OT-BASE includes various options for vulnerability management, the most important of which are explained in this article. Note that for the following discussion it is assumed that Asset Center is configured properly to automatically import vulnerability definitions and Microsoft patch data.
The CVE list
The CVE list lists known vulnerabilities for your installed base. You can limit the scope of the listing by expanding the scope pane and filtering for specific locations, device groups, networks etc.
By default, the table is sorted by CVE priority (Critical/High/Medium/Low) as the first sorting criterion and number of vulnerable devices as the second sorting criterion. You can re-sort the table by clicking on any column header.
The different columns have the following meaning:
- Priority: The priority of a CVE as assigned by a user (usually an analyst). By default, CVE priority is identical to its CVSS severity.
- Description: Start of the textual description of the CVE. For the full text, double-click on the entry to open the CVE profile.
- #Vulnerable: The number of vulnerable devices.
- #Affected: The number of affected devices. This includes devices for which the vulnerability is already mitigated.
- CVE ID: The identifier of the CVE with which it can also be found at NIST, MITRE, etc.
- Severity: The severity of the CVE as assigned by MITRE.
- BASE Score: The CVSS base score of the vulnerability.
- Published: The date when the CVE was published.
- Relevance: A user-defined value (yes or no) which indicates if the CVE is considered relevant or not for the organization. Relevance defaults to "Yes".
By default, the list includes vulnerabilities of all priorities. For practical purposes, especially when using the Attack Surface Map function (see below), you may want to limit CVE priorities to show only critical CVEs, or "critical" and "high". In order to do this you can use the multi selection in the drop-down for the Priority column.
After you have made your selection, click somewhere in the top grey area of the pane to close the drop-down and re-load the list.
Additional detail on a CVE can be obtained by a double click on any list entry, or by entering the CVE ID in the quick search field.
A vulerability profile has the following sections:
- General: CVSS data for the CVE, publication date etc.
- Description: The full textual description of the vulnerability
- Links: Hyperlinks to third party descriptions of the vulnerability
- Recommended remediation: Information on how the vulnerability should be mitigated. This information can come from user input. In the case of CVEs affecting Microsoft products, the appropriate security patches are inserted automatically. Klicking on a patch ID launches the Microsoft Kowledge Base entry for the patch.
- Vulnerable devices: A list of vulnerable devices, along with an indication of whether the vulnerability is already mitigated for the device or not. Unmitigated devices are highlighted in red.
Attack Surface Map
The attack surface map is a 3D visualization of your attack surface, visualizing CVEs in respect to CVSS base score, number of vulnerable devices, and device criticality. It allows an analyst to get a first, visual impression of which CVEs to focus on for risk reduction.
- The size of rectangles represents the number of vulnerable devices.
- The color of rectangles represents CVSS base score.
- Elevation (Z axis) represents compound device criticality (see below).
The map is activated by clicking the "Map" button in the CVE list. You can then zoom, tilt and pan the map by using the mouse. Certainly, tilting the map only makes sense if your data set includes criticality data for devices, as otherwise the map will be flat.
Pointing at a specific rectangle brings up a tooltip that shows some basic information on the vulnerability. Double click to launch the vulnerability profile for comprehensive details.
The Edit CVE dialog
Users -- usually analysts -- can modify and append CVE information by selecting a CVE and clicking the "Edit" button.
- In the "CVE" tab you can specify if the CVE as a whole is relevant for your organization or not. You can also assign a priority different from CVSS severity (which is used as a default). Computations and sorting algorithms in OT-BASE are always based on user assigned priority, not on CVSS severity.
- In the "Links" tab you can check links to third party information, as provided by NIST.
- In the "Recommended Remediation" tab you can specify mitigation procedures that you recommend to mitigate the vulnerability. These mitigations are not limited to applying patches or updating firmware; they may also include the application of network security controls etc. -- For Microsoft products, security patches recommended by the vendor will be listed automatically.
- In the "Files" tab you can attach files to the CVE that users will see in the vulnerability profile, and will also be able to download.
- In the "Affected Devices" tab you will see all devices affected by the vulnerability. You have the opportunity to specify that the vulnerability isn't relevant for specific devices, or that it is already mitigated. For Microsoft products, the mitigation flag will be set automatically if the presence of an appropriate patch is detected.
The Devices list
The devices list lists devices in respect to their vulnerability and cyber risk. It allows you to focus on your most vulnerable devices, rather than on the most severe and widespread vulnerabilities. You can limit the scope of the listing by expanding the scope pane and filtering for specific locations, device groups, networks etc.
By default, the table is sorted by risk score. Risk score is a product of cumulated CVSS scores and device criticality (see below). You can re-sort the table by clicking on any column header.
The different columns have the following meaning:
- Device ID: The device ID of the device.
- Name: The hostname of the device.
- Type: The hardware type of the device.
- Vendor: The hardware vendor of the device.
- Model: The hardware model.
- OS/Firmware: The operating system or firmware version running on the device.
- Description: The description of the device.
- Criticality: The criticality of the device (see below).
- #CVE: Number of CVEs for this device.
- VScore: The vulnerability score for this device, computed as the cumulation of CVSS base scores of the vulnerabilities of this device.
- RScore: The risk score for this device, computed as a product of vulnerability score and criticality index (see below).
Using device criticality qualifications
If your OT infrastructure is not totally atypical, you will never be able to patch all vulnerabilities. This given, a smart strategy is to prioritize mitigation efforts for "critical" devices. What is a critical device? Well, your engineers will most likely be able to tell. Usually, if a device has any of the following characteristics, it is considered critical:
- the device performs a safety function
- the device performs a security function (not limited to cyber security; think about physical security as well)
- the device is critical for business continuity (example: trunk switches/routers that will cause multiple processes to fail if not properly functioning, or automation devices controlling support systems that are required by multiple machines)
- the device assures product quality and, if not functioning properly, could cause compromised products to leave the factory.
There is no standard on how to qualify and assess criticality, so your organization may well have other or additional criticality categories. For this reason, OT-BASE allows you to express criticality as free text.
Note that you don't have to set criticality for every single device; whenever possible you will take advantage of the bulk edit feature. Device criticality can also be set via JSON import and via the REST API.
A criticality qualification in OT-BASE consists of a string value that expresses a cricitality dimension, such as safety, and an optional scalar (numeric) value that can be added following a colon. If no scalar value is provided, a value of 1 is used as a default. It is recommended to use 2 or probably even 3 as a maximum value. Higher values will have a dramatic effect on risk computations.
The "Safety" field for devices is not used for risk computation. It is intended to reflect any safety certifications that a device may have.
You can combine multiple cricitality dimensions where it makes sense. For example, a device that is critical both for a security function and for a business continuity function may be qualified by "SECURITY, BCONTINUITY". Just separate the different dimensions by commas. Scale values will be cumulated.
The vulnerability chart
In the Chart tab you find a chart that shows how vulnerabilities developed over a course of the last six months.
You can limit the scope in the scope selector that expands if you click on "Scope".
Note that usually you won't see dramatic changes because of the large number of vulnerabilities in OT. Expect to see a continuous slight increase in vulnerabilities, as new CVEs emerge constantly, and the number of vulnerabilities introduced by these CVEs usually outpace your patching capability.
Vulnerability analysis using OT-BASE Vantage
Note that there are additional functions available for vulnerability analysis in the OT-BASE Vantage dashboard that is documented elsewhere in this Help Center.