OT asset operators struggle with mitigating vulnerabilities for many reasons—some of which may be more obvious than others, such as availability demands for critical services. But sometimes, more subtle challenges get in the way of addressing critical security flaws, such as the often very manual process of gathering remediation and mitigation information about individual CVEs.
Vendor advisories and third-party alerts from the National Vulnerability Database (NVD), for example, may not contain enough remediation information to satisfy all use cases, such as when organizations cannot apply a software patch immediately or update firmware to address a vulnerability. In those instances, they must rely on mitigations as stopgaps, and that information often isn't easily usable. Alerts and advisories aren't always machine-readable or published in standardized formats.
In this episode of the Nexus podcast, Kylie McClanahan, a doctoral student at the University of Arkansas and senior developer at Bastazo Inc., joins to discuss research she's conducted—primarily within the electric sector—that helps automate this process for users. Using a mix of keyword-based techniques, machine learning, and natural language processing, she's been involved in developing tools and systems that will scrape available sources of information and present it in a machine-readable format with remarkable accuracy and usability.
Right now, however, for most users, the process is manual—and untenable. The process includes a list of devices and URLs of websites where vulnerability and patch information is published. Vendor product portals are also part of this process, and it's often up to the user to determine whether advisories have been released that impact their products and what versions and configurations are affected.
"This is before you get into testing and installation, which by all accounts are the most fraught parts of this process," McClanahan said. "When we talk about how much time this is taking, a lot of teams I've spoken to would split up the process, one person would do discovery—is available—another would assess whether this is applicable to us. With one of the teams I talked to, just the discovery was taking two full days out of the month, just to click on URLs and go to the page."
In order to be compliant with NERC CIP standards in the electric space, users must also prove they've done their due diligence in seeking out patching data; McClanahan said many take screenshots of the pages they visit and archive them for this purpose.
"I don't want to imply that we shouldn't provide evidence for patching processes, but these people, in many cases, have spent years or decades in an OT environment. These operators have a honed sense about the devices they work with. I think it's a bit of a waste to be spending two days out of every month taking screenshots of every page," she said.
Listen to this episode and learn more about McClanahan and her colleagues' research on automating patching, information gathering, and mapping Common Platform Enumerators (CPEs) published within vulnerability databases to existing software and hardware inventory. Again, this is largely another manual process, but McClanahan helped develop a recommender system that automatically identifies a set of CPEs for software names that improves vulnerability identification and alerting.
This recommender system uses a mix of natural language processing, fuzzy matching, and machine learning to achieve this and reduce the manual labor involved currently in product vulnerability matching.
Both papers referenced in this podcast can be downloaded here.
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
