Authenticated vulnerability scanning in OT environment

Written by PHOENIX project on 25. 06. 2022.

Most technical people and researchers are saying that implementing vulnerability scanning in an Operational Technology environment is not a feasible thing due to specific equipment limitations. So, what can be done to identify open vulnerabilities?

This is a real fact because a large part of the energy distribution network is using PLCs and other assets connected via ethernet which could become unstable or worst completely freeze when they are scanned for open ports or OS discovery.

On the other hand, without having a clear picture of the landscape and exiting open gaps due exposed vulnerabilities could create a perfect entry gate for medium skilled attackers who can easily exploit some of them and gain access to critical control equipment.

So, what can be done to identify open vulnerabilities?

The first thing is to find a way to perform a proper discovery scan to identify any connected devices. This can be accomplished using two different approaches, depending on technical possibilities:

The first option is to analyze network traffic using a RSPAN port.

This method of discovery is a safe option and has no impact on the production environment. The downside is that this approach may miss some assets which communicate rarely and the gathered information is also limited. The identifiable vulnerabilities only include basic categories like cleartext protocols, misconfigured assets and such.

The second option is to configure a very light and limited vulnerability scan profile.

The discovery scan profile should be configured to be as light as possible, throttling the number of packets sent to a maximum 1 packet per second. This also includes ICMP packets. The TCP scan packets should perform the full TCP handshake (3-way handshake) and TCP SYN scan only should be avoided. The scanned TCP port list should be small (no more than 2-4) and be performed only on management services like SSH, Telnet, HTTP, HTTPS to prevent asset lockup. UDP ports should not be scanned.

This method maybe still lockup or freeze devices and pilot tests in a testing environment is recommended to be performed.

The next phase, based on the gathered information from the initial discovery, is to perform a scan with a technique called “banner grabbing”. This can be used to retrieve the version of the management services running on the assets. This can be compared to vulnerability databases online to determine the existence of vulnerabilities.

Some scanners may allow authenticated scanning which could be performed on some assets. Due to the large numbers of manufacturers and embedded OS versions this may not prove that useful since OS information gathering integrations will be limited. This method will prove useful for IT assets used in the OT infrastructure.

For the purpose of authenticated scanning a central AAA system (Authentication, Authorization, Accounting) is recommended to be used like Active Directory or LDAP. The vulnerability scanning tool should use its own credentials with specific rights and auditing.

After performing the above steps, the scanned assets can be grouped in 3 categories:

Category 1 – assets allowing only RSPAN discovery scan (sensitive equipment)
Category 2 – assets allowing banner grabbing scans (most of the assets)
Category 3 – assets allowing authenticated scanning (most of the IT assets used in OT)

Upon conducting these scans, a clearer picture of the environment should be available and technical measures to close the discovered security gaps should become more obvious.

PHOENIX Project is developed exactly for this scope, to cyber-fortify the European EPES infrastructure by enabling and coordinating advanced, adaptive, and cooperative detection of large scale, cyber-human security and privacy incidents and attacks.

Using coordinate European EPES cyber incident discovery, response and recovery and Incidents’ Information Sharing platform (I2SP) it acts at pan-European level as a decentralized, trusted-by-design near real-time cybersecurity information awareness platform, coordinating the information exchange among authorized EPES stakeholders, utilities, CSIRTs, ISACs, CERTs, NRAs, and the strategic NIS cooperation group.

Sources:
Author: Cătălin Săcalian – Cyber Security Vulnerability Management SOC/CSIRT – Delgaz Grid

Cookie	Type	Duration	Description
__cfduid	1	1 month	The cookie is set by CloudFare. It is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
_wpfuuid	0	10 years	Contact form UUID (Universally Unique Identifier) cookie. It allows the plugin to connect entries by the same user and does not contain or represent any personal information or entry details.
cookielawinfo-checkbox-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
test_cookie	0	11 months
viewed_cookie_policy	0	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. It is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randomly generated number to identify unique visitors.
_gat_gtag_UA_152331303_1	1 minute	Google uses this cookie to distinguish users.
_gid	1 day	This cookie is installed by Google Analytics. It is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.

Authenticated vulnerability scanning in OT environment

Energy Shield

BRIDGE

Success

Defender

NRG-5

sofie-logo

Elsa

interflex

Intergrid

NobelGrid

PROMOTioN-Logo-RZ-RGB

logo_reserve_sRGB

wisegrid-logo