Critical Infrastructure Vulnerability Scanning
An Overview



Herb Myers

Overview

Cybersecurity is becoming part of our everyday conversation, especially for critical infrastructure. Hardly a day passes when we do not read or hear something about threat actors targeting or planning to target our critical infrastructure. While some threat actors are "for-profit," the more significant concern comes from nation-state actors.

Small-to-midsize utilities may assume they are not the biggest targets today, but they are the most likely avenues for distributed, large-scale disruption of our infrastructure. Therefore, understanding and implementing basic cybersecurity hygiene, and building on that foundation, will be of utmost importance over the coming years. Starting with, and understanding, vulnerability scans/assessments is a critical first step.

Please note that "vulnerability scan" and "vulnerability assessment" will be used interchangeably throughout this article.


Background

Cybersecurity for critical infrastructure was not as present in the public consciousness 10-15 years ago as it is today. The public would hear an occasional story about stolen OT-related information or disruptions in service but quickly moved on. Most cybersecurity professionals wrote such incidents off as outliers born of bad policy or configurations.

This view is not entirely unfounded, as any veteran of OT cybersecurity can tell you. Everything from dual-homed workstation NICs and OT segments hung directly off the IT network firewall to assets numbered with public IP addresses was once the norm. While most have moved beyond assigning public IPs directly, the issue of improperly segmented and secured networks persists.

Compounding the concern with critical infrastructure is overconfidence by some. Many will cite the lack of a successful breach "during my 20-year tenure" as a mission completed. Others proudly proclaim they are "air-gapped" and dust off their hands. With either of these stances, the logical question is whether your organization can actually validate the self-assessment.

Today's environment for critical infrastructure demands the ability to validate, baseline, measure, correct, govern and report on your OT security posture. These demands come from your organization, paying customers, partners, insurers, and, increasingly, the Federal Government.


Problem Statement

Modern utility systems are more complex and interconnected than ever. Having your SCADA/OT system communicate with various ancillary services is no longer a luxury but a requirement. AMI, SMS/E-mail notification, Syslog, SNMP, SIEM, and SOC integration are standard components of a robust and resilient utility network. Adding to this complexity is that some of these services may require regular access to the public Internet to function correctly.

Presenting a robust public security posture must be where your organization starts. But just as important is your internal posture between network segments. A good starting point would be to implement a broad internal segmentation strategy with a hard delineation between OT assets and other organizational network assets (IT, for example). However, this does not mean that specific SCADA/OT assets cannot "talk" to IT resources or the public Internet. The correct approach is to ensure that all communications are documented, purposeful, specific, and granular.

Having an open yet secure OT infrastructure requires more diligence than ever. Regular vulnerability scans constitute a significant component of validating your overall public and internal security posture. The cadence with which an organization conducts vulnerability scans will vary depending on how fast your network changes, and there is no single correct answer. However, as a guideline, public scans should be performed once a month and internal scans once a quarter.


What Is A Vulnerability Scan?

A vulnerability scan is performed by dedicated software that interrogates all IP-addressable devices within your network. Once these devices are identified, the software detects issues using a database of known vulnerabilities, assigns a risk score to each, and proposes resources to help address the problem.


What Type Of Information Will A Vulnerability Scan Produce?

A vulnerability scan will produce a robust report detailing all information and discovered vulnerabilities grouped by IP address. Even the smallest networks will generate hundreds of pages. Most will also show a visual "dashboard" or "scorecard" outlining the high-level health of your network.


A Vulnerability Scan Sounds Like A Lot Of Information To Digest

It is, and it can seem overwhelming. If your organization is just now starting a cybersecurity "journey," the report will likely paint a grim picture. However, remember that the report categorizes by IP address, so the problems can be broken down and addressed individually.
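The two sections above describe what the report looks like (findings grouped by IP address, plus a high-level scorecard) and how to make it digestible (work the list host by host). The following added example, which is not code from the article or from any scanner vendor, shows that workflow over a constructed CSV-style export. The column layout, plugin names, and the per-host risk weighting are all assumptions made for illustration; real scanners use their own export formats and scoring.

```python
"""Group constructed vulnerability-scan findings by host and build a scorecard."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export in a generic "host,port,plugin,severity,cvss,title" layout.
# These rows are made up for illustration; they are not output from any real scanner.
SAMPLE_EXPORT = """\
host,port,plugin,severity,cvss,title
10.10.20.5,502,MODBUS-INFO,Info,0.0,Modbus/TCP service detected
10.10.20.5,80,HTTP-DEFAULT-CREDS,Critical,9.8,Web interface accepts default credentials
10.10.20.5,23,TELNET-OPEN,High,7.5,Telnet service enabled
10.10.20.7,161,SNMP-PUBLIC,High,7.5,SNMP community string 'public' accepted
10.10.20.7,161,SNMP-V1,Medium,5.3,SNMPv1 enabled
203.0.113.10,443,TLS-OLD,Medium,5.9,TLS 1.0 supported
203.0.113.10,3389,RDP-EXPOSED,Critical,9.0,Remote Desktop reachable from the Internet
"""

SEVERITY_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


@dataclass
class Finding:
    host: str
    port: int
    plugin: str
    severity: str
    cvss: float
    title: str


def parse_export(text):
    """Parse the CSV-style export into Finding objects, skipping the header row."""
    findings = []
    for line in text.strip().splitlines()[1:]:
        host, port, plugin, severity, cvss, title = line.split(",", 5)
        findings.append(Finding(host, int(port), plugin, severity, float(cvss), title))
    return findings


def group_by_host(findings):
    """The report structure the article describes: findings keyed by IP address."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.host].append(f)
    # Worst finding first within each host so the top of each section is actionable.
    for host in grouped:
        grouped[host].sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.cvss), reverse=True)
    return dict(grouped)


def scorecard(findings):
    """High-level dashboard: counts per severity plus a worst-host ranking."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    ranking = []
    for host, items in group_by_host(findings).items():
        actionable = [f for f in items if f.severity != "Info"]
        # Host risk = highest CVSS on the host plus a small bump per additional
        # non-Info finding. This weighting is constructed, not a standard formula.
        top = max((f.cvss for f in actionable), default=0.0)
        score = round(top + 0.1 * max(len(actionable) - 1, 0), 1)
        ranking.append((host, score))
    ranking.sort(key=lambda hs: hs[1], reverse=True)
    return {"counts": counts, "ranking": ranking}


def next_work_items(findings, limit=3):
    """Break the report down into the first few individually addressable items."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.cvss), reverse=True)
    return [(f.host, f.port, f.title) for f in ordered if f.severity != "Info"][:limit]


if __name__ == "__main__":
    fs = parse_export(SAMPLE_EXPORT)
    card = scorecard(fs)
    print("Severity counts:", card["counts"])
    for host, score in card["ranking"]:
        print(f"{host}: risk {score}")
    for item in next_work_items(fs):
        print("Next:", item)
```

The point of `next_work_items` is the article's advice that the report is manageable once it is treated as a per-host backlog rather than one large document: the public-facing host and the device accepting default credentials surface first, and the informational rows never compete for attention.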


So I Should Address My Deficiencies Before Having A Vulnerability Scan?

Not necessarily; it depends on what your goals are. Many organizations use vulnerability scans to validate the scope of the problem and justify budget forecasts. However, the ultimate goal is to put egos and feelings aside, roll up your sleeves, and be honest and purposeful about strengthening your security posture. In other words, don't be embarrassed by what the vulnerability scan may find; finding those problems is the singular purpose of the exercise!


Can A Vulnerability Scan Disrupt My OT/SCADA Operations?

Yes, this is a possibility. Most scanners have a "safe" option that reduces the network load on OT devices and only looks for the most fundamental problems. Before scanning an OT network, one should understand all available approaches the vulnerability scanner offers to maintain operations and stability. An assessment, especially an initial one, should be performed in a maintenance window and configured using the least aggressive options supported.


Credentialed or Non-Credentialed?

Most vulnerability scanners allow for "credentialed" scanning. Credentialed scanning means you supply known-working usernames and passwords with full privileges to the scanner software. This allows for a more detailed assessment but also carries an operational risk, i.e., the scanner could disrupt operations. Credentialed scanning should always be approached with caution on an OT network, and it should never be performed before:

1) A non-credentialed assessment has been performed.
2) All items in the non-credentialed assessment have been addressed.
3) Your OT vendor(s) have been consulted.
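The guidance above (scan cadence of monthly public and quarterly internal scans, least-aggressive options inside a maintenance window for OT, and the three prerequisites before credentialed scanning) is easy to state and easy to skip under time pressure. The following added example, not code from the article or any scanner product, turns it into a small governance check that a change-control process could run before a scan is approved. The segment records are constructed, and the profile keys (`safe_checks`, `max_concurrent_hosts`) are generic placeholders rather than any product's option names.

```python
"""Scan governance helper: cadence per segment and the OT credentialed-scan gate."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Guideline cadence from the article: public-facing monthly, internal quarterly.
CADENCE_DAYS = {"public": 30, "internal": 90}


@dataclass
class Segment:
    name: str
    exposure: str                 # "public" or "internal"
    is_ot: bool
    last_scan: Optional[date]     # most recent completed (non-credentialed) scan, if any
    open_findings: int            # items from that scan still unresolved
    vendor_consulted: bool        # OT vendor(s) have signed off on credentialed scanning


# Constructed inventory for illustration only.
SEGMENTS = [
    Segment("public-edge", "public", False, date(2024, 3, 1), 0, False),
    Segment("scada-lan", "internal", True, date(2024, 1, 15), 4, True),
    Segment("plant-historian", "internal", True, None, 0, False),
]
TODAY = date(2024, 4, 10)


def scans_due(segments, today):
    """Names of segments whose next scan is due or overdue under the guideline cadence."""
    due = []
    for seg in segments:
        interval = timedelta(days=CADENCE_DAYS[seg.exposure])
        if seg.last_scan is None or today - seg.last_scan >= interval:
            due.append(seg.name)
    return due


def credentialed_blockers(seg):
    """The three prerequisites the article sets before credentialed scanning on OT."""
    blockers = []
    if not seg.is_ot:
        return blockers            # the gate applies to OT segments only
    if seg.last_scan is None:
        blockers.append("no non-credentialed assessment on record")
    if seg.open_findings > 0:
        blockers.append(f"{seg.open_findings} non-credentialed finding(s) still open")
    if not seg.vendor_consulted:
        blockers.append("OT vendor(s) not consulted")
    return blockers


def plan_scan(seg, in_maintenance_window, want_credentialed=False):
    """Build a conservative scan profile, or defer when the OT preconditions are unmet."""
    if seg.is_ot and not in_maintenance_window:
        return {"target": seg.name, "status": "deferred",
                "reason": "OT scans run only inside a maintenance window"}
    blockers = credentialed_blockers(seg)
    return {
        "target": seg.name,
        "status": "approved",
        "mode": "credentialed" if want_credentialed and not blockers else "non-credentialed",
        "blockers": blockers,
        # Least aggressive settings on OT: safe checks only, one host at a time.
        "safe_checks": seg.is_ot,
        "max_concurrent_hosts": 1 if seg.is_ot else 8,
        "first_assessment": seg.last_scan is None,
    }


if __name__ == "__main__":
    print("Due:", scans_due(SEGMENTS, TODAY))
    for seg in SEGMENTS:
        print(plan_scan(seg, in_maintenance_window=True, want_credentialed=True))
```

Note that a request for a credentialed scan on `scada-lan` is downgraded rather than refused: the non-credentialed scan still runs (with safe checks, one host at a time), and the unresolved findings are reported back as the reason the credentialed pass has to wait.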


Solution

We've covered that a vulnerability assessment is essential, that public posture is the most critical while internal posture is almost equally so, and that interpreting a raw vulnerability scan can be daunting. So what should your organization's next steps be?

As overused as this advice is, start and start today. The quicker you understand your risks, the faster you can address them, the more accurately you can report on your network, and the better you sleep at night.

Suppose your organization has the time and expertise to tackle this problem. In that case, you can purchase a copy of your favorite vulnerability scanner, start regular scans, and address the issues at a purposeful cadence. Unfortunately, time and expertise will likely be the most significant hurdles facing small-to-midsize operators.

From a practical standpoint, your organization may benefit from partnering with an organization familiar with vulnerability scans. Prior experience with the unique challenges of OT networks will accelerate interpreting and categorizing scan results. In addition, developing an action plan to address and directly solve deficiencies can quickly become a significant internal commitment. Finding the right partner will fast-track your organization's progress and provide an excellent baseline for continuing the process internally if desired. Lastly, a quick turnaround on cleaning up your security posture eliminates network "noise" and makes passive monitoring solutions (like SCADAfence), or integration with a SOC, much more meaningful.


Conclusion

Cybersecurity challenges facing critical infrastructure are not going away. However, as the complexity of OT networks increases, cybersecurity will scale mostly linearly with it. If your organization has not started a meaningful cybersecurity journey, begin with a comprehensive public vulnerability scan. The public Internet is global in scope and is where the threat actors operate. Ensure that your public-facing OT/SCADA security posture is up to the task!

Where is your organization on its cybersecurity journey? Has your organization performed a vulnerability scan in the past? Was your vulnerability scan performed in-house or by a third party?

Contact Electric Blue Consulting for a complimentary public vulnerability scan today!
