With the increase in intelligent devices and networks, it is not possible to effectively manage and protect your OT environment without an automated asset management capability.
ProjectBinder's vulnerability assessment is designed to give you a foundational level of OT security by providing a detailed, actionable and visual overview of your OT environment.
The benefits of our vulnerability assessment can be broken down into 4 categories.
- Asset Management
- Threat Detection
- Vulnerability Management
- OT Security Consultancy
These benefits are described in detail in the following.
Threat detection provides automatic real-time monitoring of anomalies in your OT environment; ProjectBinder's experts will filter away false positives.
OT Security Consultancy
On-demand consultancy on OT security.
Malware scanning in a lab environment.
Asset Identification and Management
It is difficult to protect what you don't know you have. Therefore, asset identification in the OT environment is a great place to start your OT security efforts.
Identifying your assets will enable you to build an asset inventory that includes every sensor, valve, HMI, etc. within the production networks. The goal is 100% coverage of your assets, which is a necessity for full OT security in critical infrastructure.
By scanning your OT network we are able to identify all your assets, their configurations and the protocols they run. Even legacy devices are identified.
We can do this 'passively' or 'actively'.
Passive Scanning of the OT Environment
Passive scans are the gold standard of OT vulnerability assessments. This is due to the critical nature of the OT environment, which requires constant uptime.
When ProjectBinder scans the OT networks, we place vulnerability sensors at strategically important network locations to get full coverage of your OT environment.
These sensors listen to the network traffic, and based on this we are able to reverse-engineer the communication protocols in use (e.g. Modbus, PROFINET). From there we can identify all active network assets (PLCs, RTUs, HMIs, workstations and servers).
The identified assets are then validated against proprietary and public vulnerability databases. The result is given to you in an actionable report in a compliance-ready (NIST / IEC) format.
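To make the passive approach concrete, the following is an added example (not ProjectBinder's software) of how a sensor can build an asset inventory purely from observed Modbus/TCP traffic: it validates the MBAP header, assigns client/server roles from the direction of port 502 traffic, records unit ids and function codes, and lists which clients were seen issuing state-changing writes. The frames, addresses and the `mbap` builder are constructed for the example; a real sensor would feed decoded TCP payloads from a capture library.

```python
"""Passive Modbus/TCP asset discovery from observed frames.

Added example, not ProjectBinder's software. The frames below are constructed
in-line to stand in for what a passive sensor would see on a span port.
"""
import struct
from collections import defaultdict

MODBUS_PORT = 502
# Function codes that change device state; everything else seen here only reads.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


def mbap(transaction_id, unit_id, pdu):
    """Build a Modbus/TCP frame: MBAP header (tid, protocol 0, length, unit) + PDU.
    Used only to construct the sample capture below."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


# Constructed capture: (src_ip, src_port, dst_ip, dst_port, tcp_payload).
CAPTURE = [
    # HMI polls holding registers on a PLC, PLC answers
    ("10.0.1.10", 50321, "10.0.2.21", 502, mbap(1, 1, bytes([3, 0, 0, 0, 10]))),
    ("10.0.2.21", 502, "10.0.1.10", 50321, mbap(1, 1, bytes([3, 20]) + bytes(20))),
    # same HMI reads coils from a second PLC
    ("10.0.1.10", 50322, "10.0.2.22", 502, mbap(2, 1, bytes([1, 0, 0, 0, 8]))),
    ("10.0.2.22", 502, "10.0.1.10", 50322, mbap(2, 1, bytes([1, 1, 0xFF]))),
    # engineering workstation writes a register on the first PLC
    ("10.0.3.5", 40000, "10.0.2.21", 502, mbap(3, 1, bytes([16, 0, 10, 0, 1, 2, 0, 1]))),
    ("10.0.2.21", 502, "10.0.3.5", 40000, mbap(3, 1, bytes([16, 0, 10, 0, 1]))),
    # truncated payload on port 502: must be ignored, not mis-inventoried
    ("10.0.1.10", 50323, "10.0.2.21", 502, b"\x00\x04\x00\x01\x00"),
]


def parse_mbap(payload):
    """Return (unit_id, function_code, is_exception) or None if not a well-formed frame."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # protocol id must be 0 and the length field must cover unit id + PDU exactly
    if proto != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    return unit, fc & 0x7F, bool(fc & 0x80)


def build_inventory(frames):
    """Derive hosts, roles, Modbus unit ids, function codes and peers from traffic."""
    inv = defaultdict(lambda: {"roles": set(), "unit_ids": set(),
                               "functions": set(), "peers": set()})
    for src, sport, dst, dport, payload in frames:
        parsed = parse_mbap(payload)
        if parsed is None:
            continue
        unit, fc, _is_exc = parsed
        if dport == MODBUS_PORT:          # request: client -> server
            client, server = src, dst
        elif sport == MODBUS_PORT:        # response: server -> client
            client, server = dst, src
        else:
            continue
        inv[client]["roles"].add("modbus-client")
        inv[server]["roles"].add("modbus-server")
        inv[server]["unit_ids"].add(unit)
        inv[client]["peers"].add(server)
        inv[server]["peers"].add(client)
        if dport == MODBUS_PORT:          # record function codes from requests only
            inv[client]["functions"].add(fc)
            inv[server]["functions"].add(fc)
    # freeze to sorted lists so the inventory is reportable and comparable
    return {ip: {k: sorted(v) for k, v in info.items()} for ip, info in inv.items()}


def write_capable_clients(inventory):
    """Clients observed issuing state-changing function codes; a review list for the engineer."""
    return sorted(ip for ip, info in inventory.items()
                  if "modbus-client" in info["roles"]
                  and WRITE_FUNCTIONS & set(info["functions"]))


if __name__ == "__main__":
    inventory = build_inventory(CAPTURE)
    for ip, info in sorted(inventory.items()):
        print(ip, info)
    print("clients that wrote to devices:", write_capable_clients(inventory))
```

The length check in `parse_mbap` is what keeps the truncated frame out of the inventory; a sensor that trusted the port number alone would register a phantom device. Function codes are recorded from requests only, so a device's profile reflects what is asked of it, not what it echoes back.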
Active Queries of Network Assets
Passive scanning falls short in networks that communicate infrequently, since it is impossible to detect what is never transmitted on the network.
Therefore our vulnerability assessment includes the option of active querying to discover assets in the network. This is done using several approaches.
The approach starts with querying chosen sections of the network to discover assets that are connected but have not communicated yet. When assets have been found, we use native and proprietary protocols to get additional information about them, such as model, state, firmware version, configuration and more.
By using native and proprietary protocols we add no or minimal risk to the OT environment, because we use the vendor-approved methods, i.e. we communicate with the asset as the vendor designed it to communicate. We only query assets that have been validated to answer our query and validated to be queried at all.
Based on our scan of all the assets in your OT environment and their communication, we can provide you with extensive visibility of your operational technology.
Your OT networks will automatically be mapped and segmented into virtual zones of logical clusters. A virtual zone is a group of assets that communicate with each other under normal circumstances.
Having this virtual segmentation increases your options for managing your OT security.
The virtual zones help administrators understand how assets operate within the OT environment. They are therefore a great aid for designing and architecting logical or physical network segmentation.
If you choose to continue with ProjectBinder's permanent monitoring solution, we can implement a virtual segmentation scheme that highlights and prioritizes alerts arising from potentially malicious communication between the virtual segments of your network.
The alerts are automatically defined for each asset based on its placement in the virtual zones, which can also be changed manually.
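The zoning and alerting described above can be illustrated with a small added example (not ProjectBinder's monitoring product): zones are derived as connected components of the baseline communication graph, each new flow is then rated by whether it stays inside a zone, crosses zones, or involves an asset that was never inventoried, and an `overrides` map stands in for the manual placement change the text mentions. The asset names and baseline flows are constructed.

```python
"""Virtual zoning from a traffic baseline and zone-aware alert prioritisation.

Added example, not ProjectBinder's monitoring product. The baseline flows and
asset names are constructed; a real system would learn them from the sensors.
"""
from collections import defaultdict

# Constructed baseline: (src, dst) pairs seen during a learning period.
BASELINE = [
    ("hmi-1", "plc-a"), ("hmi-1", "plc-b"), ("hist-1", "hmi-1"),   # supervisory cluster
    ("eng-ws", "plc-c"), ("plc-c", "rtu-7"),                       # engineering cluster
]


def derive_zones(flows):
    """Zones = connected components of the baseline communication graph.
    Returns (zone_of: asset -> zone id, zones: list of sorted member lists)."""
    adj = defaultdict(set)
    for a, b in flows:
        adj[a].add(b)
        adj[b].add(a)
    zone_of, zones = {}, []
    for start in sorted(adj):          # sorted for deterministic zone numbering
        if start in zone_of:
            continue
        zone_id, members, stack = len(zones), set(), [start]
        while stack:
            node = stack.pop()
            if node in zone_of:
                continue
            zone_of[node] = zone_id
            members.add(node)
            stack.extend(adj[node])
        zones.append(sorted(members))
    return zone_of, zones


def classify_flow(src, dst, zone_of, overrides=None):
    """Alert level for a newly observed flow, given zone placement.
    `overrides` lets an administrator move an asset to a different zone by hand."""
    placement = {**zone_of, **(overrides or {})}
    if src not in placement or dst not in placement:
        return "high", "flow involves an asset not in the inventory"
    if placement[src] != placement[dst]:
        return "medium", f"cross-zone traffic {placement[src]} -> {placement[dst]}"
    return "low", "intra-zone traffic matching the baseline"


def triage(flows, zone_of, overrides=None):
    """Sort observed flows so the highest-priority alerts come first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    scored = [(src, dst, *classify_flow(src, dst, zone_of, overrides)) for src, dst in flows]
    return sorted(scored, key=lambda r: (rank[r[2]], r[0], r[1]))


if __name__ == "__main__":
    zone_of, zones = derive_zones(BASELINE)
    for i, members in enumerate(zones):
        print(f"zone {i}: {members}")
    observed = [("hmi-1", "plc-a"), ("hmi-1", "rtu-7"), ("laptop-x", "plc-a")]
    for row in triage(observed, zone_of):
        print(row)
    # manual override: the engineering workstation is put in its own zone 99,
    # so its previously "normal" traffic to plc-c now shows up as cross-zone
    print(classify_flow("eng-ws", "plc-c", zone_of, overrides={"eng-ws": 99}))
```

Connected components are the simplest zoning rule; a production tool would also weigh protocol, direction and frequency. The point of the override is that a zone model is a statement of intent as much as an observation: when an administrator decides a workstation should not be talking to a controller, moving it out of the zone turns that decision into an alert rule.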
Threat Detection
Several different approaches are used to detect threats in your OT networks, which together provide full-spectrum threat detection.
We scan for pattern changes, i.e. anomalous behaviour in your network communications. Information on your OT assets and their protocols is key to detecting anomalous behaviour, along with the knowledge of your virtual zones.
Sometimes attackers mimic your normal operational behaviour, which makes it difficult to detect their activity as anomalous. Therefore our analysis digs deeper to analyse specific OT operations, e.g. configuration download/upload.
We can identify previously known threats as well as techniques used by attackers by comparing your OT network traffic against databases of known indicators of compromise and known attack techniques.
It is also possible to set up custom rules to detect and identify specific events or communications.
Vulnerability Management
All assets found in the OT environment are compared to a database of insecure protocols, configurations and other vulnerabilities, as well as to the latest CVE data.
Based on this, you are given a prioritized list with actionable insights to improve your OT security.
Furthermore, you are given an analysis of the most likely scenarios an attacker could use to compromise your OT environment, along with recommendations.
This will help you identify, prioritize and fix vulnerabilities in an effective manner.
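As an added example of the matching and prioritisation step (not ProjectBinder's software), the block below compares a small inventory against advisory records and protocol weaknesses and orders the findings by severity. Vendors, products, firmware versions, the advisory records and their `EXAMPLE-` ids are all constructed placeholders, deliberately not real CVE numbers; the numeric version parsing is there because `"2.10.0"` sorts before `"2.4.1"` as a string, a classic source of false negatives in naive matching.

```python
"""Matching an OT asset inventory against a vulnerability database and
prioritising the findings.

Added example, not ProjectBinder's software. Vendors, models, firmware
versions and the advisory records are all constructed placeholders; the ids
are deliberately not real CVE numbers.
"""


def parse_version(text):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


# Constructed advisory records. `fixed_in` is the first non-vulnerable version.
VULN_DB = [
    {"id": "EXAMPLE-0001", "vendor": "acme", "product": "plc-9000",
     "fixed_in": "2.4.1", "cvss": 9.8, "summary": "unauthenticated firmware upload"},
    {"id": "EXAMPLE-0002", "vendor": "acme", "product": "plc-9000",
     "fixed_in": "2.10.0", "cvss": 5.3, "summary": "denial of service via malformed request"},
    {"id": "EXAMPLE-0003", "vendor": "beta", "product": "rtu-lite",
     "fixed_in": "1.2.0", "cvss": 7.5, "summary": "hard-coded maintenance credentials"},
]

# Protocol weaknesses reported independently of any advisory: (description, score bump).
INSECURE_PROTOCOLS = {
    "telnet": ("cleartext credentials", 2.0),
    "modbus": ("no authentication or integrity on writes", 1.0),
}

# Constructed inventory, the kind of record passive/active discovery produces.
ASSETS = [
    {"name": "plc-a", "vendor": "acme", "product": "plc-9000", "firmware": "2.3.7",
     "protocols": ["modbus", "telnet"]},
    {"name": "plc-b", "vendor": "acme", "product": "plc-9000", "firmware": "2.4.1",
     "protocols": ["modbus"]},
    {"name": "rtu-7", "vendor": "beta", "product": "rtu-lite", "firmware": "1.1.9",
     "protocols": ["modbus"]},
    {"name": "hmi-1", "vendor": "gamma", "product": "viewstation", "firmware": "5.0",
     "protocols": ["https"]},
]


def match_advisories(asset, db=VULN_DB):
    """Advisories whose product matches and whose fix is newer than the running firmware."""
    running = parse_version(asset["firmware"])
    return [rec for rec in db
            if rec["vendor"] == asset["vendor"] and rec["product"] == asset["product"]
            and running < parse_version(rec["fixed_in"])]


def assess(assets=ASSETS, db=VULN_DB):
    """Return findings per asset, highest priority first.
    Priority = worst CVSS among matches plus a bump for exposed insecure protocols, capped at 10."""
    report = []
    for asset in assets:
        matches = match_advisories(asset, db)
        protocol_issues = [(p, INSECURE_PROTOCOLS[p][0])
                           for p in asset["protocols"] if p in INSECURE_PROTOCOLS]
        score = max((m["cvss"] for m in matches), default=0.0)
        score += sum(INSECURE_PROTOCOLS[p][1] for p, _ in protocol_issues)
        report.append({"asset": asset["name"],
                       "priority": round(min(score, 10.0), 1),
                       "advisories": [m["id"] for m in matches],
                       "protocol_issues": protocol_issues})
    return sorted(report, key=lambda r: (-r["priority"], r["asset"]))


if __name__ == "__main__":
    for finding in assess():
        print(finding)
```

The scoring here is intentionally simple; what matters for the report is that the ordering is explainable, with each asset's priority traceable to a named advisory or protocol weakness.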
Vulnerability Assessment Models
ProjectBinder engineers can perform the vulnerability assessment in different ways. The methodology affects the price, timeline and result of the final assessment.
Off-site Vulnerability Assessment with PCAP Data
The off-site vulnerability assessment with PCAP data consists of an analysis of your network traffic, collected during a short time span, e.g. 1 hour.
We analyse your network traffic captured by you, the client, in the PCAP file format. Our network engineers guide your organization through the setup process remotely.
Advantages:
- Time efficient.
- Very fast feedback, because data is collected within a short time span.
- No administrative overhead, as the customer does the setup.
- You can test and experience ProjectBinder's methods and software.
Disadvantages:
- The quality of the captured data can be limited, giving limited results.
- Requires manual work from the client.
On-site Assessment in a Production Environment
In an on-site assessment within a production environment, we perform the vulnerability analysis on the live environment. Network sniffers are installed to collect data for e.g. 1 week or 1 month.
Advantages:
- Highest quality of data.
- Real vulnerabilities will be found (if present).
- Long-term installation, which provides more valuable data.
Disadvantages:
- Difficult to change equipment settings (changes need to go through a change process).
On-site Assessment in a Lab Environment
In an on-site assessment within a lab environment, we perform the vulnerability analysis on isolated live equipment.
Advantages:
- Easier to perform than within a live environment.
- Medium amount of administrative overhead.
- Possible to change equipment settings on the fly (manageable).
- Attack scenarios can be tested against the equipment.
Disadvantages:
- The limited amount of equipment in the lab environment gives limited test results.
Performing a vulnerability assessment in the OT environment requires planning, a definition of scope and a pre-execution phase to make sure that it is done correctly.
The specific setup depends on the type of vulnerability assessment.
Planning
Before starting the vulnerability assessment, it is important to plan it for your individual case. The rules and regulations for your specific sector need to be adhered to. Furthermore, the plan depends on the sites you run as well as the type of vulnerability assessment you choose.
- Exchange of NDAs.
- Agreement on the type of installation.
- Agreement on the schedule.
- Request for information.
- System and network layout analysis.
Scope
It is important to settle on which networks and devices are part of the assessment and installation, as both the end results and the cost of the installation depend on this.
- Which devices/networks are part of the scope?
- What results can be expected?
- What is considered a success?
Pre-execution
For the vulnerability assessment to be executed, we need to install hardware, which we ship to you if needed. We can also run the installation on-site, which, depending on the industry, could require mandatory on-site training or certifications.
- Packaging the requirements for the execution.
- Requesting changes.
Assessment
The assessment phase includes the setup, test and execution of the vulnerability assessment.
- Setup of the scan environment.
- Limited functionality test.
- Full test (days or weeks).
Findings
You get a full overview of the findings of the vulnerability assessment. It is hands-on and actionable.
- Vulnerabilities discovered, with CVE reference and score.
- Detailed network layout and potential security gaps.
- A list of systems and devices found vulnerable.
- Detailed mitigation steps.