Digital transformation is accelerating across critical infrastructure sectors, creating more cyber-physical connectivity than ever before. This connectivity has drastically expanded the attack surface for cyber criminals looking to exploit potential weaknesses.
As the cybersecurity landscape continues to evolve and the attack surface expands, critical infrastructure organizations must progress beyond traditional vulnerability management workflows and create a more dynamic and focused approach to managing their overall exposure to risk. In this blog, we will provide a comprehensive guide detailing how industrial, healthcare, and other critical sectors can achieve and maintain strong exposure management amid challenging cyber-physical systems (CPS) security and risk conditions.
In cybersecurity, the term exposure refers to the state of being susceptible to potential cyber attacks due to vulnerabilities or weaknesses within an organization's CPS environment. Due to a growing attack surface, critical infrastructure organizations have been left with various points of exposure that an adversary can exploit. These entry points may lead to an attacker gaining unauthorized access, disrupting essential services, or causing various other forms of harm.
As a result, it is imperative that organizations implement exposure management, which is the proactive cybersecurity approach of identifying, assessing, and addressing potential vulnerabilities and risks before they can be exploited. The ultimate goal of exposure management is to reduce an organization's exposure or attack surface by locating vulnerabilities within their critical environment in order to minimize risk.
Exposure management is essential for critical infrastructure organizations to implement because the cybersecurity landscape is incredibly dynamic — with new vulnerabilities and threats emerging daily. A strong exposure management strategy systematically identifies and prioritizes vulnerabilities in order to reduce the likelihood of a security breach. By proactively addressing weaknesses in critical systems, networks, and applications, organizations can reduce the risk of exploitation by threat actors.
Without exposure management, organizations will find it nearly impossible to maintain a strong cybersecurity posture, protect their critical systems, comply with regulations, and mitigate the potential impact of cyber threats.
As organizations seek to protect their critical assets from cyber threats, they will discover several challenges in creating an actionable exposure management program. Some of the major barriers include:
Asset visibility blind spots: CPS assets typically use proprietary protocols that render them nearly invisible to traditional security tools. With a lack of asset data, organizations will suffer from significant context gaps that hinder prioritization and remediation decisions.
Prioritization challenges: Standard solutions and conventional wisdom prioritize vulnerabilities by their Common Vulnerability Scoring System (CVSS) base score, which measures a vulnerability's intrinsic severity rather than the likelihood that it will actually be exploited. Relying on CVSS alone has led already-overburdened personnel responsible for OT vulnerabilities to spend scarce resources on flaws that are not exploitable in their environment or will never be exploited.
Patch Management Complexity: CPS environments tend to have low or no tolerance for downtime because of the production processes they support. As a result, maintenance windows are rare, and known exposures often remain unpatched long after a fix is available, leaving systems open to attacks that could have been prevented.
Use of standard solutions: CPS risk scores generated by standard solutions tend to be highly misleading. This is due to the fact that standard solutions tend to take a rigid, “one-size-fits-all” approach to calculating risk. Although every CPS environment is unique, standard solutions offer few, if any, options for organizations to customize how different risk factors are weighted based on what matters most to them. Making matters more challenging is that if all CPS are treated equally, organizations will be unable to prioritize what processes are most important to their business and what impacts are likely to be severe enough to warrant collaborative remedial effort.
Compliance with industry regulations and standards: Complying with various industry regulations and standards adds a further layer of complexity to exposure management. Adhering to specific requirements that are often complex and subject to frequent updates can be a daunting task. Making matters more challenging, compliance failures may result in legal and regulatory consequences as well as increased exposure to cyber threats.
CPS exposure management is a critical aspect of modern cybersecurity. However, as we’ve discussed above, achieving successful exposure management can be challenging. Combating these issues and successfully implementing exposure management strategies requires a multifaceted approach.
Gartner® defines Continuous Threat Exposure Management (CTEM) as “a set of processes and capabilities that allow enterprises to continually and consistently evaluate the accessibility, exposure and exploitability of an enterprise’s digital and physical assets.”
According to Gartner, “At any stage of maturity, a CTEM cycle must include five steps to be completed: scoping, discovery, prioritization, validation and mobilization. Organizations building a CTEM program use tools to inventory and categorize assets and vulnerabilities, simulate or test attack scenarios and other forms of posture assessment processes and technologies. It is important that a CTEM program has an effective and actionable path for infrastructure teams, system and project owners to take action on findings.”
To get started on applying the benefits of CTEM to CPS, here are some key considerations that we believe align with the Gartner CTEM framework:
Scoping: First and foremost, it is paramount that organizations understand the scope of the attack surface. This scope typically exceeds the focus of traditional vulnerability management programs and needs to evolve to encompass all CPS in the environment. To begin, organizations should consider a solution that protects and secures traditionally unmanaged assets outside of IT, such as IoT, OT, and medical devices. This includes prioritizing the most business-critical assets and grouping them by process criticality in order to account for operational outcomes when prioritizing security controls.
Discovery: Once scoping is completed, organizations must then discover the CPS assets within their environment and determine their risk profiles. Comprehensive device discovery allows them to fully understand the attack surface and any exploitable entry points. In an era where new devices and assets are constantly being added to critical environments, the importance of maintaining an up-to-date asset inventory cannot be overstated. A Juniper Research study predicts an estimated 83 billion IoT connected devices in critical infrastructure by the end of this year. This statistic emphasizes the growing attack surface available to cybercriminals and the immediate need for CPS exposure management.
Prioritization: With the attack surface mapped, vulnerabilities identified, and blind spots uncovered, organizations should prioritize the vulnerabilities that matter most based on potential impact. A standardized formula for calculating device risk, one that weighs exploit likelihood, network exposure, and process criticality alongside severity, enables better prioritization decisions and also lets your organization measure and track risk remediation over time.
Validation: During the validation stage, organizations should validate the ways a potential attacker could exploit an identified exposure, and how monitoring and control systems would react. If no public exploit exists, organizations may need to investigate by other means, including software bills of materials (SBOMs) or Vulnerability Exploitability eXchange (VEX) files, which let a vendor state whether a vulnerable component is actually exploitable in a given product. They may also need additional discovery tactics such as active scanning, or may need to consult the original equipment manufacturer (OEM) to validate risk assessments and identify proper remediation techniques.
Mobilization: A final consideration for strong exposure management is to understand which solutions support true mobilization of your CPS cybersecurity program. Full mobilization requires integrations into existing cybersecurity workflows, OEM alliances to support remediation paths onsite, downtime and maintenance considerations, and program recommendations and support to prove the value of the cybersecurity program over time. Without these capabilities, organizations will find it difficult to act on what their CPS exposure management solution finds.
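As an added example (not code from the original post, Claroty, or Gartner), the following Python sketch runs the prioritization and validation steps above over a constructed CPS inventory. It shows why ordering by CVSS base score alone differs from a weighted exposure score that also accounts for exploit likelihood, reachability from the IT network, and process criticality, and how a vendor's VEX statement removes a finding that is not exploitable in the deployed product. The asset names, package URLs, placeholder vulnerability identifiers (not real CVEs), weights, and VEX statement are all assumptions made for illustration; the weights are the kind an organization would tune to reflect what matters most to it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    process_criticality: float  # 0.0 (non-essential) to 1.0 (production/safety critical); set by the asset owner
    reachable_from_it: bool     # discovery data says the device is reachable from the IT or internet-facing zone
    purl: str                   # package URL of the deployed firmware/software, used to match VEX "products"


@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln_id: str                # placeholder identifier for illustration, not a real CVE
    cvss_base: float            # CVSS base score, 0.0 to 10.0
    exploit_likelihood: float   # 0.0 to 1.0: probability of in-the-wild exploitation, or 1.0 if known exploited


# Constructed assets (hypothetical identifiers and package URLs).
PLC = Asset("PLC-LINE1", process_criticality=1.0, reachable_from_it=False, purl="pkg:generic/plc-firmware@2.1")
HISTORIAN = Asset("HIST-SRV", process_criticality=0.6, reachable_from_it=True, purl="pkg:generic/historian@5.0")
HVAC = Asset("HVAC-CTRL", process_criticality=0.2, reachable_from_it=True, purl="pkg:generic/hvac-ctrl@1.3")

# Constructed findings: VULN-A has the highest CVSS but is isolated and rarely exploited;
# VULN-B is less severe on paper but reachable and actively exploited.
FINDINGS = [
    Finding(PLC, "VULN-A", cvss_base=9.8, exploit_likelihood=0.02),
    Finding(HISTORIAN, "VULN-B", cvss_base=7.5, exploit_likelihood=0.90),
    Finding(HVAC, "VULN-C", cvss_base=9.1, exploit_likelihood=0.60),
    Finding(PLC, "VULN-D", cvss_base=6.5, exploit_likelihood=0.30),
]

# Constructed OpenVEX-style statement: the HVAC vendor says the vulnerable code is never executed in this product.
VEX_STATEMENTS = [
    {
        "vulnerability": {"name": "VULN-C"},
        "products": [{"@id": "pkg:generic/hvac-ctrl@1.3"}],
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
    },
]

# Assumed organization-specific weights (must sum to 1.0). A plant that cares most about
# production impact could raise "criticality"; a site with many exposed assets could raise "reach".
DEFAULT_WEIGHTS = {"cvss": 0.25, "exploit": 0.35, "reach": 0.15, "criticality": 0.25}


def apply_vex(findings, statements):
    """Split findings into (kept, suppressed) using not_affected statements that match both vuln and product."""
    not_affected = {
        (s["vulnerability"]["name"], p["@id"])
        for s in statements if s.get("status") == "not_affected"
        for p in s.get("products", [])
    }
    kept, suppressed = [], []
    for f in findings:
        (suppressed if (f.vuln_id, f.asset.purl) in not_affected else kept).append(f)
    return kept, suppressed


def exposure_score(f, weights=DEFAULT_WEIGHTS):
    """Weighted 0-100 score combining severity, exploit likelihood, reachability and process criticality."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")
    score = (
        weights["cvss"] * (f.cvss_base / 10.0)
        + weights["exploit"] * f.exploit_likelihood
        + weights["reach"] * (1.0 if f.asset.reachable_from_it else 0.0)
        + weights["criticality"] * f.asset.process_criticality
    )
    return round(100.0 * score, 2)


def rank_by_cvss(findings):
    """The traditional ordering: highest CVSS base score first, nothing else considered."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


def prioritize(findings, statements, weights=DEFAULT_WEIGHTS):
    """Validate with VEX first, then order the remaining findings by exposure score, highest first."""
    kept, _ = apply_vex(findings, statements)
    scored = [(f.asset.asset_id, f.vuln_id, exposure_score(f, weights)) for f in kept]
    return sorted(scored, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    print("CVSS-only order:", rank_by_cvss(FINDINGS))
    for asset_id, vuln_id, score in prioritize(FINDINGS, VEX_STATEMENTS):
        print(f"{asset_id:10} {vuln_id:7} exposure={score}")
```

With these inputs the CVSS-only order is VULN-A, VULN-C, VULN-B, VULN-D, while the weighted pass drops VULN-C on the strength of the VEX statement and ranks the actively exploited, IT-reachable historian finding (VULN-B) first. Note also that VULN-D edges out VULN-A on the same PLC because its exploit likelihood is higher, even though its CVSS score is three points lower. The additive formula is deliberately simple; the point is that the weights are explicit and tunable, which is what the rigid scoring criticized earlier in this post does not allow.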
With threat actors escalating both the scale and sophistication of their attacks, it is now more important than ever for organizations of all sizes to add exposure management to their toolbox of security approaches. This proactive approach allows organizations to address potential risks and weaknesses before they become a serious problem. By understanding the challenges at hand and implementing the approaches discussed above, organizations can make better-informed business decisions and enhance their resilience against cyber threats.
1 Gartner, Implement a Continuous Threat Exposure Management (CTEM) Program, Jeremy D'Hoinne, Pete Shoard, Mitchell Schneider 11 October 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
2 Gartner Article, How to Manage Cybersecurity Threats, Not Episodes, Kasey Panetta, August 21, 2023, https://www.gartner.com/en/articles/how-to-manage-cybersecurity-threats-not-episodes.