even attempts active scanning in OT networks. What we found is by using a security-research-based approach that leverages incremental fingerprinting and avoids the use of security probes, we are actually able to be safe for OT environments.”
According to Huxley, the bad reputation that active scanning has gotten in OT environments has been due in part to a lack of attention and innovation in that area—not because it can’t be done technologically. Traditional vulnerability management tools are built to scan IP networks and to work fast, like the proverbial bull in a china shop. Huxley relates that a major power outage in the US northeast in the early 2000s was caused by an active device scan.
runZero’s incremental fingerprinting takes a more measured approach. First, it gathers whatever information the device already exposes (e.g., leaked data). Then, as each successive packet in the scan and each additional fingerprinting step reveals more, the way the scanner interacts with the device is adjusted accordingly. This avoids altering the state of the device, and ultimately can permit “a final and full scan with accurate fingerprinting.”
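To make the staged approach concrete, here is an added Python simulation of an incremental fingerprinting policy. It is not runZero's code: the probe catalogue, tier names, OUI lookup table, confidence thresholds and sample hosts are all constructed for the illustration. The scanner starts from data the device has already leaked, re-evaluates after every tier whether the evidence permits a more thorough (still read-only) tier, slows its pacing for anything that looks like OT, and never reaches the state-changing tier at all. Note the third sample host: an unidentified device that answers only on a Modbus port stops at the light tier because confidence never gets high enough to justify more.

```python
from dataclasses import dataclass, field

# Probe tiers in increasing intrusiveness (hypothetical names for this example).
PASSIVE, LIGHT, FULL, STATE_CHANGING = 0, 1, 2, 3

# Constructed probe catalogue: (name, port, tier). Not any real scanner's list.
# STATE_CHANGING entries exist only so the policy can name what it refuses to send.
PROBES = [
    ("modbus_read_device_id", 502, LIGHT),
    ("enip_list_identity", 44818, LIGHT),
    ("http_get_root", 80, LIGHT),
    ("snmp_get_sysdescr", 161, LIGHT),
    ("http_enumerate_paths", 80, FULL),
    ("tls_cipher_enumeration", 443, FULL),
    ("default_credential_login", 80, STATE_CHANGING),
    ("protocol_fuzzing", 502, STATE_CHANGING),
]

OT_PORTS = {502, 44818, 102}                      # Modbus, EtherNet/IP, S7comm
# Constructed OUI hints: prefix -> (vendor, looks_like_ot). Real tools use curated DBs.
OUI_HINTS = {"aa:bb:cc": ("ExamplePLC Corp", True), "11:22:33": ("ExampleOffice Inc", False)}


@dataclass
class Host:
    ip: str
    leaked: dict        # data the device volunteers, e.g. its MAC seen in ARP (constructed)
    open_ports: set


@dataclass
class Fingerprint:
    vendor: str = "unknown"
    is_ot: bool = False
    confidence: float = 0.0
    evidence: list = field(default_factory=list)
    probes_sent: list = field(default_factory=list)


def allowed_tier(fp):
    """Ceiling on probe intrusiveness given what is known so far.
    Unknown devices are treated like OT until shown otherwise; OT devices need
    high confidence before the full (read-only) tier; nothing ever unlocks
    STATE_CHANGING."""
    if fp.is_ot or fp.confidence < 0.5:
        return LIGHT if fp.confidence < 0.9 else FULL
    return FULL  # confirmed IT host: full read-only enumeration


def pacing(fp):
    """Packets per second the scheduler may use: serial and slow for OT/unknown."""
    return 1 if fp.is_ot or fp.confidence < 0.5 else 100


def stage_passive(host, fp):
    """Use only what the device already leaked; no packets sent."""
    oui = host.leaked.get("mac", "")[:8].lower()
    if oui in OUI_HINTS:
        fp.vendor, fp.is_ot = OUI_HINTS[oui]
        fp.confidence = 0.6
        fp.evidence.append(f"oui:{oui}")


def run_tier(host, fp, tier):
    """Send every catalogued probe of exactly this tier whose port is open."""
    for name, port, probe_tier in PROBES:
        if probe_tier == tier and port in host.open_ports:
            fp.probes_sent.append(name)
            if port in OT_PORTS:
                fp.is_ot = True
                fp.confidence = min(1.0, fp.confidence + 0.35)
            else:
                fp.confidence = min(1.0, fp.confidence + 0.25)
            fp.evidence.append(f"{name}@{port}")


def fingerprint(host):
    fp = Fingerprint()
    stage_passive(host, fp)
    # Re-check the policy before each tier: a more intrusive tier runs only if
    # the evidence gathered so far permits it.
    for tier in (LIGHT, FULL, STATE_CHANGING):
        if allowed_tier(fp) < tier:
            break
        run_tier(host, fp, tier)
    return fp


# Constructed sample hosts: a PLC with a web UI, an office PC, and an unknown
# device that only answers on Modbus.
PLC = Host("10.0.0.5", {"mac": "AA:BB:CC:01:02:03"}, {502, 80})
PC = Host("10.0.0.9", {"mac": "11:22:33:aa:bb:cc"}, {80, 443})
UNKNOWN = Host("10.0.0.7", {}, {502})

if __name__ == "__main__":
    for h in (PLC, PC, UNKNOWN):
        fp = fingerprint(h)
        print(h.ip, fp.vendor, "OT" if fp.is_ot else "IT", f"{fp.confidence:.2f} pps={pacing(fp)}", fp.probes_sent)
```

The confidence arithmetic is deliberately crude; the point is the control flow, in which the policy function, not the probe list, decides how far the scan may go, and it decides again after every tier.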
What’s next?
For more guidance on this topic, listen to Episode 115 of The Virtual CISO Podcast with guest Huxley Barbee from runZero.