1. Home
  2. Industrial Control Systems
  3. RA-5

RA-5: VULNERABILITY SCANNING

TAILORED FOR INDUSTRIAL CONTROL SYSTEMS

  • ICS Control Baselines:
  • Low
  • Moderate
  • High

The organization:

    • a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
    • b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
      1. Enumerating platforms, software flaws, and improper configurations;
      2. Formatting checklists and test procedures; and
      3. Measuring vulnerability impact;
    • c. Analyzes vulnerability scan reports and results from security control assessments;
    • d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
    • e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

SUPPLEMENTAL GUIDANCE

Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

ICS SUPPLEMENTAL GUIDANCE

Active vulnerability scanning, which introduces network traffic, is used with care on ICS systems to ensure that ICS functions are not adversely impacted by the scanning process. The organization makes a risk-based determination whether to employ active scanning. Passive monitoring /sniffing may be used as part of a compensating control. Example compensating controls include providing a replicated, virtualized, or simulated system to conduct scanning. Production ICS may need to be taken off-line before scanning can be conducted. If ICS are taken off-line for scanning, scans are scheduled to occur during planned ICS outages whenever possible. If vulnerability scanning tools are used on non-ICS networks, extra care is taken to ensure that they do not scan the ICS network. Network scanning is not applicable to non-addressable communications. Vulnerability examination may be performed using other mechanisms than scanning to identify the objects being examined. Host-based vulnerability examination is an example compensating control.

CONTROL ENHANCEMENTS

RA-5 (1) VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY
  • ICS Control Baselines:
  • Moderate
  • High

The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

Supplemental Guidance:

The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible.

No ICS Supplemental Guidance.

RELATED CONTROLS: RA-5 (1)

RA-5 (2) VULNERABILITY SCANNING | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED
  • ICS Control Baselines:
  • Moderate
  • High

The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].

Supplemental Guidance: NONE

No ICS Supplemental Guidance.

RELATED CONTROLS: RA-5 (2)

RA-5 (3) VULNERABILITY SCANNING | BREADTH/DEPTH OF COVERAGE

NOT SELECTED FOR THE NIST ISC CONTROL SET

The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).

Supplemental Guidance: NONE

RA-5 (4) VULNERABILITY SCANNING | DISCOVERABLE INFORMATION
  • ISC Control Baseline:
  • High

The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions].

Supplemental Guidance:

Discoverable information includes information that adversaries could obtain without directly compromising or breaching the information system, for example, by collecting information the system is exposing or by conducting extensive searches of the web. Corrective actions can include, for example, notifying appropriate organizational personnel, removing designated information, or changing the information system to make designated information less relevant or attractive to adversaries.

No ICS Supplemental Guidance.

RELATED CONTROLS: RA-5 (4)

RA-5 (5) VULNERABILITY SCANNING | PRIVILEGED ACCESS
  • ICS Control Baselines:
  • Moderate
  • High

The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities].

Supplemental Guidance:

In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning.

No ICS Supplemental Guidance.

RA-5 (6) VULNERABILITY SCANNING | AUTOMATED TREND ANALYSES

NOT SELECTED FOR THE NIST ISC CONTROL SET

The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.

Supplemental Guidance: NONE

RELATED CONTROLS: RA-5 (6)

RA-5 (7) VULNERABILITY SCANNING | AUTOMATED DETECTION AND NOTIFICATION OF UNAUTHORIZED COMPONENTS

[Withdrawn: Incorporated into CM-8].

RA-5 (8) VULNERABILITY SCANNING | REVIEW HISTORIC AUDIT LOGS

NOT SELECTED FOR THE NIST ISC CONTROL SET

The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.

Supplemental Guidance: NONE

RELATED CONTROLS: RA-5 (8)

RA-5 (9) VULNERABILITY SCANNING | PENETRATION TESTING AND ANALYSES

[Withdrawn: Incorporated into CA-8].

RA-5 (10) VULNERABILITY SCANNING | CORRELATE SCANNING INFORMATION

NOT SELECTED FOR THE NIST ISC CONTROL SET

The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.

Supplemental Guidance: NONE

REFERENCES:

  • NIST Special Publication 800-82
  • NIST Special Publication 800-115
  • NIST Special Publication 800-40
  • NIST Special Publication 800-70
  • http://cwe.mitre.org
  • http://nvd.nist.gov