Vulnerability Management End User Challenge - ICS Device Risk

Many companies have benefited greatly from rapid IT infrastructure changes to enhance a their overall capabilities and operational efficiency. By their very nature, companies operating Industrial Control Systems (ICS) - commonly considered Operational Technology (OT) - strive to derive value and tangible returns from investments made to support their company operations and to facilitate ongoing growth. Demands to perform and produce have never been greater, and today’s hyperconnected world serves to elevate the importance for companies to gain meaningful and measurable value from their transformative investments. This is especially true where digital and physical systems used across industry are intertwined and linked via technologies with wired and wireless network pathways.

It is still commonplace for some industries and their constituent member companies’ ICS to remain locked into an antiquated past. ICS continuously operating on a 24x7 schedule may have hardly changed in their designs over years. The reason comes as no surprise to those familiar with ICS.  However, for others with an IT-oriented viewpoint where technology life is sometimes measured in months, not years, a commonly asked question is why is ICS so different?

• The physical and mechanical assets in use continue to reliably work without fail in their existing environment.  
• These same assets and their parent systems may continue to operate far beyond their originally intended digital and physical lifespans.  
• For some mission-critical operations, failure is simply never a viable option.
• Once started, the notion of unproductive downtime is equally undesirable, if not  unacceptable.

Consider the ongoing advancements in digital technologies for the benefit of an ICS; Data collection and external connectivity to improve operational uptime, maintenance efficiency and specific regulatory demands have led to changes in the digital control platforms that operate the physical and mechanical assets. Recognizing these benefits requires careful exploration into cost/benefit as a re-investment may require years to recoup. Regulation and safety will force change, but other factors will resist change to ensure risk aversion to a steady financial return and delivery of service inadvertently invoked by the change.

• The capital investment costs necessary to move from design, through installation, and finally to continuous operations alone can take many years or decades to recover.
• Continuous production is a requirement to offset sunk costs.
• System maintenance and upkeep costs are profit detractors but must be accommodated to ensure equipment availability and uptime so that financial/service targets are met and maintained. 

Cybersecurity risk management has become yet another factor to consider for ICS. Vulnerabilities are found in these devices and the attacks against these devices are real, threatening our ability to safely operate our facilities. This has led to competing ideologies in the boardroom to balance requirements of core business investments.

With the acknowledgement of cybersecurity threats to ICS, many tools have emerged in the market to assist end users to improve their defenses around established investments and installations against evolving threats. In addition to tools, more disciplined processes that include continuous improvement mechanisms have grown in popularity since such approaches deliver measurable value, to reduce risks and accelerate a host of other dynamic business objectives and requirements.  

A Vendor Perspective

Many embedded product manufacturers, whether their products are destined for consumers or for light or heavy industrial applications, have begun to:

• Expand security in their product’s capabilities as these are supplied to their customers.
• Formal approach toward the application of a Secure Software Development Life Cycle (Secure SDLC) model 
• Explore involvement with the generation and management of a Software Bill-of-Materials (SBOM).

These improvements are welcomed and applauded since it serves both the manufacturer and the end-user alike.

The Challenge to an ICS End User of an ICS 

Between the relatively early adoption ICS vendors have taken to implement a Secure SDLC process and end users calculated fiscal decisions to adopt new technology, two areas are contributing to the slow adoption of security controls in ICS:

• Gained improvements made by ICS vendors must be adopted by end users pitting them against managing the capital investment and operating costs of a previous, stable installation and move to a new, unproven installation.
• An ICS is a compilation of many embedded product technologies spread across multiple vendors and vendor product lines. Improved security capability adopted by one vendor does not inherently mean that the entirety of the environment will recognize the same, or desired, risk reduction benefit.

This is especially true within an ICS where it is still commonplace for unique technologies and products to still hold their place as critical potential single-points-of-failure capable of singlehandedly disrupting operations of even the largest of systems.

How do end users understand and manage risks across the breadth of technology within their ICS devices?

Initiated many years ago, end users increasingly demanded greater security visibility into their ICS that operate their environments. Naturally, common servers and workstations have been an obvious starting point as they greatly share the same technologies as found in the IT domain. Discovery and identification of the devices operating within the ICS networks was not far behind, in which the market has produced viable options. Today we are on a path to understand more about the risks of the internal operations of these embedded devices and their use within an ICS.

Recent discussions of the benefits of creating and maintaining a Software Bill-of-Materials (SBOM) has brought to light that for an embedded device-level SBOM, that was only going to be achievable if being produced and managed by the vendor. Some, if not all, vendors will likely deliver some form of an SBOM for the industry, but unless all vendors do so ICS end users will not fully achieve the device coverage visibility they require for their multi-vendor environments.

It’s equally important for these same system owners to have the capability to obtain SBOM visibility into older, sometimes even end-of-life devices running in their environments. They must also be able to gain insights into devices supplied by both large and small vendors as the risk and criticality is not directly aligned to vendor size or technology.

This is where NetRise can play a role in filling the gap that exists in today's ICS environments:

• Continuously monitor for known and newly discovered vulnerabilities and risks of other components and artifacts
• Greatly reduce the incident response or vulnerability timeline (i.e. log4j, heartbleed, etc.)
• Gain the ability to query data and understand the true risk associated with a device

• Improve security controls, with the ability to prioritize based on knowledge and contextual risk

By today’s measures, IT and ICS are separate yet connected worlds, inextricably linked, with designs that often look more the same, than different. Still, each carries specific operating objectives and priorities, and continues to evolve at distinct paces as each strives to best address dynamic business needs to unlock greatest value from technology investments. End users need to have equal visibility of the risk within all of their vendor devices, irrespective of the maturity levels of the vendors, stage of the product life-cycle or the environment in which they operate.