We demonstrate the integration of IoTVAS with the Qualys Cloud Platform, a market-leading continuous security and compliance monitoring platform for enterprises. The platform is designed to automate auditing and compliance checks of IT assets and mobile endpoints. However, accurate asset discovery and risk assessment of purpose-built IoT or connected devices, such as IP cameras, network-connected printers and OT devices, remains a challenge. In this post, we demonstrate an example of such an issue and use the IoTVAS API to write a connector application that accurately discovers devices on the network and pushes a detailed device profile and firmware-level vulnerabilities into the Qualys Cloud Platform, where they can be easily searched and managed.

Scanning an OT and an IoT device with Qualys

The following figures show the device detection and vulnerability scan results for a Phoenix Contact AXC F-2152 PLC and an AXIS A1001 physical access control device. The scan was performed with the latest scanner and signature versions of the Qualys virtual appliance.

Figure 1 - PLC asset summary page
Figure 2 - PLC vulnerabilities
Figure 3 - Physical access control device summary page
Figure 4 - Physical access control device vulnerabilities

Qualys was not able to determine the device manufacturer, model name or device type. The PLC vulnerabilities suggest that it is running outdated software, but without knowing the device type, model, manufacturer and current firmware version, it would be difficult for a user to work out the exact mitigation steps needed to remediate these vulnerabilities. Similarly, no such information was available for the building access control device. In the following section, we will use the IoTVAS API to identify a detailed profile of each device, including manufacturer, model name, firmware version, device type, outdated firmware and device end-of-life status. Furthermore, IoTVAS will provide the known vulnerabilities (CVEs) associated with the device as well as vulnerabilities inside the firmware code of the device.

IoTVAS Connector for Qualys Cloud Platform

The IoTVAS API only requires a set of network service responses and banners from the target connected device to identify it and provide a detailed device profile, CVEs and firmware-level vulnerabilities. We use an Nmap script to collect the network service responses from the target devices. Once IoTVAS gives us the device profile and vulnerabilities for a given network asset, we create "asset tags" that encode that information, such as "Vendor: YYY", "Model: XXX" and "CVE-XXX", and attach them to the asset using the Qualys Asset Management (AM) API. The source code of this connector and the instructions for installing and running it are published here.
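The tag-encoding step of the connector, written here as an added example rather than the connector's published code: it turns a device profile into the tag names the post describes ("Vendor: ...", "Model: ...", bare CVE IDs, and "FW: " for CVEs in third-party firmware components), normalises and validates the CVE IDs before they become tags, and drops duplicates. The profile field names and the sample profile are constructed assumptions, not the real IoTVAS response schema, and the Qualys AM API call itself is left out.

```python
import re
from typing import Dict, List

# Constructed sample profile in the shape this example assumes (not the real IoTVAS schema).
SAMPLE_PROFILE = {
    "manufacturer": "Example Vendor",
    "model_name": "Example PLC 1000",
    "device_type": "PLC",
    "firmware_version": "1.2.3",
    "latest_firmware_version": "1.4.0",
    "is_discontinued": True,
    "firmware_risk": {"net_services": "high", "kernel": "medium",
                      "client_tools": "low", "crypto_libs": "high"},
    "device_cves": ["CVE-2020-0001", "cve-2020-0001", "CVE-2021-0002", "not-a-cve"],
    "firmware_component_cves": {"openssl": ["CVE-2019-0003"]},
    "default_accounts": ["admin", "root"],
}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def normalise_cve(raw: str) -> str:
    """Upper-case a CVE ID and return '' if it is not a well-formed CVE identifier."""
    cve = raw.strip().upper()
    return cve if CVE_RE.match(cve) else ""


def build_asset_tags(profile: Dict) -> List[str]:
    """Encode a device profile as Qualys asset tag names, in a stable order without duplicates."""
    tags = [f"Vendor: {profile['manufacturer']}", f"Model: {profile['model_name']}",
            f"Device Type: {profile['device_type']}", f"Firmware: {profile['firmware_version']}"]
    latest = profile.get("latest_firmware_version")
    if latest and latest != profile["firmware_version"]:
        tags.append("Outdated Firmware")          # newer firmware is available
    if profile.get("is_discontinued"):
        tags.append("Discontinued Device")        # end-of-life status
    for category, level in profile.get("firmware_risk", {}).items():
        tags.append(f"FW Risk {category}: {level}")  # the four firmware risk categories
    for raw in profile.get("device_cves", []):
        if cve := normalise_cve(raw):
            tags.append(cve)                      # device-level CVE as a bare tag
    for component, cves in profile.get("firmware_component_cves", {}).items():
        for raw in cves:
            if cve := normalise_cve(raw):
                tags.append(f"FW: {component} {cve}")  # third-party component CVE inside the firmware
    for account in profile.get("default_accounts", []):
        tags.append(f"Default Account: {account}")
    return list(dict.fromkeys(tags))              # dedupe while keeping insertion order
```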

IoTVAS and Qualys Integration Results

The following figures show the asset summary pages of the PLC and building access control devices after being probed with the IoTVAS connector. The connector has tagged the devices with a detailed device profile, firmware risk summaries in four categories (network services, kernel, client tools and crypto libraries), the associated CVE IDs (for the device itself and for third-party components inside the device firmware, the latter identified by the "FW: " prefix), as well as the default user account names of the current firmware version.

Figure 5 - Detailed profile and vulnerabilities of the PLC device created by IoTVAS
Figure 6 - Detailed profile and vulnerabilities of the access control device created by IoTVAS

With the help of these tags encoding device manufacturer, model name, firmware version and vulnerabilities, Qualys users can easily build custom dashboards to identify their IoT assets and manage their vulnerabilities. The following figure shows such a dashboard, tracking high-risk IoT devices, devices with outdated firmware versions and discontinued devices. It also lets the user identify devices with default account names and crypto keys embedded in the firmware, so that they can initiate a response to ensure these credentials are changed after device provisioning.

Figure 7 - IoTVAS dashboard inside Qualys Cloud Platform

In the following video we demonstrate discovery and vulnerability identification of a PLC device with the IoTVAS connector for Qualys:

To get started with the IoTVAS API, please register for an API key here. The API documentation page includes a Swagger UI that lets you try the IoTVAS endpoints right from your browser without writing any code.