Blog

“You Mean I have to Do My Assessment Again?” No one wants to be asked that question, but it is one being increasingly asked more often today. Many companies have completed vulnerability assessments of their process control environments, and some action taken. But as the industry continues to become more aware, and standards efforts such as ISA-99, NERC CIP, and NIST 800-53 take hold in industry, many are again scratching their heads to understand if they uncovered enough of the cyber risks to the organization.

“Turn off all these unauthorized ports, patch your systems, put virus protection on everything.” “Let’s close down this OPC stuff through the firewall…we don’t even know what that is!” “Our problems are all physical in nature and we don’t have an external cyber security threat” These are but a few of the statements you may have heard, and then thought, “Are we SURE we aren’t missing something?”

The tools exist today to verify the technical disposition of industrial components, but this functionality doesn’t come from IT and doesn’t come from commonly available tools. Sure tools such as Nessus, nmap, xprobe, amap, p0f, and others are very useful, but their usefulness is limited in analyzing industrial components on Ethernet. Utilizing tools such as Achilles, that have the distinct advantage of not only being able to test the controller itself but also the I/O that connects to a controller, vendors and asset owners no longer have to guess what the failure modes are, they can now see it clearly.

Wurldtech has numerous examples where previous assessments have been conducted and the results are questionable. Some companies have completely re-done their assessments multiple times, still hoping to gain meaningful insight. This move is questionable, as there usually isn’t anything wrong with previous assessments, they just may not contain enough visibility into the industrial components.

The good news is that the tool to KNOW these problems are now available to the public and can be incorporated as part of any evaluations. The good news is that you do not have to completely redo your assessment; it is entirely possible to commission targeted studies to fill in any remaining gaps.