Continental AG

"TISAX is the most important seal of approval for our industry today. Without the robust, risk-based vulnerability management and unified view of our attack surface via the Tenable One Exposure Management Platform, we would hardly be able to meet the ENX requirements and many doors would remain closed to us," says Martin Sturm, CISSP and IT Security Manager.

Strengthening its position as a reliable supply chain partner

Sturm joined Continental in 2023, after the company experienced a serious cyber incident, to coordinate the introduction of company-wide vulnerability management for IT, OT and cloud. "But TISAX is a relatively recent development," he notes. "When we originally made the decision to invest in vulnerability management, the issues of governance and compliance played a relatively subordinate role. The overriding task at the time was to reliably prevent an attack like the one in 2022 from happening again."

The search for a suitable solution started with a comprehensive market analysis. As a first step, the newly formed vulnerability management team at Continental developed a detailed catalog of requirements and compared this with the portfolios of all established VM vendors. The four most promising candidates were then tested in a comprehensive proof of concept. "We set up a demo environment that was closely aligned with our actual IT and app landscape and hid dozens of vulnerabilities in there – from incorrectly configured Kubernetes clusters to unpatched OT systems and service accounts with unnecessarily broad authorizations. We then scanned this environment with each of the four VM solutions to see which performed best," says Sturm.

The rules were as simple as they were objective—the solution that found the most vulnerabilities was to be awarded the contract. Tenable One identified approximately 25 percent more vulnerabilities than the competition, including several critical use cases.

Tenable delivers strategic advantage

After a six-month test phase, Tenable outperformed nearly all competitors in a strong field. Its key advantage was the holistic approach enabled by its unified exposure management platform, Tenable One. The platform consolidated the broad feature set Continental required—spanning vulnerability and attack surface management, cloud and web application security, and OT security—into a consistent, all-in-one solution. The integrated view made it easy to correlate vulnerabilities, eliminate data silos, and reduce risk.

Outstanding detection rate in cloud and OT

Tenable One scored particularly well in the areas of cloud security and OT. The platform scored bonus points in several critical use cases – for example, in detecting misconfigurations in cloud environments, such as Azure PIM and Amazon S3 buckets.

Comprehensive platform provides holistic insights

In spring 2024, the project team set about transferring the Tenable One proof of concept (PoC) installation into live operation. In view of the high level of integration, the platform's wide range of functions and the complexity of the environment, the team opted for a multi-stage approach:

• In Phase 1, a company-wide vulnerability management with Tenable Nessus scanners and company-wide attack surface management were rolled out in Continental's IT environment
• Phase 2 focused on the parallel introduction of Tenable Web App Scanning and Tenable Cloud Security
• Phase 3 saw the rollout of the OT security solution

Phase 1: Vulnerability and attack surface management with Tenable Nessus

As a multinational company that is active in 56 countries and employs 200,000 people, Continental operates over 500,000 dedicated IT systems worldwide. In order to reliably capture and scan these assets, more than 200,000 Tenable Nessus scanners were required – but despite this enormous volume, the rollout went quite smoothly.

"We set up a relatively simple metric. Locations with fewer than 1,000 IT systems are scanned centrally by us," recalls Sturm. "In all larger locations, we set up dedicated scanners because there were usually enough reserves there to manage the scans on-site. In this way, we were able to parallelize many tasks – and covered over 80 percent of the IT systems within a very short time."

10 percent more web assets than suspected

To identify potentially compromised and unknown web assets, the team accompanied the Nessus scans with Tenable Attack Surface Management. The solution analyzed the DNS entries, IP addresses and ASNs in the Continental network to locate all web-facing systems and found ten percent more assets than originally suspected. The identified systems were then inventoried using a wide range of metadata in order to obtain an optimal overview of the IT landscape.

Phase 2: Tenable Cloud Security and Tenable Web App Scanning

The cloud is omnipresent at Continental today especially in its more innovative units, where in-house application development plays a key role. At Continental, as in nearly every software company today, development takes place primarily in the cloud. To ensure the security of data and access in the cloud, the project team integrated Tenable Cloud Security, a comprehensive Cloud-Native Application Protection Platform (CNAPP). The solution connects to all major public cloud providers via open APIs, and continuously identifies – and provides actionable guidance for remediating – risks in hybrid and multi-cloud environments. This allows the team to secure cloud configurations, workloads and identities, while ensuring that development, Infrastructure as Code (IaC) and Kubernetes environments are secure and compliant at all times.

"Tenable Cloud Security helps us cut cloud risks faster and easier—no experts needed. It reveals toxic access, flags anomalies, and gets us closer to least privilege," notes Sturm.

At the same time, Continental integrated Tenable Web App Scanning – a powerful scanner that dynamically scans approximately 2,500 internal and external web applications and APIs in the corporation for potential vulnerabilities, thus paving the way for timely remediation without disruption.

Phase 3: Protecting the OT environment

After completing the first two phases, the team proceeded to the final phase of the project—the rollout of Tenable OT Security—a groundbreaking step in more than one respect. A few selected OT locations had already been integrated during the PoC, and the Tenable Professional Services team provided expert guidance and resources to streamline deployment in Continental’s complex environment.

The actual fleet was much more heterogeneous than the showcase selection. In addition, due to the high prevalence of on-prem systems, only a few tasks could be solved remotely and many steps had to be readjusted on-site where the wide range of operating systems, software versions, protocols and interfaces that characterize industrial environments today proved to be a real challenge.

"We were well aware of the difficulties that awaited us," confirms Sturm. "And most of these hurdles have materialized in one form or another. Nevertheless, the rollout of Tenable OT Security will not only improve our security standing, but also achieve very relevant savings by bringing our entire exposure management program into a modern and consolidated platform."

ISMS based on ISO 27001 sets the stage for NIS-2 and TISAX

When assessing and prioritizing the identified IT, cloud and OT vulnerabilities, Continental adopted a consistently risk-based approach from day one, which is closely aligned with the requirements of ISO 27001. Instead of simply tagging vulnerabilities according to their CVSS rating, the team uses the much more meaningful Vulnerability Priority Ratings (VPR) provided by Tenable, which takes into account the probability of an exploit as well as the severity of the vulnerabilities. The VPR ratings are then validated again with regard to their risk potential, explains Sturm. "If you have the same vulnerability on two notebooks, but one belongs to the CEO and the other to an intern, the criticality is of course much higher in the first case. Although this individual readjustment requires some effort, it enables us to take the business impact of the vulnerabilities into account and to always focus our energy on the most dangerous hotspots."

Executive liability is no longer an issue

This risk-based approach not only contributes to the efficiency of processes and the protection of critical systems, but is also crucial in terms of compliance. Both the TISAX standard mentioned at the beginning and the NIS-2 Directive require those responsible at companies to systematically manage risk and even enforce the personal liability of management in the event of breaches. "There can be no compromises when it comes to complying with legal requirements and relevant industry standards. Compliance is therefore a key issue for us, and Tenable One helps us to meet complex regulations and standards. By implementing this holistic, risk-based platform, we have set the course for seamless monitoring, implementation, and documentation of all relevant requirements", Sturm emphasizes.

Spillover effects on the company's patch culture

To make the most of Tenable’s exposure management platform potential, Sturm's team automatically forwards the vulnerability data, including for cloud vulnerabilities along with actionable recommendations, to the company's asset and patch managers. They then decide for themselves how to deal with the respective risks - in other words, whether to close the vulnerabilities or to accept the risks. Sturm sees the close exchange between the teams as a big plus. "The clear communication of vulnerabilities and business impacts has definitely led to a completely new, much more sensitive patch culture. If the responsible colleagues can see at a glance what danger a vulnerability poses and even receive concrete guidance on how to fix it, it is usually closed promptly."

Robust database for well-founded decisions

In addition, the raw data from Tenable One is also automatically transferred via API to Continental's reporting team, which then distributes the huge volume to decentralized databases and prepares it for the executives. In this way, stakeholders and decision-makers in the company are always kept up to date on the status quo and the successes in vulnerability management – and can make better decisions based on hard facts. "The extensive automation of processes is another major benefit for the team, and frees up the employees to focus on the jobs they were originally hired for – even if we are far from unlocking the full potential," says Sturm.

In December 2024, Continental's Executive Board announced that the Automotive division will be transformed into a dedicated organization by September 2025. This restructuring – which also includes the separation of the shared IT infrastructure of the Automotive, Tires, ContiTech and Vibration Control units into four dedicated environments – brings exciting opportunities to expand the successful implementation of the Tenable One platform.