Using asset management and vulnerability detection functionality, you can implement continuous (cyclical) management of vulnerabilities in industrial network devices. For vulnerability management purposes, Kaspersky Industrial CyberSecurity for Networks provides information on detected vulnerabilities that you can use to take the appropriate measures to remediate vulnerabilities and mitigate risks. The continuity of the vulnerability management process is ensured through automatic updates of information about devices and vulnerabilities in the application.
The scenario for implementing the continuous vulnerability management process consists of the following stages:
This stage is implemented by using the device activity detection and device information detection methods (these methods must be enabled). During this stage, the application automatically detects new devices and updates the device information. For all information that defines the classification and operating specifications of devices (such as information about the device model and software version), you must enable autoupdate in the settings of devices. If autoupdate of this information cannot be completed for some reason, this information should be manually updated.
This stage is implemented by using the vulnerability detection method (this method must be enabled). Scanning is performed based on available device information. A scan is started automatically after the application's database of known vulnerabilities is updated or after the addition/modification of device information that is used for comparison with fields in the database (for example, after information about the device model and software version is saved).
Each detected vulnerability is given a score denoting its severity according to the Common Vulnerability Scoring System (CVSS). Depending on the numerical value of this score, a vulnerability may have a severity of Low (score of 0.0–3.9), Medium (4.0–6.9) or High (7.0–10.0). The severities of detected vulnerabilities affect the security states of their associated devices (just like unresolved events associated with these devices).
You can classify the risks of exploitation of detected vulnerabilities based on their severities and scores, and on other factors related to the operational specifications of the devices. If the risk associated with the exploitation of a vulnerability is assessed as negligible, this vulnerability can be switched from the Active state (the default state of a vulnerability after it is detected) to the Accepted state. For example, this would be advisable if the conditions for vulnerability exploitation cannot be reproduced. All vulnerabilities that require some additional actions should be left in the Active state.
During this stage, you need to eliminate active vulnerabilities or mitigate the risks associated with their exploitation. Actions toward remediating vulnerabilities and mitigating risks may include acquisition, verification, and installation of the necessary patches or updates for devices, organizational measures (such as isolating vulnerable devices from external networks), or replacement of vulnerable devices.
You can obtain information about the recommended actions by viewing information about the detected vulnerabilities. Recommendations for protecting your system are provided in the form of text or links to publicly available resources.
Actions toward remediating vulnerabilities and mitigating risks are performed without the involvement of Kaspersky Industrial CyberSecurity for Networks.
This stage is similar to the stage involving scanning devices for vulnerabilities. When device information is changed, the application automatically switches a vulnerability associated with the device from the Active state to the Remediated state if the device information no longer matches the database fields that describe the vulnerability with the same CVE ID (for example, after information about the device software version is changed). The Remediated state is also assigned to vulnerabilities that no longer have a description in the database of known vulnerabilities (if the description is deleted from the database after updates are loaded). If devices with vulnerabilities are removed from the device table, their associated vulnerabilities are also deleted from the database of detected vulnerabilities on the Server.
If information about a vulnerability-related device has not changed (for example, risks were mitigated by isolating the vulnerable device from external networks), you can manually switch this vulnerability from the Active state to the Accepted state.
When a vulnerability event is registered, the security state of the device for which a vulnerability was detected changes. The device security state changes depending on the severity level of the event.
The device returns to the OK security state after the Resolved status is assigned to all events that are related to the vulnerabilities of this device. After a vulnerability is switched to the Remediated or Accepted state, the application automatically assigns the Resolved status to the corresponding events. Likewise, if you assign the Resolved status to a vulnerability detection event whose vulnerability is in the Active state, the vulnerability is switched to the Accepted state.
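The state transitions described above (Active to Accepted by manual decision or event resolution, Active to Remediated when device information no longer matches the database entry or the entry is deleted, and the device security state returning to OK once every event is resolved), modelled as an added example; this is illustrative code, not part of the product or this documentation. The vulnerability database is a constructed stand-in keyed by placeholder CVE ids, and the labels used for non-OK device security states are an assumption.

```python
from dataclasses import dataclass, field

def cvss_severity(score: float) -> str:
    """Map a CVSS base score onto the three severity bands the page lists."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS score must be in 0.0..10.0")
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High"

@dataclass
class Vuln:
    cve: str
    cvss: float
    state: str = "Active"          # Active | Accepted | Remediated
    event_resolved: bool = False   # status of the vulnerability detection event

@dataclass
class Device:
    model: str
    version: str
    vulns: dict = field(default_factory=dict)   # cve id -> Vuln

def rescan(device: Device, known: dict) -> None:
    """Compare device info with `known` (constructed stand-in: cve -> (model, version, cvss))."""
    matching = {cve for cve, (model, ver, _) in known.items()
                if (model, ver) == (device.model, device.version)}
    for cve in matching - set(device.vulns):
        device.vulns[cve] = Vuln(cve, known[cve][2])      # new finding starts Active
    for cve, v in device.vulns.items():
        if v.state == "Active" and cve not in matching:   # info changed or entry deleted
            v.state, v.event_resolved = "Remediated", True

def accept(device: Device, cve: str) -> None:
    """Manual Active -> Accepted (risk judged negligible); its event is resolved."""
    v = device.vulns[cve]
    if v.state == "Active":
        v.state, v.event_resolved = "Accepted", True

def resolve_event(device: Device, cve: str) -> None:
    """Resolving the event of an Active vulnerability switches it to Accepted."""
    v = device.vulns[cve]
    v.event_resolved = True
    if v.state == "Active":
        v.state = "Accepted"

def security_state(device: Device) -> str:
    """OK once all vulnerability events are resolved, else highest unresolved severity (assumed labels)."""
    unresolved = [v for v in device.vulns.values() if not v.event_resolved]
    if not unresolved:
        return "OK"
    return max((cvss_severity(v.cvss) for v in unresolved), key=["Low", "Medium", "High"].index)
```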