CISO Series: OT Vulnerability Prioritization
By Galina Antova | May 18, 2020
When it comes to patching security flaws in your operational technology (OT) environment, risk should be the north star guiding every decision. As I discussed at length in a previous blog, visibility is the foundation of OT vulnerability management, but it is only the first step.
Once you have pinpointed which common vulnerabilities and exposures (CVEs) are present on which OT assets, you must evaluate the likelihood and potential impact of exploitation for each CVE and set your priorities accordingly. In doing so, however, you will need to overcome some fundamental challenges related to OT vulnerability patch prioritization:
Patching OT Assets is Costly and Disruptive
The cost of administering security patches is particularly high in OT security, which does not benefit from the wealth of automated patch management solutions available for IT environments. Oftentimes, OT patches must be tested on individual devices, demanding substantial employee hours and system downtime. This severely limits patching capacity in an OT context, so teams must be able to accurately discern which vulnerabilities pose the greatest risk and focus their efforts accordingly. In many cases, patching is simply not an option due to uptime and availability requirements, so compensating technical controls must be put in place as an alternative.
Vulnerability Risk Depends on Situational Factors
The extent to which a particular vulnerability poses risk to an OT environment varies on a case-by-case basis. Unique network characteristics can influence the likelihood and potential impact of a vulnerability being exploited, but assessing these factors is a complex, nuanced, and technically demanding endeavor. As such, many OT security solutions simply define a vulnerability’s risk based on its CVE criticality score, which does not take situational context into account.
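To make the point concrete, here is an added example (not Claroty's code or scoring model) that ranks the same hypothetical finding across three assets by combining the CVE's base score with situational factors: asset criticality, network reachability, and whether a maintenance window exists. The asset names, weights, thresholds and the placeholder CVE id are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Asset:
    name: str
    criticality: int                     # 1 (low) .. 5 (safety/production critical)
    internet_reachable: bool             # exposed through a remote-access path
    it_reachable: bool                   # reachable from the IT network (DMZ, dual-homed host)
    patch_window_hours: Optional[float]  # None = no downtime available, patching is not an option

@dataclass
class Finding:
    cve: str
    cvss_base: float
    asset: Asset

def exposure(asset: Asset) -> float:
    """Likelihood factor: how reachable the vulnerable asset is from where an attacker would likely sit."""
    score = 0.2                          # isolated assets keep a residual likelihood (insider, removable media)
    if asset.it_reachable:
        score += 0.3
    if asset.internet_reachable:
        score += 0.5
    return min(score, 1.0)

def contextual_risk(f: Finding) -> float:
    """0-100 score: base-score impact, scaled by asset criticality and by situational likelihood."""
    impact = (f.cvss_base / 10.0) * (f.asset.criticality / 5.0)
    return round(100.0 * exposure(f.asset) * impact, 1)

def recommend(f: Finding) -> str:
    """Patch when a window exists; otherwise fall back to a compensating control (segmentation, monitoring)."""
    return "compensating control" if f.asset.patch_window_hours is None else "patch"

def prioritize(findings):
    """Return (asset, cve, risk, action) tuples, highest contextual risk first."""
    ranked = sorted(findings, key=contextual_risk, reverse=True)
    return [(f.asset.name, f.cve, contextual_risk(f), recommend(f)) for f in ranked]

# Constructed sample: one hypothetical CVE (placeholder id) with the same base score on three assets.
plc = Asset("safety-plc-01", 5, False, False, None)       # critical but isolated, no downtime possible
ews = Asset("eng-workstation-02", 3, False, True, 4.0)     # bridged to IT, monthly 4h window
hist = Asset("historian-03", 2, True, True, 8.0)           # remote-access exposed, low criticality
FINDINGS = [Finding("CVE-0000-00000", 9.8, a) for a in (plc, ews, hist)]

if __name__ == "__main__":
    for row in prioritize(FINDINGS):
        print(row)
```

Note that the identical base score yields three different priorities, and the most critical asset ends up lowest in the patch queue but flagged for a compensating control instead.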
The newly enhanced Claroty Platform addresses these challenges with its risk scoring capabilities, assessing the level of risk a particular vulnerability poses to your OT environment based on its unique context and specific circumstances. Risk scoring is complemented by Claroty's Attack Vector Mapping feature, which identifies and visualizes which vulnerabilities pose the greatest risk to which critical assets. With the latest Claroty Platform 4.1 enhancements, users can now see potential attack vectors ranked by the level of risk they pose, giving them a clear sense of their priorities for taking the most effective course of action. Users can also leverage Claroty's Hygiene Score to assess the security of their OT environment holistically over time, discovering how vulnerabilities, security controls, threats, and other variables affect their overall posture.