Digital connectivity within Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems has dramatically reshaped the vulnerability and threat landscape. This level of connectivity has made it apparent that traditional vulnerability management strategies and risk reduction workflows are neither practical nor sufficient. As a result, security teams must depart from conventional IT methods and employ comprehensive, environment-aware strategies for identifying, assessing, and contextualizing vulnerabilities.
Vulnerabilities affecting ICS and SCADA systems are increasingly difficult to manage both efficiently and effectively. This is due to the following challenges:
Asset Visibility Blindspots: ICS and SCADA devices often speak proprietary or industrial protocols (and frequently have no agent, no SNMP, and no login banner), which renders them nearly invisible to traditional IT inventory and scanning tools. Without visibility into these assets, organizations have significant context gaps that hinder prioritization and remediation decisions. It is therefore essential to have not only comprehensive discovery details for an asset (vendor, model, firmware version), but also its system context: what it communicates with, where it sits in the architecture, and which production processes depend on it.
Vulnerability Prioritization Challenges: Traditionally, organizations have used the Common Vulnerability Scoring System (CVSS) as the primary means of assessing risk. CVSS scores are commonly used to rate the severity of vulnerabilities discovered in one's environment and as a factor in prioritizing remediation. Although it is one of the most widely used tools for this purpose, CVSS is not a measure of risk: a base score captures the intrinsic technical severity of a flaw, not the likelihood that anyone will exploit it or the consequence of exploitation on a specific asset in a specific plant. Security teams that treat the score as risk therefore misapply it.
According to Claroty's Team82 State of the XIoT Report, nearly 70% of vulnerabilities disclosed in 2022 received a CVSS v3 severity score of "high" or "critical," yet fewer than 8% have been exploited. This discrepancy calls into question the conventional wisdom, and the solutions, that recommend prioritizing remediation based on CVSS scores alone.
Standard Solutions Fall Short: ICS and SCADA devices are uniquely fragile. Many run on resource-constrained embedded hardware with protocol stacks that were never hardened against unexpected input, so they cannot tolerate the traffic generated by standard active vulnerability scanners. A port sweep or a malformed probe that a server would simply ignore can hang a PLC, knock a device off the network, or halt the process it controls. Running an IT scanner unmodified against an OT network can disrupt operations or disable them completely.
Additionally, the same solutions and guidelines that recommend prioritizing vulnerabilities by CVSS v3 severity typically recommend mitigating them through a means that is often impractical in ICS/SCADA environments: patching. Patching almost always requires downtime, which most OT environments cannot tolerate because of the processes they underpin. Maintenance windows are therefore rare, no matter the vulnerability or the risk, and a vulnerability that cannot be patched still has to be managed through compensating controls such as network segmentation and access restriction.
Due to the complexity and challenges we’ve listed above, OT vulnerability management can be difficult to achieve without the proper strategies in place. Critical infrastructure organizations should align with the following best practices to ensure they are prepared to tackle vulnerability management in their unique environments:
Asset Discovery: Without full-spectrum asset visibility, effective ICS and SCADA cybersecurity controls, including vulnerability management, are impossible to implement. Asset discovery details such as asset type, model, device manufacturer, firmware version, IP address, and physical location are critical in order to prioritize and manage vulnerabilities effectively. Without this information, risk management tools cannot accurately map vulnerabilities to assets, attribute risk factors to specific assets, or, going a step further, group assets by criticality and priority. By using an OT security tool with multiple, flexible discovery methods (for example passive traffic monitoring where active probing is unsafe, and safe, protocol-aware active queries where it is), organizations can gain full visibility in the manner best suited to their environment.
Vulnerability Identification: Because standard solutions and conventional wisdom drive prioritization by CVSS v3 severity rather than by likelihood of exploitation, it has become commonplace for the already overburdened personnel responsible for ICS/SCADA vulnerabilities to spend their limited resources on flaws that are not, and likely never will be, exploited. To avoid this waste, organizations should use a solution that makes it easy to focus on the vulnerabilities that are, or most likely will be, exploited, based on current and predicted exploitability indicators such as evidence of exploitation in the wild and predictive scores like EPSS.
Vulnerability Prioritization: Next, organizations should prioritize the vulnerabilities in their ICS/SCADA environment according to which ones are, or are most likely to be, actively exploited, and according to the criticality of the assets they affect. An advanced vulnerability management solution will not only provide severity scores but also take the guesswork out of risk prioritization by grouping both vulnerabilities and their affected devices by likelihood of exploitation and asset criticality.
Mature and Scale Workflows: As a best practice, turn ICS/SCADA vulnerability management from ad hoc tactics into scalable workflows, either through dedicated OT workflows or through existing IT ticketing and orchestration tools. With the help of an advanced OT cybersecurity platform, organizations can extend their existing IT vulnerability management workflows to the OT environment by integrating with the CMDB, orchestration, ticketing, SIEM, and related systems.
Optimize Risk Posture: In an optimized risk management program, organizations leverage strategic ICS/SCADA insights and risk recommendations to drive proactive mitigations and, if desired, extend existing IT endpoint security solutions to compatible OT devices to further strengthen their risk posture. Organizations can measure the maturity of their risk program against the following factors:
a. They can accurately match specific assets to known CVEs based on vendor, model, and firmware version, so that a device already running fixed firmware is not reported as vulnerable.
b. They can identify and analyze known risks to determine the most likely path by which an attacker could compromise the network.
c. They can evaluate and score vulnerabilities based on the unique risk each poses to their network, rather than on generic severity alone.
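The steps above (match assets to advisories by vendor, model and firmware version, then rank by exploit likelihood and asset criticality instead of CVSS alone) are shown below as an added worked example. This is illustrative code written for this page, not Claroty's product logic; the vendor names, models, CVE-style identifiers, EPSS values, criticality ratings and the EPSS threshold are all constructed, and the scoring formula is one simple, hypothetical way to combine likelihood and criticality.

```python
"""Added example: asset-to-advisory matching and exploitability-aware ranking.

Not Claroty's code. All vendors, models, CVE-style identifiers, EPSS values
and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    asset_id: str
    vendor: str
    model: str
    firmware: str      # dotted version string as reported by discovery
    criticality: int   # 1 (low) .. 5 (safety/production critical), set by the asset owner


@dataclass(frozen=True)
class Advisory:
    cve: str                 # constructed identifier, not a real CVE
    vendor: str
    model: str
    affected_from: str       # first affected firmware version (inclusive)
    fixed_in: Optional[str]  # first fixed version (exclusive); None if no fix exists
    cvss: float              # CVSS v3 base score
    epss: float              # EPSS probability of exploitation in the next 30 days
    known_exploited: bool    # e.g. listed in a known-exploited-vulnerabilities catalog


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.1.4' -> (2, 1, 4); tuple comparison gives numeric ordering ('2.10' > '2.9')."""
    return tuple(int(part) for part in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Match on vendor+model, then check the firmware is inside the affected range."""
    if (asset.vendor.lower(), asset.model.lower()) != (adv.vendor.lower(), adv.model.lower()):
        return False
    fw = parse_version(asset.firmware)
    if fw < parse_version(adv.affected_from):
        return False
    if adv.fixed_in is not None and fw >= parse_version(adv.fixed_in):
        return False  # already on fixed firmware: not a finding
    return True


EPSS_PLAN_THRESHOLD = 0.10  # constructed cutoff; tune to your own risk appetite


def tier(adv: Advisory) -> str:
    """Coarse bucket: confirmed exploitation first, then predicted likelihood."""
    if adv.known_exploited:
        return "act-now"
    if adv.epss >= EPSS_PLAN_THRESHOLD:
        return "plan"
    return "monitor"


def priority_score(asset: Asset, adv: Advisory) -> float:
    """Likelihood (0..1) times asset criticality dominates; CVSS only breaks ties."""
    likelihood = 1.0 if adv.known_exploited else adv.epss
    return round(likelihood * asset.criticality * 20 + adv.cvss, 2)


def prioritize(assets: List[Asset], advisories: List[Advisory]) -> List[Tuple[str, str, float, str]]:
    """(asset_id, cve, score, tier) for every affected asset, highest score first."""
    findings = [
        (a.asset_id, adv.cve, priority_score(a, adv), tier(adv))
        for a in assets for adv in advisories if is_affected(a, adv)
    ]
    return sorted(findings, key=lambda f: f[2], reverse=True)


def rank_by_cvss(assets: List[Asset], advisories: List[Advisory]) -> List[Tuple[str, str, float]]:
    """The conventional CVSS-only ordering the article argues against, for comparison."""
    findings = [(a.asset_id, adv.cve, adv.cvss)
                for a in assets for adv in advisories if is_affected(a, adv)]
    return sorted(findings, key=lambda f: f[2], reverse=True)


# Constructed inventory and advisories (not real devices or CVEs).
ASSETS = [
    Asset("PLC-LINE1", "Acme", "PLC-100", "2.1.4", criticality=5),
    Asset("HMI-CTRLROOM", "Acme", "HMI-20", "3.0.0", criticality=3),
    Asset("PLC-SPARE", "Acme", "PLC-100", "2.2.0", criticality=2),  # already on fixed firmware
]
ADVISORIES = [
    Advisory("CVE-0000-1001", "Acme", "PLC-100", "2.0.0", "2.2.0", cvss=9.8, epss=0.02, known_exploited=False),
    Advisory("CVE-0000-1002", "Acme", "HMI-20", "1.0.0", None, cvss=7.5, epss=0.35, known_exploited=True),
    Advisory("CVE-0000-1003", "Acme", "PLC-100", "2.1.0", "2.1.5", cvss=6.5, epss=0.12, known_exploited=False),
]

if __name__ == "__main__":
    print("CVSS-only order:")
    for asset_id, cve, cvss in rank_by_cvss(ASSETS, ADVISORIES):
        print(f"  {asset_id:12} {cve}  cvss={cvss}")
    print("Exploitability-aware order:")
    for asset_id, cve, score, t in prioritize(ASSETS, ADVISORIES):
        print(f"  {asset_id:12} {cve}  score={score:>5}  tier={t}")
```

With the constructed data, the CVSS-only view puts the 9.8 on the line PLC at the top, while the exploitability-aware view puts the 7.5 that is known to be exploited on the control-room HMI first and demotes the 9.8 (EPSS 0.02, no known exploitation) to "monitor". The spare PLC on firmware 2.2.0 produces no finding at all because the version check treats `fixed_in` as an exclusive bound. In a real program the likelihood inputs would come from a known-exploited catalog and an EPSS feed, and the criticality from the process engineers, not from constants in the file.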
As digital connectivity grows and new barriers to successful exposure management arise, organizations should consider the above strategies when building out their exposure management program. Every cyber-physical systems (CPS) environment is unique and demands a tailored approach. Once that approach is in place, organizations will be better equipped to understand their risk posture, prioritize the vulnerabilities that matter most, and apply mitigations that are carefully informed, safe for the process, and genuinely effective at reducing risk in their CPS environment.