Operational technology (OT) assets sit at multiple levels of the network, perform vastly different tasks, and require varying degrees of human interaction. The security challenges of such a disparate set of assets are compounded by the fact that many of them speak proprietary protocols that traditional IT security tools do not understand, which makes the assets hard to identify and monitor. Understanding these barriers to OT visibility is the first step to overcoming them.
As visibility into the network grows, so does the number of potential system alerts. Once assets are identified and information about them is gathered, determining which assets pose the highest risk to your network is a critical next step in securing that network. Claroty Continuous Threat Detection (CTD) uses a granular mechanism to score risk for each asset on the network. This self-learning algorithm enables users to identify and further understand the nature of an asset's risk in order to better prioritize and remediate related alerts and vulnerabilities. But first, it is important to understand the basis of asset risk scoring.
Cyber risk reflects the likelihood and potential impact of an undesirable cyber occurrence, such as a cyber attack or other cybersecurity incident. To estimate it, organizations typically use an asset-based risk assessment to inform decision-making and to guide a risk-based vulnerability management plan. A granular and flexible risk scoring framework should account for the full range of factors that increase risk, as well as the compensating controls that offset it. It should also align cyber-physical systems (CPS) risk calculations with existing governance, risk, and compliance (GRC) processes. A CPS risk scoring framework with these capabilities lets organizations assess their posture effectively and efficiently, and start improving their CPS security right away.
Within CTD, five parameters are scored individually to arrive at each asset's overall risk score: vulnerability, criticality, accessibility, infection, and threat. These parameters are categorized as low, medium, or high risk for each asset based on the following criteria:
Vulnerability: CTD matches every asset against the latest common vulnerabilities and exposures (CVE) data from the National Vulnerability Database and derives the vulnerability level from the number of CVEs that apply to the asset and their common vulnerability scoring system (CVSS) scores. The parameter is also shaped by the protocols the asset uses and how secure they are.
Criticality: The criticality parameter, which is based on each asset's functional qualities and network privileges, reflects how important the asset is to the overall network and how much damage could be inflicted were it to be compromised.
Accessibility: The accessibility parameter is based on the asset's network location (i.e., its subnet), its communication with risky assets and/or zones, and the asset's own network behavior (i.e., how many open ports it exposes).
Infection: The infection parameter indicates the extent of an asset's ability to spread malicious content to other assets and is based on the asset's policies, baseline behaviors, privileges, and protocols.
Threat: The threat parameter indicates whether the asset is already considered a threat and is based on its open alerts. It also reflects asset insights that may indicate suspicious behavior, such as communicating with external or ghost assets.
The image below shows how this looks within Claroty CTD. This particular asset has a high risk score, and the breakdown of the five parameters explains why each was scored the way it was. A graphical representation of the same information helps users prioritize remediation. For example:
The high vulnerability score is largely due to the large number of unpatched CVEs. CTD Insights provides the user with information on how to rectify this.
The asset's infection score is elevated because the asset sits close to communications between important zones. Network administrators can use this information to prioritize the upkeep and monitoring of those zones and make sure they are protected against anomalous behavior.
Image 1: Claroty CTD asset risk score details.
The asset risk score matters beyond the individual asset it describes. To see why, consider the overall structure of The Claroty Platform's risk scoring. Claroty's network risk scoring comprises multiple layers, in ascending order: assets, virtual zones, and site. Each layer's risk score is influenced by its own parameters as well as by the scores of the layers below it. For example, a virtual zone's risk score is influenced by its own metrics as well as by the risk of the assets in that zone.
Image 2: Hierarchy of Claroty risk assessment.
These three layers are interdependent and are calculated dynamically to ensure the most up-to-date score is available. When multiple sites are present, a consolidated risk score is calculated within Claroty Enterprise Management Console (EMC), Claroty's centralized management platform. A site's overall hygiene score acts as a barometer of an OT network's security posture. Understanding the risk environment, down to the individual asset, is an essential step in preventing attacks on the network.
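To make the two ideas above concrete, the five per-asset parameters and the asset → zone → site roll-up, here is an added example in Python. It is not Claroty's algorithm and not code from this page: the parameter names and the layering follow the text, but every threshold, weight, role table and aggregation rule is an assumption chosen for illustration, and the inventory at the bottom is constructed sample data. It also models the compensating controls mentioned earlier (segmentation and application allowlisting each offset one level of risk), which the text names but does not detail.

```python
"""Illustrative five-parameter OT asset risk model with zone and site roll-up.

Added example: names follow the text above; all thresholds, weights, the role
table and the aggregation rules are assumptions, not Claroty's scoring.
"""
from dataclasses import dataclass, field
from statistics import mean

LEVELS = ("low", "medium", "high")
POINTS = {"low": 0, "medium": 50, "high": 100}      # assumed level -> points
WEIGHTS = {"vulnerability": 25, "criticality": 20,   # assumed weights, sum to 100
           "accessibility": 20, "infection": 15, "threat": 20}
# Assumed criticality by function: controllers, and the workstations that
# program them, can cause physical impact if compromised.
ROLE_CRITICALITY = {"plc": "high", "safety_controller": "high",
                    "engineering_workstation": "high", "hmi": "medium",
                    "historian": "medium", "printer": "low"}


@dataclass
class Asset:
    name: str
    zone: str
    role: str
    cvss_scores: list[float]        # base scores of unpatched CVEs matched to the asset
    insecure_protocols: int         # protocols without authentication/integrity
    open_ports: int
    talks_to_risky_zone: bool
    can_write_to_controllers: bool  # privilege to push logic/config downstream
    open_alerts: int
    talks_to_external_or_ghost: bool
    controls: set[str] = field(default_factory=set)  # compensating controls


def bump_down(level: str) -> str:
    """One step lower: a compensating control offsets one level of risk."""
    return LEVELS[max(LEVELS.index(level) - 1, 0)]


def score_parameters(a: Asset) -> dict[str, str]:
    """Rate each of the five parameters low/medium/high (assumed thresholds)."""
    worst_cvss = max(a.cvss_scores, default=0.0)
    if worst_cvss >= 9.0 or len(a.cvss_scores) >= 10:
        vuln = "high"
    elif worst_cvss >= 7.0 or len(a.cvss_scores) >= 3 or a.insecure_protocols:
        vuln = "medium"
    else:
        vuln = "low"
    crit = ROLE_CRITICALITY.get(a.role, "low")
    if a.open_ports >= 10 or a.talks_to_risky_zone:
        access = "high"
    elif a.open_ports >= 3:
        access = "medium"
    else:
        access = "low"
    if "network_segmentation" in a.controls:
        access = bump_down(access)
    # Infection: each way the asset can spread to others adds a level.
    spread_vectors = int(a.can_write_to_controllers) + int(a.insecure_protocols > 0)
    infection = LEVELS[spread_vectors]
    if "application_allowlisting" in a.controls:
        infection = bump_down(infection)
    if a.open_alerts >= 3 or (a.open_alerts and a.talks_to_external_or_ghost):
        threat = "high"
    elif a.open_alerts or a.talks_to_external_or_ghost:
        threat = "medium"
    else:
        threat = "low"
    return {"vulnerability": vuln, "criticality": crit, "accessibility": access,
            "infection": infection, "threat": threat}


def asset_score(a: Asset) -> float:
    """Weighted 0-100 score; the integer sum keeps the result exact."""
    levels = score_parameters(a)
    return sum(WEIGHTS[p] * POINTS[lvl] for p, lvl in levels.items()) / 100


def roll_up(child_scores: list[float], own_score: float, own_weight: float = 0.3) -> float:
    """Layer score = the layer's own metric blended with its children.

    Children count through both their worst member and their average, so one
    internet-facing workstation among ten clean PLCs still drags the zone up.
    """
    children = 0.5 * max(child_scores) + 0.5 * mean(child_scores)
    return round((1 - own_weight) * children + own_weight * own_score, 1)


def site_report(assets: list[Asset], zone_exposure: dict[str, float],
                site_exposure: float) -> dict:
    """Asset, zone and site scores plus a remediation order for assets."""
    per_asset = {a.name: asset_score(a) for a in assets}
    zones = {}
    for zone, own in zone_exposure.items():
        members = [per_asset[a.name] for a in assets if a.zone == zone]
        zones[zone] = roll_up(members, own)
    site = roll_up(list(zones.values()), site_exposure)
    priority = sorted(assets, key=lambda a: per_asset[a.name], reverse=True)
    return {"assets": per_asset, "zones": zones, "site": site,
            "priority": [(a.name, score_parameters(a)) for a in priority]}


# Constructed sample inventory, not data from a real network.
SAMPLE_ASSETS = [
    Asset("plc-01", "line1", "plc", [9.8, 7.5], 1, 2, False, False, 0, False),
    Asset("ews-01", "line1", "engineering_workstation", [7.8, 6.5, 5.3], 1, 12,
          True, True, 2, True),
    Asset("hmi-01", "line2", "hmi", [], 0, 1, False, False, 0, False),
]
# Assumed layer-level metrics, e.g. share of flows crossing the zone/site boundary.
SAMPLE_ZONE_EXPOSURE = {"line1": 60.0, "line2": 20.0}
SAMPLE_SITE_EXPOSURE = 40.0

if __name__ == "__main__":
    report = site_report(SAMPLE_ASSETS, SAMPLE_ZONE_EXPOSURE, SAMPLE_SITE_EXPOSURE)
    for name, levels in report["priority"]:
        print(f"{name}: {report['assets'][name]:5.1f}  {levels}")
    print("zones:", report["zones"], "site:", report["site"])
```

On the sample data the engineering workstation ranks first (87.5) even though the PLC carries the worst CVE, because the workstation is reachable, privileged and already alerting; the zone containing both scores far above the zone holding only the HMI, and the site inherits that. Adding `network_segmentation` or `application_allowlisting` to an asset's `controls` lowers its accessibility or infection level by one step, which is the kind of compensating-control offset a risk framework should expose rather than hide.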
Anticipating cyber incidents is hard because organizations struggle to predict exploitability and to decide which factors to assess. At Claroty, we understand that measuring the severity of any vulnerability can be difficult. That is why Claroty CTD provides contextualized root-cause analysis and risk-based scoring for all alerts. By automatically comparing each asset in an OT environment against an extensive database of insecure protocols, CVEs, configurations, substandard security practices, and other vulnerabilities tracked by Claroty's award-winning Team82 researchers, users can identify, prioritize, and remediate vulnerabilities in industrial networks more effectively.