by Cesar Navas
February 21, 2020
As networks converge between Information Technology (IT) and Operational Technology (OT), organizations struggle to view the complete visibility of the network. Using Tenable.ot and Tenable.sc together, a complete picture of a network is visible to risk managers and CISO’s. Tenable.sc is able to connect with Tenable.ot and incorporate risk scores such as Vulnerability Priority Rating (VPR) and Common Vulnerability Scoring System (CVSS) vectors to fully understand risk. As Tenable expands into OT markets, organizations are given the opportunity to perform risk analysis based on OT and IT data in a single unified platform with Tenable.ot and Tenable.sc.
In the Risk Summary chapter, a trend line of Tenable.ot vulnerabilities and a CVSS to VPR Heatmap matrix provides an executive level view of the vulnerabilities related to OT devices. There are also two indicator matrices that show the system counts divided up based on their risk ratings, and criticality ratings. The combination of the risk, criticality, and VPR provides risk managers with a more complete and clearer understanding of the overall IT/OT risk.
The Asset Summary chapter provides a Top Ten summary of assets that have been detected (sorted by device count). The chapter also provides an executive view of system type detected for OT and IT devices, include are the count of each device type and the percentage of total device types detected. Additionally, Tenable.ot provides asset enumeration by Common Platform Enumeration (CPE). This attribute denotes if the vulnerability on the asset is related to hardware, applications, or operating system. The CPE contains manufacturer information. System managers can use this information as a starting point for vulnerability analysis and patch management efforts. There are also four matrices that track when an asset is first discovered on the network and when last seen. These two attributes help asset managers track when new systems are detected and if the system is in current use.
As threats to cloud, IT, and OT are exposed, organizations that practice Cyber Exposure are able to use Tenable.sc to reduce their Cyber Exposure gap. Tenable.ot helps to expand an enterprise’s visibility and merge traditional Vulnerability Management (VM) practices to include IT and OT. Using the advanced reporting capabilities of Tenable.sc, risk managers are able to import data from OT networks into a single VM platform. The OT data can then be reviewed and assessed alongside the IT VM data for a complete picture of cyber risk.
This report contains the following chapters:
Risk Summary: This chapter shows the executive team overall risk in their OT environment. Starting with a trendline which shows the count of vulnerabilities over the past 25 days. and the executive team is able to assess their organization's patching efforts. Following the trendline are a few matrices that quickly lay out the organizations Criticality Rating, Risk Rating, and CVSS to VPR.
Asset Summary: The Asset Summary chapter's purpose is to give the executive team an outlook into their OT assets. The chapter is broken up in order to focus on a few asset related items such as; device type, device discovery dates, and device attribute.