ICS Vulnerability Management Explained: Risks, Realities, and Best Practices

Weekly, if not daily, the Cybersecurity and Infrastructure Security Agency (CISA) releases a new ICS Advisory, notifications of vulnerabilities impacting Industrial Control Systems (ICS). From hacktivists shifting their methodologies to cyber espionage groups, threat actors increasingly target critical infrastructure. In a recent hearing, experts noted that cyber espionage efforts by state-sponsored groups continue to threaten critical infrastructure, yet most organizations continue to rely on damage control strategies rather than implementing proactive security programs.
While not all ICS falls under the umbrella of critical infrastructure, these technologies are almost universally incorporated into these highly targeted industries and the organizations across their supply chain. Problematically, ICS environments were traditionally protected by isolating them within networks that had limited external connectivity. Today, those protections are no longer practical as operational technology (OT) environments require connectivity across internal networks and access to the public internet.
Securing modern ICS environments is both more critical and more difficult than ever. As IT and OT environments converge, organizations need to understand ICS vulnerabilities while navigating challenges like asset visibility gaps and the constraints of traditional vulnerability scanners.
What Are ICS Vulnerabilities?
Industrial Control System (ICS) vulnerabilities are security weaknesses across the hardware, software, and networks that monitor and control industrial processes, like manufacturing, energy, and water treatment. These vulnerabilities can arise from various issues, including:
- Outdated systems that lack modern security features.
- Insecure protocols that were designed before cybersecurity was a concern.
- Misconfigurations in devices, networks, or access controls.
- Software and firmware flaws, like insecure code or unpatched vulnerabilities.
Attackers can use these vulnerabilities to disrupt physical operations and damage equipment. Further, as people often engage in hands-on interactions in OT environments, an attack can cause physical harm.
Why Does ICS Vulnerability Management Matter?
With modern industrial systems connecting to the internet, effective ICS vulnerability management is critical to reduce environmental damage, economic loss, and national security risks. Addressing ICS vulnerabilities enables organizations to:
- Prevent downtime: A single exploit can halt production and cost millions in lost output.
- Protect safety: Vulnerabilities can be exploited to cause accidents that injure people or damage the environment.
- Avoid physical damage: Cyberattacks can destroy expensive equipment that can’t be replaced quickly.
- Defend against nation-state threats: ICS is a prime target for geopolitical sabotage and critical infrastructure disruption.
- Maintain compliance: Many industries have regulations that require proactive vulnerability management.
- Preserve reputation: A public ICS breach erodes trust with customers, investors, and regulators.
- Limit attack surface: Regular management removes easy entry points before attackers find them.
- Ensure business continuity: Keeps critical operations running even in the face of cyber threats.
What Is the Difference Between IT and ICS Vulnerability Management?
IT and OT vulnerability management have different priorities and challenges impacting organizations’ ability to identify and manage security weaknesses. These differences fall into the following categories:
- Core assets: While IT environments incorporate traditional assets like servers, workstations, databases, enterprise applications, and networking gear, ICS environments include programmable logic controllers (PLCs), remote terminal units (RTUs), SCADA systems, sensors, actuators, and human-machine interfaces (HMIs).
- Security priorities: While IT systems emphasize data confidentiality, OT systems prioritize physical safety, system reliability, and operational continuity.
- Processes: While IT vulnerability management focuses on regular patching, OT vulnerability management requires tailored approaches to prevent operational disruption.
- Connectivity and Protocols: While IT environments use standard protocols designed with security in mind, ICS systems use specialized industrial protocols that lack encryption and authentication.
Why Do Organizations Struggle to Manage ICS Vulnerabilities?
Managing ICS vulnerabilities presents unique challenges because traditional IT tools and monitoring conflict with the operational and connectivity requirements of these environments.
Lack of Asset Visibility
ICS and OT assets often rely on proprietary protocols that traditional vulnerability scanners are unable to interpret. When IT asset and vulnerability management tools scan networks, they review the network traffic for specific indicators related to known device types. However, because they may not recognize the protocols used by ICS devices, those devices can be missing from the resulting inventory.
Inability to Prioritize Vulnerabilities
Conventional vulnerability risk scoring approaches, like the Common Vulnerability Scoring System (CVSS), reflect risks arising in IT environments without considering the unique issues associated with OT environments, including:
- Device design
- OT network environments
- Vulnerability’s impact on device performance
- Impact of patching on human safety
Ultimately, by not accounting for the unique issues around ICS systems, these scoring rubrics become more of a burden than a benefit.
Operational Risks from Standard Vulnerability Scanners
Traditional IT vulnerability scanners can disrupt operations since the ICS systems are unequipped to handle the probing common in active scanners. Some examples of potential issues include:
- Device sensitivity: ICS devices can crash if they receive unexpected network traffic.
- Unintended state changes: Scanners that send test commands can inadvertently change configurations because the protocols lack authentication.
- Legacy systems: Older systems may run unsupported operating system (OS) versions, which can lead to false positives when the organization has compensating controls in place.
- Process impact: Scanners can consume bandwidth on the ICS network, delaying legitimate traffic in time-critical operations.
Best Practices for ICS Vulnerability Management
As threat actors increasingly target ICS systems, organizations need to build proactive vulnerability management programs that focus on maintaining operations. As part of these initiatives, they should consider solutions that respond to the unique challenges ICS systems have. The following best practices can help guide organizations as they mature their ICS vulnerability management processes.
Implement a Passive Scanning Solution
Passive scanning technologies enable organizations to identify all OT devices and technologies while limiting operational impact. When looking for a solution, organizations should consider its ability to build accurate device profiles that include:
- Operating system
- IP address
- MAC address
- Port numbers
- Hostname
- Version number
Further, the solution should allow organizations to identify security weaknesses while correlating across various data points, including:
- Devices containing vulnerabilities.
- Threat actors’ ability to use the insecure devices in an attack.
- The impact that an attack on those devices would have on operations and human safety.
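The device-profile fields and the "no operational impact" requirement above can be shown concretely with a passive inventory builder. The following is an added example, not the article's or any vendor's code: it consumes flow records that a SPAN/TAP sensor would already have captured and never transmits a packet. The flow records, the OT address prefix (10.10.), the documentation-range external address (203.0.113.9) and the rule that a host accepting connections on a well-known industrial port is a controller are all constructed assumptions.

```python
"""Passive OT asset inventory built from already-observed traffic (added example)."""
from dataclasses import dataclass, field

# Assumption: a host that accepts connections on one of these well-known
# industrial ports is treated as an OT endpoint speaking that protocol.
OT_PORT_SIGNATURES = {
    502: "Modbus/TCP",
    102: "S7comm",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}


@dataclass
class DeviceProfile:
    ip: str
    mac: str
    hostname: str = ""
    os_guess: str = ""
    version: str = ""
    listening_ports: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    talks_to_external: bool = False  # seen exchanging traffic with a non-OT address

    @property
    def role(self):
        """Controller if it serves an industrial protocol, otherwise a client (HMI, engineering host)."""
        return "controller" if self.protocols else "client"


def build_inventory(flows, ot_prefix="10.10."):
    """Aggregate passively observed flows into per-device profiles, one per internal host.

    Each flow is a dict with src_ip, src_mac, dst_ip, dst_mac and dst_port, plus optional
    attributes (hostname, version, os_guess) that the sensor learned about the *responder*
    from DHCP/DNS or an identification reply it saw on the wire. Nothing is sent.
    """
    devices = {}

    def profile(ip, mac):
        return devices.setdefault(ip, DeviceProfile(ip=ip, mac=mac))

    for f in flows:
        src_internal = f["src_ip"].startswith(ot_prefix)
        dst_internal = f["dst_ip"].startswith(ot_prefix)
        if src_internal:
            src = profile(f["src_ip"], f["src_mac"])
            src.talks_to_external |= not dst_internal
        if dst_internal:
            dst = profile(f["dst_ip"], f["dst_mac"])
            dst.talks_to_external |= not src_internal
            dst.listening_ports.add(f["dst_port"])
            proto = OT_PORT_SIGNATURES.get(f["dst_port"])
            if proto:
                dst.protocols.add(proto)
            for key in ("hostname", "version", "os_guess"):
                if f.get(key):
                    setattr(dst, key, f[key])
    return devices


def externally_exposed(devices):
    """IPs of internal devices that were seen talking to addresses outside the OT range."""
    return sorted(ip for ip, d in devices.items() if d.talks_to_external)


# Constructed sample flows: an HMI polling two controllers, an engineering
# workstation reaching the first controller, and an external host reaching the HMI.
SAMPLE_FLOWS = [
    {"src_ip": "10.10.1.5", "src_mac": "aa:aa:aa:00:00:05", "dst_ip": "10.10.1.20",
     "dst_mac": "bb:bb:bb:00:00:20", "dst_port": 502, "hostname": "plc-line1", "version": "fw 2.41"},
    {"src_ip": "10.10.1.5", "src_mac": "aa:aa:aa:00:00:05", "dst_ip": "10.10.1.21",
     "dst_mac": "bb:bb:bb:00:00:21", "dst_port": 20000},
    {"src_ip": "10.10.1.7", "src_mac": "aa:aa:aa:00:00:07", "dst_ip": "10.10.1.20",
     "dst_mac": "bb:bb:bb:00:00:20", "dst_port": 102},
    {"src_ip": "203.0.113.9", "src_mac": "cc:cc:cc:00:00:01", "dst_ip": "10.10.1.5",
     "dst_mac": "aa:aa:aa:00:00:05", "dst_port": 3389, "os_guess": "Windows 7"},
]

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FLOWS)
    for ip, dev in sorted(inventory.items()):
        print(ip, dev.role, sorted(dev.protocols), dev.hostname, dev.version, dev.os_guess)
    print("externally exposed:", externally_exposed(inventory))
```

The external host gets no profile of its own (it is not an asset to manage), but the internal HMI it reached is flagged, which is the kind of correlation the "threat actors' ability to use the insecure devices" bullet asks for.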
Incorporate Threat Intelligence for Prioritizing Remediation Actions
To manage the high volume of ICS system vulnerabilities, organizations should incorporate meaningful threat intelligence focused on the devices connected to their networks. To identify the highest risk vulnerabilities, organizations should consider solutions that allow them to prioritize actions by aggregating and analyzing:
- Manufacturer-supplied security data
- Open-source software components
- Vulnerability criticality
- Current attack methods that exploit the vulnerability
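The criticism of CVSS in the "Inability to Prioritize Vulnerabilities" section and the prioritization inputs listed above can be combined into a small OT-aware scoring routine. This is an added example, not the article's or any vendor's method; the multipliers, the vulnerability ids (VULN-0001 and so on) and the findings are constructed placeholders chosen to show how the ranking changes once safety impact, reachability, compensating controls and active exploitation are taken into account.

```python
"""OT-aware vulnerability prioritization (added example; weights are constructed)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    device: str
    vuln_id: str                # constructed placeholder, not a real CVE
    cvss_base: float
    safety_impact: str          # "none", "process" (downtime/scrap) or "human"
    actively_exploited: bool    # reported as exploited in threat intelligence
    reachable_from_it: bool     # reachable from the IT network or outside its cell
    compensating_control: bool  # e.g. an allow-list firewall already in front of it
    patch_needs_outage: bool
    blockable_port: Optional[int]  # port a segment firewall could close instead of patching


# Assumption: safety consequences scale the technical score rather than replace it.
SAFETY_MULTIPLIER = {"none": 1.0, "process": 1.25, "human": 1.5}


def ot_priority(f):
    """CVSS base score adjusted for the OT context CVSS itself does not capture."""
    score = f.cvss_base * SAFETY_MULTIPLIER[f.safety_impact]
    if f.actively_exploited:
        score += 2.0
    if not f.reachable_from_it:
        score *= 0.5   # isolated inside its cell: far harder to reach
    if f.compensating_control:
        score *= 0.8   # existing control lowers, but does not remove, the risk
    return score


def recommend(f):
    """Pick the least-disruptive remediation, as the segmentation section argues."""
    if f.blockable_port is not None and (f.patch_needs_outage or f.cvss_base < 7.0):
        return f"block tcp/{f.blockable_port} at the segment boundary; defer patch to a maintenance window"
    if f.patch_needs_outage:
        return "schedule patch in the next maintenance window"
    return "patch now"


def prioritize(findings):
    """Highest OT-adjusted priority first."""
    return sorted(findings, key=ot_priority, reverse=True)


# Constructed findings: by raw CVSS the HMI would come first; in OT context the PLC does.
SAMPLE_FINDINGS = [
    Finding("plc-line1", "VULN-0001", 7.5, "human", True, True, False, True, 502),
    Finding("hmi-1", "VULN-0002", 9.8, "none", False, True, True, False, None),
    Finding("rtu-7", "VULN-0003", 8.1, "process", False, False, False, True, 20000),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.device:10} {f.vuln_id} cvss={f.cvss_base} ot={ot_priority(f):.2f} -> {recommend(f)}")
```

The PLC finding has a lower CVSS base score than the HMI finding, yet it ranks first because it can injure people and is already being exploited; the RTU drops to the bottom because it is not reachable from the IT network, and its recommended action is a port block rather than an outage-causing patch.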
Implement Targeted Segmentation
Targeted segmentation is a network segmentation technique that groups devices based on their potential attack vectors. For example, by using the MITRE ATT&CK framework as a base, organizations can place devices that share an exploit vector on the same network segment, then implement appropriate mitigation techniques mapped to attacker tactics, techniques, and procedures (TTPs).
When looking for a solution to help implement targeted segmentation, organizations should consider its ability to:
- Analyze and understand all OT devices, including their configurations, connectivity, and neighbors.
- Identify potential attack vectors related to the different devices.
- Identify the simplest remediation option.
For example, patching an OT device may not be the simplest or most viable vulnerability remediation activity. The risk mitigation strategy that provides the most security with the least effort might simply be blocking port access across all devices impacted by a specific vulnerability.
Implement Secure Configurations and Monitor for Drift
Implementing a known good configuration for devices in the ICS system enables organizations to mitigate security risks. A well-planned configuration strategy reduces manual tasks and operational costs while limiting potentially malicious access to the devices. Some considerations for implementing these controls include:
- Implementing robust authentication, like changing default credentials or allowing for multi-factor authentication (MFA).
- Configuring a secure boot function.
- Pushing out over-the-air (OTA) firmware updates.
- Recommending device service and network connectivity settings to limit communications.
However, since devices in an ICS system can easily drift from this known good configuration, organizations should consider solutions that help maintain compliance, even when installing security patches or updating a firmware version leads to drift.
When looking for a configuration management automation solution, organizations should consider whether it enables them to:
- Set configuration variances that trigger alerts.
- Document when and how a configuration changed.
- Classify configurations into risk-based categories that reduce alert fatigue.
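The three capabilities just listed (alert on variances, record when and how a setting changed, and classify variances by risk) can be demonstrated against a known-good baseline. The following is an added example, not the article's or any vendor's tooling; the device settings, their risk classes and the sample values are constructed. It also handles the case raised above, where a planned firmware update legitimately moves the device away from its baseline: changes on an approved list are recorded but not alerted on, and the baseline is then updated to the new expected state.

```python
"""Configuration baseline and drift detection with risk-classified alerts (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: each setting has a risk class that decides whether a variance is an
# alert or merely a log entry; unknown settings default to medium.
SETTING_RISK = {
    "default_credentials_changed": "high",
    "secure_boot": "high",
    "enabled_services": "high",
    "firmware_version": "medium",
    "allowed_peers": "medium",
    "ntp_server": "low",
}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class DriftEvent:
    device: str
    setting: str
    baseline: object
    observed: object
    risk: str        # high, medium, low, or "approved" for a planned change
    seen_at: str     # when the variance was observed (the "when" of the audit trail)


def detect_drift(device, baseline, observed, approved_changes=None, now=None):
    """Return one DriftEvent per setting whose observed value differs from the baseline.

    approved_changes maps setting -> expected new value (for example a scheduled
    firmware upgrade). A variance that matches it is recorded as "approved".
    """
    approved_changes = approved_changes or {}
    seen_at = (now or datetime.now(timezone.utc)).isoformat()
    events = []
    for setting, expected in baseline.items():
        actual = observed.get(setting)
        if actual == expected:
            continue
        if approved_changes.get(setting) == actual:
            risk = "approved"
        else:
            risk = SETTING_RISK.get(setting, "medium")
        events.append(DriftEvent(device, setting, expected, actual, risk, seen_at))
    return events


def alerts(events, min_risk="medium"):
    """Only variances at or above min_risk page anyone; approved and low-risk ones are logged."""
    return [e for e in events if e.risk in RISK_ORDER and RISK_ORDER[e.risk] >= RISK_ORDER[min_risk]]


def apply_approved(baseline, events):
    """New baseline that adopts approved changes so they stop showing up as drift."""
    updated = dict(baseline)
    for e in events:
        if e.risk == "approved":
            updated[e.setting] = e.observed
    return updated


# Constructed known-good baseline for one controller and a later observed snapshot.
BASELINE = {
    "default_credentials_changed": True,
    "secure_boot": True,
    "enabled_services": frozenset({"modbus"}),
    "firmware_version": "2.41",
    "allowed_peers": frozenset({"10.10.1.5"}),
    "ntp_server": "10.10.0.1",
}
OBSERVED = {
    "default_credentials_changed": True,
    "secure_boot": True,
    "enabled_services": frozenset({"modbus", "telnet"}),   # unexpected service enabled
    "firmware_version": "2.42",                            # planned upgrade
    "allowed_peers": frozenset({"10.10.1.5"}),
    "ntp_server": "10.10.0.2",                             # low-risk change
}
APPROVED = {"firmware_version": "2.42"}

if __name__ == "__main__":
    events = detect_drift("plc-line1", BASELINE, OBSERVED, APPROVED)
    for e in events:
        print(f"{e.seen_at} {e.device} {e.setting}: {e.baseline!r} -> {e.observed!r} [{e.risk}]")
    print("alerting on:", [e.setting for e in alerts(events)])
```

Of the three variances, only the newly enabled telnet service raises an alert; the firmware change is recorded as approved and folded into the next baseline, and the NTP change is logged without paging anyone, which is how the risk classes keep alert volume down.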
Asimily: Automating ICS Vulnerability Management
Cyber threats against OT will continue to evolve, especially as organizations continue to deploy more devices within their environments.
Asimily is a trusted technology partner for securing industrial operations. Our comprehensive platform is designed to meet the unique needs of OT security, such as continuous flow processes and uncommon device protocols. With Asimily, you get targeted protection and continuous, safe monitoring of your entire environment. Asimily’s inventory and vulnerability detection capabilities are built to monitor traffic to and from OT equipment and proactively identify issues.
Interested in learning more? Check out our platform overview.
Reduce Vulnerabilities 10x Faster with Half the Resources
Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.