Authenticated vulnerability scanning in OT environment
Most technical people and researchers are saying that implementing vulnerability scanning in an Operational Technology environment is not a feasible thing due to specific equipment limitations. So, what can be done to identify open vulnerabilities?
This is a real fact because a large part of the energy distribution network is using PLCs and other assets connected via ethernet which could become unstable or worst completely freeze when they are scanned for open ports or OS discovery.
On the other hand, without having a clear picture of the landscape and exiting open gaps due exposed vulnerabilities could create a perfect entry gate for medium skilled attackers who can easily exploit some of them and gain access to critical control equipment.
So, what can be done to identify open vulnerabilities?
The first thing is to find a way to perform a proper discovery scan to identify any connected devices. This can be accomplished using two different approaches, depending on technical possibilities:
The first option is to analyze network traffic using a RSPAN port.
This method of discovery is a safe option and has no impact on the production environment. The downside is that this approach may miss some assets which communicate rarely and the gathered information is also limited. The identifiable vulnerabilities only include basic categories like cleartext protocols, misconfigured assets and such.
The second option is to configure a very light and limited vulnerability scan profile.
The discovery scan profile should be configured to be as light as possible, throttling the number of packets sent to a maximum 1 packet per second. This also includes ICMP packets. The TCP scan packets should perform the full TCP handshake (3-way handshake) and TCP SYN scan only should be avoided. The scanned TCP port list should be small (no more than 2-4) and be performed only on management services like SSH, Telnet, HTTP, HTTPS to prevent asset lockup. UDP ports should not be scanned.
This method maybe still lockup or freeze devices and pilot tests in a testing environment is recommended to be performed.
The next phase, based on the gathered information from the initial discovery, is to perform a scan with a technique called “banner grabbing”. This can be used to retrieve the version of the management services running on the assets. This can be compared to vulnerability databases online to determine the existence of vulnerabilities.
Some scanners may allow authenticated scanning which could be performed on some assets. Due to the large numbers of manufacturers and embedded OS versions this may not prove that useful since OS information gathering integrations will be limited. This method will prove useful for IT assets used in the OT infrastructure.
For the purpose of authenticated scanning a central AAA system (Authentication, Authorization, Accounting) is recommended to be used like Active Directory or LDAP. The vulnerability scanning tool should use its own credentials with specific rights and auditing.
After performing the above steps, the scanned assets can be grouped in 3 categories:
- Category 1 – assets allowing only RSPAN discovery scan (sensitive equipment)
- Category 2 – assets allowing banner grabbing scans (most of the assets)
- Category 3 – assets allowing authenticated scanning (most of the IT assets used in OT)
Upon conducting these scans, a clearer picture of the environment should be available and technical measures to close the discovered security gaps should become more obvious.
PHOENIX Project is developed exactly for this scope, to cyber-fortify the European EPES infrastructure by enabling and coordinating advanced, adaptive, and cooperative detection of large scale, cyber-human security and privacy incidents and attacks.
Using coordinate European EPES cyber incident discovery, response and recovery and Incidents’ Information Sharing platform (I2SP) it acts at pan-European level as a decentralized, trusted-by-design near real-time cybersecurity information awareness platform, coordinating the information exchange among authorized EPES stakeholders, utilities, CSIRTs, ISACs, CERTs, NRAs, and the strategic NIS cooperation group.
Author: Cătălin Săcalian – Cyber Security Vulnerability Management SOC/CSIRT – Delgaz Grid