{"id":616,"date":"2022-09-21T08:26:30","date_gmt":"2022-09-21T08:26:30","guid":{"rendered":"https:\/\/inprotech.es\/?p=616"},"modified":"2025-02-17T10:48:37","modified_gmt":"2025-02-17T10:48:37","slug":"vulnerability-scanners-in-ot-networks","status":"publish","type":"post","link":"https:\/\/inprotech.es\/en\/vulnerability-scanners-in-ot-networks\/","title":{"rendered":"Vulnerability scanners in OT networks: a quick overview"},"content":{"rendered":"

The field of cybersecurity has a well deserved relevance into the operational design of any company or organization nowadays. While this is unanimously the case for Information Technology (IT) environments, the case is more complex when dealing with industrial settings, in what is called Operational Technology (OT). In this short overview, we illustrate this with a quick dive into the topic of vulnerability scanners in the context of OT networks.<\/span><\/p>\n\n

Introduction<\/span><\/h2>\n

It is clear now, with one fifth of the XXI century already in our backs, that cybersecurity has become a critical aspect of the everyday life of companies, governments, organizations, and even citizens. Cyberthreats are clearly on the rise, with 2021 seeing an increase of 68 percent in data breaches with respect to 2020[1], and malicious users now having even more vectors of attack with the ever-expanding digitalization that the world is still experiencing. Compromising private data or hijacking devices, to name a few examples, are major threats that can potentially target everyone and cause great harm in the form of economic loss or personal distress, but they pale in comparison with an attack aiming to halt the normal operation of a water treatment plant, or a power station. When we move up to the industrial plane, even a single successful attack could in fact destabilize societies.<\/span><\/p>\n

This worrisome realization goes in hand with the arrival of the Fourth Industrial Revolution, that is turning factories into networks of agents interconnected via the Internet Protocol (IP), also accessible from the outside for monitoring and control. This breaks the main protection of traditional industrial control systems (ICS) in two ways: isolation and the usage of proprietary control protocols[2]. In this regard, industrial plants are now vulnerable to the plethora of attacks known in IT environments, and oftentimes the typical solutions are not so easily implemented due to the more complex nature of OT networks.<\/span><\/p>\n

And the trend is, in fact, that cybercriminals are widening their focus to include OT targets. Since 2010, when the infamous and highly sophisticated <\/span>Stuxnet <\/span><\/i>worm infected an Iranian nuclear facility in Natanz, damaging the centrifuges and delaying the national nuclear program, the number of cyberattacks on OT systems are far from an extraordinary occurrence. In fact, according to the <\/span>2021 State of Operational Technology and Cybersecurity Report <\/span><\/i>by Fortinet, more than 6 out of 10 organizations experienced three or more intrusions in their systems in 2021, and only 7% reported none[3].<\/span><\/p>\n

\"\"
Image 1. Number of intrusions in the last three years as reported by OT managers. Data extracted from Ref. 3.<\/span><\/figcaption><\/figure>\n

 <\/p>\n

Vulnerability scanners<\/h2>\n

As we mentioned before, the methods applied to protect an OT environment are different from the ones designed for IT, which is somehow conflicting with the current path of OT\/IT integration driven by the Industrial Internet of Things (IIoT). Despite the endless possibilities that this technology enables (in terms of efficiency, security, and self-management), it is also undeniable that under this framework every OT element is a potential liability.<\/span><\/p>\n

Last 2019, the Cyber Independent Testing Lab (CITL)[4], a non-profit organization with <\/span>\u201dthe mission of advising software consumers through expert scientific inquiry into software safety\u201d<\/span><\/i>, presented a survey finding that more than 6,000 firmware versions from 18 vendors showed little to no improvement in security in the span of more than a decade (2003-2018)[5]. Moreover, there are several other ways in which OT\/IT integration might be problematic[6]: (i) lack of communication between IT and OT manufacturers and developers, (ii) large lifespan of OT systems, without proper security updates, (iii) most OT systems are required to function on a 24\/7 cycle, making it extremely cumbersome and\/or expensive to stop them in order to perform security updates.<\/span><\/p>\n

The strategy is, then, to use those security tools developed for IT systems but tailoring them so that they become useful (or, at least, not harmful) when given the task of looking at a modern ICS network. One of the main cybersecurity tools used in IT are vulnerability scanners, a set of computer programs designed to test systems against known weaknesses, such as those collected in the CVE list (<\/span>Common Vulnerabilities and Exposures<\/span><\/i>) by MITRE[7]. Roughly speaking, one can split these scanning techniques in two categories: passive or active, depending on the level of engagement between the scanner and the scanned device.<\/span><\/p>\n

Active Scanners<\/h3>\n

Active scanners are a staple in the IT-security toolkit, and some are routinely used in all kind of systems as SaaS (Software as a Service). Nmap, and its faster alternative Zmap, are two ubiquitous and open-source network scanner tools. Some other bulkier options with more options and functionalities are Nessus, OpenVAS (an open-source fork of Nessus), or Metasploit. In their core, they relay on sending packets and monitoring the response. The problem when applying them on OT elements, such as Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisiton (SCADA) systems, or Process Control Systems (PCSs), is that they can interact unexpectedly with the scanning packets, causing all sorts of malfunctioning behaviour, compromising the operation of the network and even the integrity of such devices. Some techniques consist on sending on purpose corrupted data to the devices, and while an IT network can easily recover from such an interference, that is not the case in an average OT facility. Moreover, many industrial protocols are very sensitive to latency and require precise synchronization, so just a simple network scan can be enough to disrupt the system. Some real-life examples drawn from Ref.8:<\/span><\/p>\n