Cyber Vulnerability Assessment: What a Cyber Security Engineer looks for

Cyber Vulnerability Assessments give industry the opportunity to know where they may have weaknesses in their system.

Engineers who design solutions try to look at things with many lenses such as safety, but security is now another aspect that should be considered more than it used to be.

As someone who has made these assessments in the critical infrastructure space it has been interesting to take this birds-eye look at systems and considering the unique problems being faced in OT (Operational Technology) environments.

In this episode I look at a few of the major steps involved and as I go through them give ideas on what I could be looking for. Of course this is a more generic set of ideas and it will be more specific depending on each given site, but it is a good idea to be aware and think of how it can apply in your own environments.

I break it down to 3 main steps to answer:

1. Physical look and check of current state

What does it take to physically access equipment? Network equipment, computer systems and controllers. Interviews of different types of staff and analysis of existing documentation.

2. Vulnerability Scanning

A slightly more invasive look where we connect to the system and run scanners, check some network basics, system versions, access etc.

3. Digesting of information

Breaking down what's been learned, interview answers, physically seen and results of the scans.

The purpose of summarizing the steps in this manner is to help break down the process to be easy to digest. For completeness, if running this as a project you would have additional steps prior and after to what is highlighted above.

To guide these steps the NERC-CIP provides the framework necessary for undertaking the process. These are immensely more detailed and explains why these are not cheap and quick exercises.

Before looking at some key things I'll add that the extreme care and domain expertise is needed when performing in an OT environment. I've written before on the differences between an IT environment and OT environment but it is important to note that invasive checks on any running plant is potentially harmful and may be dangerous.

What might a Cyber Security Engineer find when performing a Cyber Vulnerability Assessment?

1. Missing patches

Patches are simple fix but there are always things out of date.

2. Rogue network devices

You can sometimes find rogue network devices that were previously undiscovered or they were a "temporary" device for a special circumstance but they were never decommissioned.

3. Lack of awareness

Getting eyes on the situation is important. Sometimes the security can be decent but there can be improvements in additional logging.

4. Inconsistent configuration

Variance in configuration between similar devices means a breakdown somewhere. Either in defining, the implementation or change management.

5. Secret WiFi

It is easy enough for someone to connect a small 3G or 4G mobile modem to provide a connection for the purposes of remote maintenance and support. Or it maybe an extension of a network to reach somewhere that would require significant cabling. This extension could be accessed in more places than expected.

6. Only the security person cares about security

It is not always evident that there is a culture that embraces security in places and in some cases there's a negative view on it.

That's just a few takeaways one might find but there are definitely plenty others and in different circumstances you get a change in what comes up. But there is a pattern. The first is it starts from the top. Without buy in from the top nothing really, really happens. So this needs to happen.

Sometimes if you can satisfy a requirement and request a CVA the outcome is a report. This report is sometimes used to build a business case that there are weaknesses in the system that need to be addressed.

There is an abundance of information now on cyber security and what you should and shouldn't be doing. And you might be wondering if you have secure systems in place and maybe you do or maybe you don't but what I would say is not to get caught up on arbitrary measurements.

Just because you haven't been attacked doesn't mean your security is good. And just because you don't believe you are a target it doesn't mean you should leave things to chance.

Control what you can control.

To do this step one is to understand where you are, clarify what are the weaknesses in the first place and get buy in that if a system is mission critical that the company should at the very least consider it and become aware.

And a Cyber Vulnerability Assessment might just be what the doctor ordered.