Vulnerability management systems, solutions and tools for cyber security

The vulnerability management system (Condor) provides the ability to understand the hardware and software vulnerabilities within your organisation’s network.

The Condor system delivers an in-depth vulnerability assessment of the hardware and software running on your devices. We map devices against systems, and systems against your organisation’s risk assessment matrix, to produce a network vulnerability baseline (NVB). This provides a comprehensive view of your assets from a vulnerability, impact and associated risk perspective. The system then processes daily intelligence feeds from several industry-leading sources against your NVB and alerts users to potential threats, the associated risks and recommended remediation activities.

Vulnerability Management

Alert Engine

Inventory to Alert Matching
The Condor system uses augmented client inventory data and matches this to the Alerts ingested from third-party intelligence feeds to detect the location of vulnerabilities within client systems.

Vulnerability Investigation
Sapien’s analysts investigate vulnerabilities present in client systems to determine how they work and whether an exploit exists or the vulnerability has been exploited in the wild.

Risk Analysis
Condor Risk Analysis is an automated process, which takes into account a number of factors, including:

  • Whether the vulnerability is exploitable – by matching the connectivity available to the client systems with how the vulnerability works
  • Level of risk – whether impacted devices are in the critical systems identified in the risk model and, if they are, what the consequences of a successful exploit would be
  • The severity of the vulnerability – based on its CVSS score and CVSS vector

Attack Surface Engine

NVD Matching
The Condor system matches CVEs in the NVD database with augmented client inventory data to determine all vulnerabilities for every component in the client inventory.

Patch & Remediation Identification
Sapien Analysts maintain a current database of patches and remediations for all vulnerable components. These are security-related patches only, not functionality-related patches, as operators will not patch for functionality as part of a vulnerability management program. Remediations are for devices which can’t be patched for operational reasons.

Worst Case Vulnerability Determination
In some cases, components (such as earlier Microsoft operating systems) may have dozens if not hundreds of vulnerabilities. Sapien Analysts track and report the worst vulnerability for each component in the client’s inventory so that operators can see at a glance how important it is to patch a particular component, regardless of how many vulnerabilities are present for that component.

Break Plan Alerts

Break Plan alerts are generated for Sapien Condor clients based on the Risk Analysis and Vulnerability Investigation results. These Alerts include identification of all systems within the client facilities which are affected, an analysis of the nature of a potential exploit and a detailed list of affected devices, their physical locations and the risk of exploitation on a device-by-device basis. Clients can set thresholds on the seriousness of events for which they want a Break Plan alert to be generated. This enables clients to plan rapid and effective responses to critical vulnerabilities.

Attack Surface Reports

Attack Surface reports are a detailed picture of where all the vulnerabilities exist within a production facility. These reports detail:

  • All vulnerable devices on a per-system basis
  • The components on each device that are vulnerable
  • The worst case vulnerability (CVSS) score and the CVE for each component
  • The recommended patch or mitigation for each component
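
The worst-case determination and per-system report described above can be illustrated with the following added example, which is not Condor's code. All component names, CVE ids, scores and remediation texts are constructed placeholders, and components are matched to CVEs by exact name, which is an assumption of this example.

```python
from collections import defaultdict

# Constructed sample data: every name, CVE id, score and patch text is a placeholder.
INVENTORY = [  # (system, device, location, component)
    ("Packaging Line", "HMI-01", "Hall A", "example-os 6.1"),
    ("Packaging Line", "HMI-01", "Hall A", "example-scada 2.3"),
    ("Packaging Line", "PLC-07", "Hall A", "example-plc-fw 1.0"),
    ("Utilities", "SW-02", "Plant room", "example-switch-os 12.2"),
]
CVES = [  # (CVE id, affected component, CVSS base score)
    ("CVE-0000-0001", "example-os 6.1", 9.8),
    ("CVE-0000-0002", "example-os 6.1", 5.3),
    ("CVE-0000-0003", "example-os 6.1", 7.5),
    ("CVE-0000-0004", "example-plc-fw 1.0", 8.1),
]
REMEDIATION = {  # CVE id -> security patch, or mitigation where patching is not possible
    "CVE-0000-0001": "vendor security update (placeholder)",
    "CVE-0000-0004": "no patch window: restrict network access to the PLC (placeholder)",
}

def worst_case_by_component(cves):
    """Collapse many CVEs per component to (worst CVE id, worst score, CVE count)."""
    worst, count = {}, defaultdict(int)
    for cve_id, component, score in cves:
        count[component] += 1
        if component not in worst or score > worst[component][1]:
            worst[component] = (cve_id, score)
    return {c: (cid, s, count[c]) for c, (cid, s) in worst.items()}

def attack_surface_report(inventory, cves, remediation):
    """Per system: vulnerable devices, component, worst-case CVE/CVSS, recommended action."""
    worst = worst_case_by_component(cves)
    report = defaultdict(list)
    for system, device, location, component in inventory:
        if component not in worst:  # exact-name match is an assumption of this example
            continue
        cve_id, score, total = worst[component]
        report[system].append({
            "device": device, "location": location, "component": component,
            "cve": cve_id, "cvss": score, "total_cves": total,
            "action": remediation.get(cve_id, "none recorded"),
        })
    for rows in report.values():
        rows.sort(key=lambda r: r["cvss"], reverse=True)  # worst first
    return dict(report)

if __name__ == "__main__":
    for system, rows in attack_surface_report(INVENTORY, CVES, REMEDIATION).items():
        for r in rows:
            print(system, r["device"], r["location"], r["component"], r["cve"], r["cvss"], r["action"])
```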

3RD PARTY VULNERABILITY FEEDS

Condor ingests vulnerability intelligence feeds from a number of sources, including ICS-CERT and US-CERT, and creates product-specific Alerts based on this information. These Alerts are matched on a daily basis against all client inventories.

CLIENT CMDB AND RISK DATA

CMDB Data
Condor ingests client CMDB information for Devices comprising hardware, operating system and software components for all types of equipment, including HMIs, servers, PLCs, switches and routers. It tracks this information against Device IDs, Device Names and physical locations so that reporting can pinpoint the exact location of a vulnerability.

Risk Data
Condor uses the IEC 62443 risk-based vulnerability methodology of dividing OT facilities into functional Zones. Each Zone is a group of devices which has associated risk information used to quantify the risk to production associated with each vulnerability.

NVD DATABASE

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data (CVEs). It is the most complete catalog of vulnerabilities available. Condor maintains a local copy of the NVD database which is used to determine the attack surface of a client’s network by matching the NVD database to client inventory.
