Operational Technology Hardware Vulnerability Assessment

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read

    The Operational Technology (OT) Hardware Vulnerability Assessment (HVA) application enables you to assess the firmware vulnerabilities of the OT devices in inventory and create vulnerable items (VIT) against the impacted OT devices.

    Hardware Vulnerability Assessment overview

    Hardware Vulnerability Assessment uses the normalized content for firmware discovery models to perform assessments. The normalized content contains OT device data such as manufacturer, firmware version, and product model, and is produced by the normalization process available in Enterprise Asset Management. The normalized content for OT devices is mapped to the Common Platform Enumeration (CPE) format provided by the National Vulnerability Database (NVD). An OT device is considered at risk when Common Vulnerabilities and Exposures (CVE) data available in the NVD database matches the OT device data in the CPE-mapped normalized content. The Hardware Vulnerability Assessment menu in the Industrial Workspace displays the OT devices that are at risk.

    HVA can also assess firmware discovery models that don't have normalized content and haven't been CPE-mapped yet. For these, HVA uses a matching score algorithm that compares CPE values with the existing firmware discovery values. The algorithm searches for CPEs that match the OT device's discovery publisher name, model name, and version, compares the CPE data with the unmapped firmware discovery model, and selects the best possible CPE match. Even though the results may not be fully accurate, they support vulnerability assessments until CPE-mapped normalized content is available.

    HVA also uses the version range information provided by NVD to assess vulnerabilities more accurately. For example:
    • If version information is unavailable for a CPE, the range information available for the specific OT device publisher and model is used to perform the hardware vulnerability assessment.
    • For versions, a comparison algorithm determines whether the input version falls within the range.
    Important:
    If you’re already using HVA, rerun the NVD Integrations to use the range information feature. For more information, see Run NVD Integrations for Hardware Vulnerability Assessment.
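The matching score algorithm and the NVD version range check described above, as an added illustration that is not ServiceNow's own code: it parses CPE 2.3 strings, scores a discovery record on publisher, model and version, and applies NVD's versionStartIncluding/versionEndExcluding bounds when the CPE carries a wildcard version. The weights, thresholds, the CpeMatch type and the sample PLC data are assumptions for illustration.

```python
# Added example, not ServiceNow code: CPE 2.3 matching with NVD version-range bounds (weights assumed).
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class CpeMatch:  # one NVD cpeMatch entry: CPE 2.3 string plus optional range bounds
    criteria: str
    version_start_including: Optional[str] = None
    version_end_excluding: Optional[str] = None

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 string into its 11 named components after 'cpe:2.3'."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    keys = ["part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(keys, parts[2:]))

def version_key(v: str) -> tuple:  # '2.4.0' -> (2, 4, 0); numeric parts compare as ints
    return tuple(int(p) if p.isdigit() else p for p in re.split(r"[.-]", v))

def version_in_range(version: str, m: CpeMatch) -> bool:
    """Check an input version against the NVD start/end bounds carried by the match."""
    k = version_key(version)
    if m.version_start_including and k < version_key(m.version_start_including):
        return False
    if m.version_end_excluding and k >= version_key(m.version_end_excluding):
        return False
    return True

def match_score(device: dict, m: CpeMatch) -> int:
    """Vendor 40 + product 40 + version 20 (assumed); a record with no firmware version stops at 80."""
    cpe = parse_cpe23(m.criteria)
    norm = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())  # 'PLC-1000' == 'plc_1000'
    score = 40 * (norm(device["manufacturer"]) == norm(cpe["vendor"]))
    score += 40 * (norm(device["model"]) == norm(cpe["product"]))
    fw = device.get("firmware_version")
    if score == 80 and fw:
        if cpe["version"] == "*":   # wildcard version: rely on the NVD range bounds
            score += 20 * version_in_range(fw, m)
        else:                       # explicit version in the CPE: exact comparison
            score += 20 * (version_key(cpe["version"]) == version_key(fw))
    return score

def classify(score: int) -> str:  # HVA's assessment buckets; thresholds are assumed
    return "fully matched" if score >= 100 else "partially matched" if score >= 80 else "no match"

SAMPLE_MATCH = CpeMatch("cpe:2.3:h:examplevendor:plc-1000:*:*:*:*:*:*:*:*", "2.0", "3.1")  # constructed
SAMPLE_DEVICE = {"manufacturer": "Example Vendor", "model": "PLC-1000", "firmware_version": "2.4.0"}
```

A device whose publisher and model match but whose firmware version is missing or outside the NVD range scores 80 and lands in the partially matched bucket, which is the behaviour the tabs section describes for records without a firmware version.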
    You must activate and schedule the following scheduled jobs to perform hardware vulnerability assessment automatically and periodically:
    • Hardware Vulnerability Assessment - Full
    • Hardware Vulnerability Assessment - Delta

    Required Operational Technology and Hardware Vulnerability Assessment roles

    You must have the following roles to use the Hardware Vulnerability Assessment (HVA) menu:

    • sn_vul.manage_exposure_assessment: Assign roles to admin users or user groups as needed, which enables them to view or edit properties for HVA.
    • sn_otvr.vul_event_manager (OT Vulnerability Event Manager): Assign roles to HVA users or user groups as needed, which enables them to view assessment records and act accordingly.

    Use Case

    OT hardware vulnerability analysts can use HVA to:
    • Identify cybersecurity risks in OT devices.
    • Focus on high-risk vulnerabilities via fully matched assessments on OT device data.
    • Set up automatic creation of vulnerable items for fully matched assessments.
    • Investigate and address partially matched assessments to identify potential risks and act accordingly.
    • Monitor unprocessed OT devices from the Awaiting Normalization tab, which are pending full discovery or pending content updates.

    HVA tabs

    The HVA menu displays the HVA records created for the OT devices. These assessment records are created based on several criteria, such as the CVE, the OT device at risk, the Common Vulnerability Scoring System (CVSS) score, the Confidence Score, and the Device Criticality.

    • The Fully matched assessments tab displays the assessment records where the CVEs fully match the manufacturer, product model, and firmware version of the OT devices. A fully matched assessment means that an OT device matches all vulnerability factors specified in a CVE.
    • The Partially matched assessments tab displays the assessment records where the CVEs partially match the firmware version, or the manufacturer and model, of the OT device. HVA also creates partial assessments for normalized discovery models that don't have a firmware version available. Using the matching algorithm, the version information from the normalized content of OT devices with the same publisher and model is used to create an assessment.
    • The Vulnerable Items tab displays the VITs that are created automatically or that you create manually based on the assessments.
    • The Ignored assessments tab displays the assessments of the devices that you choose to ignore.
    • The Awaiting Normalization tab displays the OT device data that doesn't have normalized data and hasn't been used for assessment.
    Important:
    • If the property to create automatic VIT is enabled, the Fully matched assessments tab doesn’t display any data. You can view this information on the Vulnerable Items tab.
    • Enable the Firmware Discovery Model Opt-in feature in Enterprise Asset Management so that OT device data is available for normalization. For more information, see Opt-in to Enterprise Asset Management Content Service.

    Additional Resources