{"id":1811,"date":"2024-11-05T09:21:19","date_gmt":"2024-11-05T09:21:19","guid":{"rendered":"https:\/\/inprotech.es\/?p=1811"},"modified":"2025-02-17T10:28:41","modified_gmt":"2025-02-17T10:28:41","slug":"vulnerability-scanner-in-ot-networks","status":"publish","type":"post","link":"https:\/\/inprotech.es\/en\/vulnerability-scanner-in-ot-networks\/","title":{"rendered":"Vulnerability scanner in OT networks"},"content":{"rendered":"

A vulnerability scanner is a piece of software whose role is to make an inventory of assets within a network, and to carry out more or less automated probes within these to detect vulnerable applications, resources or systems. It is, therefore, a non- negotiable part of the secure software development life cycle (SDLC)<\/span>a<\/span>. An authoritative definition of vulnerability, in the context of software development, is that given by the American National Institute of Standards and Technology, NIST:<\/span><\/p>\n

\u00abA weakness in the computational logic (for example, in the code itself) of software and hardware components that, if exploited, would lead to a negative impact on confidentiality, integrity or availability. Mitigation of vulnerabilities in this context typically involves code reviews, but also changes in specifications or discontinuities (such as the withdrawal of entire protocols or functionalities)\u00bb<\/span><\/i>b<\/span><\/i>.<\/span><\/i><\/p>\n\n

Software development is a strongly community-oriented enterprise: much of the code written is produced with a public service vocation, and contains or uses code written by others. It is therefore desirable to maintain a publicly accessible, professionally curated list of all detected vulnerabilities, a task undertaken by the US in its role as the technological power of the 20th century. In 1999, MITRE, a non-profit corporation funded by several federal research and development centers, inaugurated the CVE (Common Vulnerabilities and Exposures) List. CVEs follow a naming<\/span><\/p>\n

system to uniquely identify a given vulnerability, which has the form CVE- 2022-001122. They also have a standardized publication system, or life cycle, that goes from the discovery of the vulnerability by a user to its publication on the list<\/span>c<\/span>. Years later, in 2005, NIST launched the NVD (National Vulnerability Database) with the idea of enriching the CVE List with additional information such as a numerical score of the vulnerability risk or the availability of patches. This standardization of vulnerabilities helps to promote the use of scanners, as it establishes a common language and confidence in the process.<\/span><\/p>\n

Both IT (Information Technology) and OT (Operational Technology) networks, where industrial networks would be found, need acceptable security standards to maintain their long-term operability, but their different nature means that the tools appropriate for one are not appropriate for the other. In addition to the fact that the protocols used in internal communications are usually different, the priorities to be maintained are very different in both cases: in industrial environments it is essential to maintain the continuity of production and any interruption in communications or availability of any node in the network can cause global shutdowns. This means that scans have to be carried out with much more care than in an IT network, where occasional downtime is accepted as normal.<\/span><\/p>\n

Given the importance of having a specific vulnerability management tool in the context of OT networks, at InprOTech we have developed tools to conveniently equip our InprOTech Guardian monitoring solution.<\/span><\/p>\n

InprOTech Guardiand is a cybersecurity tool designed and developed for industrial networks. Its main function is to monitor the traffic generated by the factory\u00a0 and\u00a0 analyse\u00a0 it\u00a0 based\u00a0 on\u00a0 a <\/span>combination of static, community and AI-powered rules, from which alerts can be deployed directly to plant managers and\/or operators and thus cut off any attack or malfunction that may be occurring. In addition to these main capabilities, InprOTech Guardian also offers its own vulnerability scanner, which allows them to be detected, visualised and managed in a comprehensive manner.<\/span><\/p>\n

\"\"<\/p>\n

<\/h2>\n

Development<\/b><\/h2>\n

A vulnerability scanner should be able, in general terms, to (1) obtain a list of the assets in the network, (2) detect vulnerabilities in them, (3) classify them and provide relevant information about them, (4) generate reports and statistics, and (5) manage these vulnerabilities. Below, we discuss these points in more detail, focusing on our approach:<\/span><\/p>\n

    \n
  1. Scanning assets in the network: <\/b>lists the devices present in an environment. This is one of the core functionalities of InprOTech Guardian, which allows obtaining an enriched inventory of the nodes present in the network in real time. In addition, administrators and operators can mark some devices based on their criticality for the operation of the network (critical devices will not be scanned to <\/span>avoid possible interruptions or alterations).<\/li>\n
  2. Vulnerability detection: <\/b>obtains information about the open services and ports, operating systems, firmware, installed on said non-critical assets. Using CPE (Common Platform Enumeration) tags, another standard that identifies software products plus their version, it obtains information on existing vulnerabilities from public databases such as NVD.<\/span><\/li>\n
  3. Classification and intelligence: <\/b>enriches the previous search with extra information that allows you to classify vulnerabilities by severity, a summary that explains the nature of the vulnerability in a few lines, and links to further investigate possible mitigations.<\/span><\/li>\n
  4. Generation of reports and statistics: <\/b>transfers all this data to a format that is easy for a human to read and process. Specifically, a list in csv format with the list of vulnerabilities and their most important properties, and in the application itself, general statistics (scan coverage, number of vulnerabilities by severity and general risk levels…), as well as those focused on the devices.<\/span><\/li>\n
  5. Vulnerability management: <\/b>the user can manage the status of the different vulnerabilities: active, resolved, silenced or false positive. In<\/span>addition, in the short term we will provide InprOTech Guardian with the ability to, using the valuable information provided by the vulnerability scanner, communicate with the network firewall to report the need to block certain connections in the event that a critical risk is detected.<\/li>\n<\/ol>\n

     <\/p>\n

    There are very mature solutions on the market that also offer these services from the great dominators in the field of cybersecurity, such as Nessus, Tenable’s OT scanner, or OpenVAS, from Greenbone. These two options dominate a large part of the market, but they are more focused on clients with sufficient size to have dedicated teams, capable of handling these very powerful but also complex tools with ease.<\/p>\n

    InprOTech Guardian offers the possibility of integrating the results of an external vulnerability scanner, for the moment with compatibility with Nessus and OpenVAS.<\/p>\n

    <\/h2>\n

    Benefits<\/b><\/h2>\n

    Although they have been discussed more or less extensively throughout this article, let us highlight the strengths of InprOTech Guardian’s Smart View as a vulnerability scanner:<\/span><\/p>\n