Assess, Prioritize, Defend: Continuous Security Assessment in OT Environments

Practical Guidance and Insights to Help Organizations Improve OT Security Posture

We don’t have to tell you that in the world of operational technology cybersecurity, where critical infrastructure protection meets the rapidly evolving landscape of digital threats, progress isn’t optional, it’s safety and revenue critical. And by progress, we mean specifically understanding and mitigating threats before they become incidents, by assessing your vulnerabilities and addressing them proactively.

The importance of this progress came through loud and clear to us in a recent conversation with Robert M. Lee, founder and CEO of Dragos and the first advisory board member of Frenos. Rob offered a glimpse into the future. The next decade, he predicted, will see OT cybersecurity move from reactive to proactive.

AI and machine learning will play a pivotal role in automating threat detection, prioritization, and mitigation.

Rob predicts that platforms like Frenos will lead the charge, enabling organizations to make better security decisions faster. Cybersecurity will no longer be a back-office function, but a boardroom priority—a strategic enabler of growth, resilience, and innovation.

“In OT, we’re not just protecting data—we’re protecting lives and livelihoods. That’s a responsibility we can’t afford to take lightly.”

This stated level of importance may make you ask “What kind of tools does my OT team have in their toolbox to be ahead of the cybersecurity threats? How do I get started with Cybersecurity assessments?”

Assess. Prioritize. Defend.

While fairly straightforward, these three actions spell out the key components of any OT security strategy. This represents a continuous process, as security controls (such as firewall policies) and the external threat landscape are constantly evolving, requiring ongoing assessment and reprioritization to maintain effective protection.

Assess Prioritize Defend

In a previous Blog, we discussed integrating your OT Security functions into your corporate Risk Management strategy. Risk assessment and vulnerability assessment may sound like the same thing, but they are VERY different. Uniquely in OT, there will be significant vulnerabilities in the environment but correlated with low risk, and vice versa.

Before you can do anything else, you need to understand the environment in which you are operating. In this blog, we focus on evaluating the vulnerabilities you may have. Let’s look at what the industry considers the best ways to find those vulnerabilities in your OT security platform.

Modern critical infrastructure protection demands a fundamental shift from detect-and-respond to predict-and-prevent. This requires:

  • Continuous attack surface analysis that accounts for constant internal security control and external threat changes
  • Integration of industrial threat intelligence to identify emerging tactics, techniques and procedures before they're weaponized
  • Automated validation of security controls against current threat actor methodologies
  • Real-time analysis of potential attack paths considering both IT and OT network topologies

The Ultimate End Goal: Continuous Security Assessment

Know Your Enemy

In academia, one important area of teaching cybersecurity students is adversarial thinking—an objective that is typically defined as “the ability to think like a hacker.”

In the white paper “Adversarial reasoning: challenges and approaches”, written by Alexander Kott and Michael Ownby of DARPA, adversarial reasoning is defined as computational approaches to inferring and anticipating an enemy's perceptions, intents and actions. It argues that adversarial reasoning transcends the boundaries of game theory and must also leverage such disciplines as cognitive modeling, control theory, AI planning, and others.

Adversarial reasoning powered by artificial intelligence (AI) and machine learning (ML) risk assessment software, has emerged as a crucial approach to stay ahead of evolving threats.

One of the core components of adversarial reasoning in ICS/OT cybersecurity is the simulation of potential attack paths. Attack path simulation involves creating and analyzing hypothetical scenarios where cyber adversaries might exploit vulnerabilities within a network to achieve their objectives. By using AI/ML techniques, we can automate and enhance this process, making it more dynamic and responsive to evolving threats.

Frenos believes in using a combination of generative AI and traditional ML to simulate an adversary's decision-making process. We can predict how adversaries navigate a network to achieve their goals by training models on historical attack data and known vulnerabilities. This simulation allows us to identify and prioritize high-risk attack paths, enabling targeted and efficient risk reduction efforts.

And, this is the fun part - AI-driven attack path simulation can adapt to real-time changes in the network environment. For example, if a new vulnerability is discovered or a system configuration changes, the model can immediately recalculate potential attack paths and update its recommendations. This continuous monitoring and adaptation ensures that security measures remain effective even as the threat landscape evolves.

Know Yourself

While vulnerability scanning primarily identifies potential vulnerabilities by automatically scanning for known issues, penetration testing simulates a real-world attack by actively attempting to exploit those vulnerabilities to assess the effectiveness of security controls.

Automated penetration testing or adversary emulation tools can be integrated with AI/ML-driven attack path simulation to provide a more comprehensive view of potential vulnerabilities. These tools can emulate real-world attacks on ICS/OT networks, testing the effectiveness of controls. AI/ML models can use the data from these tests to refine their simulations and provide more accurate predictions of potential attack paths.

It should be noted that automated penetration and emulation tools are active on the network and should be used cautiously in live ICS/OT networks. And, traditional IT vulnerability scanners can cause operational disruptions in OT environments by overwhelming legacy devices with network traffic or triggering unexpected responses from industrial protocols. An interesting option is the use of the Digital Twin.

“Mirror Worlds”

The first digital twin, although not labeled as such, came about at NASA during the 1960s as a means of modelling the Apollo missions. NASA used simulators to evaluate the failure of Appolo 13's oxygen tanks. The broader idea that became the digital twin concept was anticipated by David Gelernter's 1991 book “Mirror Worlds.”

A cyber digital twin is a virtual representation of a physical system that can be used to simulate, analyze, and predict the system's behavior under various conditions. By creating digital twins of ICS/OT environments, organizations can conduct detailed simulations of attack paths without risking the actual infrastructure. AI/ML models can interact with these digital twins to simulate different attack scenarios, assess the effectiveness of security measures, and identify potential vulnerabilities. This approach allows for safe and comprehensive testing of security strategies in a controlled environment.

Taking Action

While our focus so far has been on the assessment part of your OT Security strategy, we would be remiss not to at least mention what you will do with that assessment data. Not all vulnerabilities require immediate remediation. We suggest you consider these factors when prioritizing:

  1. Potential Impact: The consequences if the vulnerability is exploited (safety risks, operational disruption, environmental damage, etc.)
  2. Exploitability: The ease with which a vulnerability could be exploited, considering required access, skill level, and existing controls
  3. Asset Criticality: The importance of the affected asset to overall operations
  4. Remediation Complexity: The difficulty, cost, and operational impact of implementing fixes

Develop a scoring system that accounts for these factors in your specific industrial context. Standard IT frameworks like CVSS (Common Vulnerability Scoring System) may need adaptation for OT environments to account for safety and reliability concerns, but can be a good place to start.

Continuous Security Assessment

Vulnerability assessment should be an ongoing process, not a one-time event. Here’s a simple “checklist” you can refer to when establishing your assessment strategy:

  • Establish assessment cycles: Regular scheduled assessments (annual, quarterly) supplemented by assessments triggered by significant changes.
  • Monitor vulnerability intelligence: Stay informed about newly discovered vulnerabilities in industrial systems and equipment.
  • Integrate with change management: Ensure security assessments are incorporated into the evaluation of system changes, upgrades, and expansions.
  • Track meaningful metrics: Measure progress through metrics like vulnerability closure rates, mean time to remediate, and risk reduction over time.

Going back to the “Assess, Prioritize, Defend” mantra…. We’ve covered a lot of ground on the steps to assess your vulnerabilities as the first part to being on your way to staying ahead of the attacks. And, a bit of guidance on how you can start to prioritize. After reading this guide, how do you feel your organization rates regarding Vulnerability Assessments in your OT environment? Could you benefit from improved, and continuous Security Assessment as the next step to Defend your OT environment? We invite you to learn more about how the Frenos solution can help.