ASM tools and strategies for threat management

Choose Your Armor

ASM in Industrial Use

As is so often the case, industrial networks pose particular difficulties for the security team. Industrial companies are exposed to danger in two ways, because their potential attack surface includes both information technology and operational technology (IT and OT). Increasing automation and networking of machines and systems further enlarges this attack surface. As OT security specialists such as Kaspersky or Claroty also point out, industrial environments come with one hugely critical flaw: Legacy devices, such as plant control systems, often run on operating systems that are so badly outdated they no longer receive any updates or security patches. These challenges make protecting industrial environments a duel with a fire-breathing dragon.

According to providers such as CrowdStrike, the very first campaign in industrial dragon control has to be a comprehensive inventory of the industrial environment, which CrowdStrike refers to as the Extended Internet of Things (XIoT). The inventory is intended to provide clarity through tests and queries that penetrate deep into industrial control system (ICS) subnets and identify and fingerprint all XIoT devices regardless of their protocols. To do so, it determines device information such as type, manufacturer, location, location name, class, level in the Purdue reference model, protocol, operating system, and so on. According to CrowdStrike, this scan is the only way to gain the essential in-depth insight into the attack surface and into the potential damage in the event of an attack.

That said, many experts warn that, although it is essential to inventory IT and OT assets, it will often not be possible to register all of them fully. The logical consequence is that an industrial company's security team needs to build skills that keep pace with the attackers' tooling. Ultimately, it is about being able to find out just as quickly as the attackers where the company has vulnerabilities in its IT and OT areas and what they are – and to react quickly.

This reaction is proving extremely difficult in industry, and not just because of the stubborn old devices mentioned. Patching current systems is also a major challenge, except in plain vanilla IT environments. Security in the OT context traditionally means operational reliability (i.e., the system running with as few interruptions as possible), which is why OT experts emphasize the key role of risk-based vulnerability management. According to Claroty, the goal in industry is not to shut down every known vulnerability, but rather to check how likely it is that attackers will exploit the vulnerabilities in your systems. These findings then drive targeted remedial action or, if that is not possible, at least the establishment of compensating control mechanisms that mitigate the risk.

According to cirosec boss Strobel, however, ASM is only of limited use in an industrial context, because ASM generally only looks at externally accessible components, and in OT environments often nothing can be seen from the outside. Digital twins, cloud connections, interfaces, or remote maintenance access are increasingly being set up in the scope of Industry 4.0, and an ASM system would, one hopes, find them. According to Strobel, however, these are peripheral; the core problem usually lies in the company's internal OT or IT network.

To minimize attack surfaces in the industrial environment, security experts always give the same advice: Network segmentation, ideally along business processes, is the ideal solution and the only alternative if a system can no longer be patched. According to the experts, industrial companies need to supplement this segmentation with protective measures wherever possible, including intrusion detection and prevention systems, firewalls, and antivirus software for OT environments. No less important is regular – or preferably continuous – monitoring and analysis of network activities.

Finally, experts repeatedly point to those attack surfaces that stem from human vulnerability. In the industrial sector in particular, for example, operating personnel like to share passwords for a plant control system within the team – a nightmare for any security officer. An industrial company that consistently implements the basics of cyber hygiene can significantly reduce the number of vulnerable points.

AI Support for ASM

As is the case almost everywhere in the security industry, various manufacturers now laud the benefits of AI when it comes to ASM. This does not usually refer to large language models (LLMs) and the currently hotly debated generative AI, but rather to self-learning statistical analyses (machine learning, ML). CrowdStrike, which has been working with AI since 2011, introduced ExPRT.AI in 2021, an AI-supported assessment system to better prioritize threat defense. The ExPRT.AI rating is dynamically adjusted on the basis of the current exploit status and threat data.

The good news, according to experts such as Sergej Epp from Palo Alto Networks, is that ML support works much better in industrial networks than in IT, because OT has relatively static communication patterns. If an ML-supported security system monitors the OT network over a training period of two or three days, says Epp, it knows which control device belongs to which protocol and which system. The tool can then automatically recommend to the firewall that only one protocol should be allowed in this segment, to minimize the scope of an attack.
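The two ideas above, an asset inventory that records each device's segment and Purdue level, and a baseline of OT communication learned during a training window that is then turned into per-segment firewall allow-lists, can be illustrated with a small script. The following is an added example and not code from the article, CrowdStrike, or Palo Alto Networks; it assumes flow records of the form (source, destination, protocol, destination port), as a network sensor or firewall log would provide, and a hand-maintained inventory. Device names, segments, and flows are constructed for the example.

```python
"""Learn an OT communication baseline and derive default-deny segment rules.

Added example (not from the article or any vendor product). Assumes flow
records (src, dst, protocol, dst_port) and a hand-maintained inventory that
stores each device's Purdue level and network segment.
"""
from collections import defaultdict

# Constructed inventory: device name -> Purdue level and network segment
INVENTORY = {
    "plc-01":    {"level": 1, "segment": "cell-a"},
    "plc-02":    {"level": 1, "segment": "cell-a"},
    "hmi-01":    {"level": 2, "segment": "cell-a"},
    "historian": {"level": 3, "segment": "site-ops"},
    "eng-ws":    {"level": 3, "segment": "site-ops"},
}

# Constructed flows observed during the training window (static OT traffic)
TRAINING_FLOWS = [
    ("hmi-01", "plc-01", "modbus", 502),
    ("hmi-01", "plc-02", "modbus", 502),
    ("hmi-01", "plc-01", "modbus", 502),
    ("historian", "hmi-01", "opcua", 4840),
    ("historian", "hmi-01", "opcua", 4840),
    ("eng-ws", "plc-01", "s7comm", 102),
    ("eng-ws", "historian", "opcua", 4840),
]


def learn_baseline(flows, inventory):
    """Return (by_segment, by_pair).

    by_segment: {segment: {(protocol, port): count}} keyed by the
                destination device's segment (traffic entering the segment)
    by_pair:    {(src, dst): {protocol}} so that a known protocol arriving
                from an unexpected source is still visible
    """
    by_segment = defaultdict(lambda: defaultdict(int))
    by_pair = defaultdict(set)
    for src, dst, proto, port in flows:
        seg = inventory[dst]["segment"]
        by_segment[seg][(proto, port)] += 1
        by_pair[(src, dst)].add(proto)
    return by_segment, by_pair


def recommend_rules(by_segment):
    """Turn the learned baseline into a default-deny allow-list per segment."""
    rules = []
    for seg in sorted(by_segment):
        for proto, port in sorted(by_segment[seg]):
            rules.append(f"allow {proto}/{port} into segment {seg}")
        rules.append(f"deny all other traffic into segment {seg}")
    return rules


def check_flow(flow, by_segment, by_pair, inventory):
    """Return None if the flow matches the baseline, otherwise a reason string."""
    src, dst, proto, port = flow
    if src not in inventory or dst not in inventory:
        return f"unknown device in {src} -> {dst} (not in inventory)"
    seg = inventory[dst]["segment"]
    if (proto, port) not in by_segment.get(seg, {}):
        return f"{proto}/{port} not in allow-list for segment {seg}"
    if proto not in by_pair.get((src, dst), set()):
        lvl_s, lvl_d = inventory[src]["level"], inventory[dst]["level"]
        return (f"new path {src} (L{lvl_s}) -> {dst} (L{lvl_d}) for {proto} "
                "(not seen in training)")
    return None


if __name__ == "__main__":
    seg_base, pair_base = learn_baseline(TRAINING_FLOWS, INVENTORY)
    for rule in recommend_rules(seg_base):
        print(rule)
    # Constructed operational flows: one normal, one rogue protocol, one new path
    for f in [("hmi-01", "plc-01", "modbus", 502),
              ("eng-ws", "plc-02", "rdp", 3389),
              ("historian", "plc-01", "modbus", 502)]:
        print(f, "->", check_flow(f, seg_base, pair_base, INVENTORY) or "baseline")
```

The baseline is keyed by the destination's segment, so the recommended rules describe what may enter each segment, which is the direction a segment firewall enforces. Keeping the per-pair view as well catches the case that matters most in flat OT networks: a permitted protocol arriving from a device that never used it during training.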

According to security experts, LLMs can also be beneficial for remedial measures, because they can summarize large volumes of information from a wide variety of sources. This ability of language models to provide comprehensive context-related advice could, for example, help speed up remediation tasks in the future.

The Limits of ASM

The KuppingerCole report stated that, as a discipline, ASM takes the attackers' point of view. In fact, some vendors describe their ASM services as continuous red teaming. According to cirosec boss Strobel, however, these statements are not entirely accurate; he points out that they have to be put into perspective, because an advanced persistent threat (APT) group also takes a close look at a company's employees or uses spear phishing, which is outside the scope of ASM.

In particular, Strobel vehemently disagrees with the claim that ASM allows quasi-automated red teaming, which he says is something completely different. Rather, it is a project that takes months of work, including spear phishing, social engineering, physical hardware that is connected to the power socket in the company, proprietary malware for the backdoor, and so on. He emphasized that this process cannot be automated and that anyone who makes this argument is misusing the term "red teaming." Additionally, red teaming is about testing the blue team's (i.e., the defenders') ability to react, which is a completely different goal from ASM. Despite such marketing exaggerations, Strobel believes that ASM can still be useful, especially for larger companies with subsidiaries and foreign locations that lack an overview of their IT environment.
