Hardware Vulnerability Assessment
Summary of Hardware Vulnerability Assessment
The Hardware Vulnerability Assessment (HVA) is a feature available in the Industrial Workspace for users of the Operational Technology Vulnerability Response Pro. It enables ServiceNow customers to assess firmware vulnerabilities in operational technology (OT) devices within their inventory. HVA leverages normalized OT device data—such as manufacturer, firmware version, and product model—aligned with Common Platform Enumeration (CPE) from the National Vulnerability Database (NVD) to identify vulnerabilities through Common Vulnerabilities and Exposures (CVEs).
By comparing normalized OT device content with CVE data, HVA identifies devices at risk and supports the creation of Vulnerable Items (VIT) records for impacted devices. Scheduled jobs (Full and Delta assessments) automate the vulnerability assessment process, ensuring regular and up-to-date evaluations.
Roles and Permissions
To utilize HVA, users must be assigned specific roles:
- sn_vul.manage_exposure_assessment: Grants permission to view and edit HVA properties, typically assigned to administrators or user groups.
- sn_otvr.vul_event_manager (OT Vulnerability Event Manager): Assigned to Hardware Vulnerability Analysts or relevant user groups, enabling them to view and manage assessment records.
Use Cases
- Identify and prioritize cybersecurity risks in OT devices based on fully matched vulnerability assessments.
- Automatically create Vulnerable Items from fully matched assessments to streamline remediation efforts.
- Investigate partially matched assessments for potential risk identification and mitigation.
- Monitor OT devices pending normalization to ensure comprehensive vulnerability coverage.
HVA Interface and Tabs
The HVA menu organizes assessment data into several tabs to facilitate vulnerability management:
- Fully Matched Assessments: Lists devices whose manufacturer, product model, and firmware version fully correspond to CVE data, indicating confirmed vulnerabilities.
- Partially Matched Assessments: Shows devices matching manufacturer and model but with uncertain firmware version matches, highlighting potential risks.
- Vulnerable Items: Displays VITs created automatically or manually, representing actionable vulnerability records.
- Ignored Assessments: Contains assessments for devices deliberately excluded from analysis.
- Awaiting Normalization: Lists OT devices lacking normalized data, thus pending inclusion in vulnerability assessments.
Note: Enabling automatic VIT creation moves fully matched data from the Fully Matched Assessments tab to the Vulnerable Items tab, enhancing visibility of actionable vulnerabilities.
Additional Configuration
- Enable the opt-in feature in Enterprise Asset Management to allow OT devices to be available for normalization, which is essential for accurate vulnerability assessments.
- Configure automatic deletion of obsolete assessment records by activating the relevant data management policy (sn_vul_analyst_firmware_vulnerability_assessment) to maintain system hygiene.
Practical Benefits
ServiceNow customers using HVA can automate the identification and management of firmware vulnerabilities in their OT devices, prioritize remediation efforts based on risk, and maintain up-to-date vulnerability data through normalization and scheduled assessments. This capability supports proactive security management and operational resilience in industrial environments.
The Hardware Vulnerability Assessment (HVA) is available in the Industrial Workspace menu for users of Operational Technology Vulnerability Response Pro.
Hardware Vulnerability Assessment overview
You can use Hardware Vulnerability Assessment to assess the firmware vulnerabilities of the OT devices in inventory and create vulnerable items (VIT) against the impacted OT devices.
HVA uses normalized content for the firmware discovery model, together with the Common Platform Enumeration (CPE) format provided by the National Vulnerability Database (NVD), to perform assessments. The normalized content contains OT device data such as manufacturer, firmware version, and product model. It is produced by the normalization process available in Enterprise Asset Management. The normalized content for OT devices is mapped to the Common Vulnerabilities and Exposures (CVEs) available in NVD. The Hardware Vulnerability Assessment menu displays the OT devices that are at risk when the CVE data matches the OT device data in the normalized content.
The assessment is run by the following scheduled jobs:
- Hardware Vulnerability Assessment - Full
- Hardware Vulnerability Assessment - Delta
Required Operational Technology and Hardware Vulnerability Assessment roles
You need the following roles to use the Hardware Vulnerability Assessment (HVA) menu:
- sn_vul.manage_exposure_assessment: Assign this role to admin users or user groups as needed; it enables them to view or edit properties for Hardware Vulnerability Assessment.
- sn_otvr.vul_event_manager (OT Vulnerability Event Manager): Assign this role to Hardware Vulnerability Analyst users or user groups as needed; it enables them to view assessment records and act on them.
Use Case
- Identify cybersecurity risks in OT devices.
- Focus on high-risk vulnerabilities via fully matched assessments on OT device data.
- Set up automatic creation of vulnerable items for fully matched assessments.
- Investigate and address partially matched assessments to identify potential risks and act accordingly.
- Monitor unprocessed OT devices from the Awaiting Normalization tab, which are pending full discovery or pending content updates.
HVA tabs
The HVA menu displays the hardware vulnerability assessment records created for the OT devices. Each assessment record is built from several criteria, for example the CVE, the OT device at risk, the Common Vulnerability Scoring System (CVSS) score, and the device criticality.
- The Fully matched assessments tab displays the assessment records, where the CVEs fully match with the manufacturer, product model, and firmware version of the OT devices. A fully matched assessment means that an OT device matches all vulnerability factors specified in a CVE.
- The Partially matched assessments tab displays the assessment records, where the CVEs partially match the manufacturer and model on the OT device but the firmware version match is undetermined.
- The Vulnerable Items tab displays the VITs that are created automatically or you create manually based on the assessments.
- The Ignored assessments tab displays the assessments of the devices that you choose to ignore.
- The Awaiting Normalization tab displays the OT device data that doesn’t have the normalized data and hasn't been used for assessment.
- If the property to create automatic VIT is enabled, the Fully matched assessments tab doesn’t display any data. You can view this information in the Vulnerable Items tab.
- Enable the Opt-in feature in Enterprise Asset Management to allow OT devices to be available for normalization. For more information, see Opt-in to Enterprise Asset Management Content Service.
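The tab descriptions above define three outcomes for a device: fully matched (manufacturer, product model, and firmware version all correspond to the CVE's CPE data), partially matched (manufacturer and model correspond but the firmware version cannot be determined), and awaiting normalization (no normalized data, so the device is never assessed). The following Python model is an added illustration of that classification and of how the automatic-VIT property moves fully matched rows from the Fully matched assessments tab to the Vulnerable Items tab. It is not ServiceNow code; the record layouts, the simplified CPE match structure (vendor, product, and an optional `versionStartIncluding` / `versionEndExcluding` range as NVD CVE JSON expresses it), the dotted-version comparison, and the rule that a CPE entry without version information yields a partial match are all assumptions made for the example, and the device inventory and CVE identifiers are constructed placeholders.

```python
"""Illustrative model of HVA's fully/partially matched classification.

Added example, not ServiceNow code. Record shapes, version comparison and
the 'no version information => partial' rule are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class OtDevice:
    """Assumed shape of a normalized OT device record.

    manufacturer / product_model are None when Enterprise Asset Management
    normalization has not processed the device (Awaiting Normalization).
    """
    name: str
    manufacturer: Optional[str] = None
    product_model: Optional[str] = None
    firmware_version: Optional[str] = None

    def is_normalized(self) -> bool:
        return self.manufacturer is not None and self.product_model is not None


@dataclass
class CpeMatch:
    """Assumed simplified view of one NVD CPE match entry for a CVE."""
    cve_id: str
    vendor: str
    product: str
    version_start_incl: Optional[str] = None  # versionStartIncluding
    version_end_excl: Optional[str] = None    # versionEndExcluding


def version_key(version: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def norm(value: str) -> str:
    """CPE-style normalization: lower-case, spaces as underscores."""
    return value.strip().lower().replace(" ", "_")


def classify(device: OtDevice, match: CpeMatch) -> Optional[str]:
    """Return 'full', 'partial', or None (no assessment record) for one pair."""
    if not device.is_normalized():
        return None  # never assessed; device sits in Awaiting Normalization
    if norm(device.manufacturer) != norm(match.vendor):
        return None
    if norm(device.product_model) != norm(match.product):
        return None
    has_range = match.version_start_incl is not None or match.version_end_excl is not None
    if device.firmware_version is None or not has_range:
        return "partial"  # manufacturer + model match, firmware undetermined
    fw = version_key(device.firmware_version)
    if match.version_start_incl and fw < version_key(match.version_start_incl):
        return None  # firmware determined to be outside the vulnerable range
    if match.version_end_excl and fw >= version_key(match.version_end_excl):
        return None
    return "full"


def assess(devices: List[OtDevice], matches: List[CpeMatch],
           auto_create_vit: bool = False) -> Dict[str, list]:
    """Group devices into the HVA tabs described on the page."""
    tabs: Dict[str, list] = {
        "Fully matched assessments": [],
        "Partially matched assessments": [],
        "Vulnerable Items": [],
        "Awaiting Normalization": [],
    }
    for device in devices:
        if not device.is_normalized():
            tabs["Awaiting Normalization"].append(device.name)
            continue
        for match in matches:
            outcome = classify(device, match)
            if outcome == "full":
                # With automatic VIT creation enabled, fully matched rows are
                # shown in the Vulnerable Items tab instead.
                tab = "Vulnerable Items" if auto_create_vit else "Fully matched assessments"
                tabs[tab].append((device.name, match.cve_id))
            elif outcome == "partial":
                tabs["Partially matched assessments"].append((device.name, match.cve_id))
    return tabs


# Constructed sample inventory and CVE data (placeholder identifiers, not real CVEs).
DEVICES = [
    OtDevice("plc-01", "Example Automation", "Model X", "2.3.1"),
    OtDevice("plc-02", "Example Automation", "Model X", None),      # firmware unknown
    OtDevice("plc-03", "Example Automation", "Model X", "3.0.0"),   # patched release
    OtDevice("rtu-07"),                                             # not yet normalized
    OtDevice("hmi-04", "Other Vendor", "Panel Y", "1.0"),
]
MATCHES = [
    CpeMatch("CVE-XXXX-0001", "example_automation", "model_x", "2.0.0", "2.4.0"),
    CpeMatch("CVE-XXXX-0002", "example_automation", "model_x"),     # no version data
]

if __name__ == "__main__":
    for tab, rows in assess(DEVICES, MATCHES).items():
        print(f"{tab}: {rows}")
```

Running it as-is lists plc-01 against CVE-XXXX-0001 as the only fully matched row, rtu-07 under Awaiting Normalization, and four partially matched rows; calling `assess(DEVICES, MATCHES, auto_create_vit=True)` empties the Fully matched assessments tab and places the same row under Vulnerable Items, which is the behaviour the note about the automatic-VIT property describes.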
Delete obsolete assessments
You can also set up automatic deletion of obsolete assessment records.
- Navigate to .
- Search and select the sn_vul_analyst_firmware_vulnerability_assessment policy.
- Select the Active check box.
- Select Update.