Industrial organizations in all sectors share the same overarching goal: to reduce cyber risk. However, due to recent advancements in digital transformation, critical infrastructure organizations are finding it increasingly difficult to meet this goal. That’s because the operational technology (OT) devices and systems that underpin these environments have become increasingly connected to the internet — expanding the attack surface for cyber criminals and making them more difficult to secure. As a result, critical infrastructure organizations require industrial risk management strategies and solutions to better protect their cyber-physical systems (CPS) amid these challenging conditions.
Industrial risk management is the process of identifying, assessing, prioritizing, managing, and monitoring risk to an organization's cyber-physical systems. Industrial organizations typically utilize risk management strategies and solutions to protect their environments from cyber threats. Over the past decade, industrial risk management has become more difficult to achieve as information technology (IT) has become integrated with OT. The convergence of IT and OT systems has allowed organizations to greatly accelerate their digital transformation initiatives; however, it has also brought about its share of risks. When these risks are realized, the consequences for industrial organizations can be severe, including operational disruptions, physical damage, or, more alarmingly, threats to public safety. Although it is impossible to truly eliminate many — if not most — types of risk, implementing risk controls and broader exposure management strategies can help organizations reduce risk in their critical environments.
There are several challenges to achieving industrial risk management — one of the most pressing issues is that CPS-specific risk scores generated by standard solutions tend to be highly misleading. This is due to the following reasons:
Visibility Limitations: Every CPS environment is unique, and most standard solutions are incompatible with at least some of the proprietary protocols, legacy systems, and other complexities inherent in industrial environments. Without full-spectrum visibility into, and understanding of, the CPS in your environment, it is impossible to protect them.
Scope Limitations: Standard solutions don’t account for the full scope of a CPS environment’s compensating controls and risk factors in their calculations — and these gaps are only exacerbated by the aforementioned visibility limitations. As a result, the risk scores they provide are likely to be too high or too low, for example flooding security operations teams with issues that have already been mitigated.
Flexibility Limitations: Most standard solutions take a “one-size-fits-all” approach to calculating risk, despite the fact that every industrial environment is unique. Without the ability to customize how different risk factors are weighted based on what matters most, security teams will find it difficult to quantify their CPS risk posture in the true context of their business.
In order to overcome industrial risk management challenges, it is important for organizations to implement a comprehensive risk-based vulnerability management (RBVM) strategy to better protect their CPS. The following checklist outlines the strategies organizations can utilize to achieve industrial risk management:
1. Gain full-spectrum visibility into your CPS environment
Discovering the assets that comprise your CPS environment should be number one on your checklist for achieving industrial risk management. That’s because it is foundational to all subsequent CPS cyber risk controls. By implementing a CPS security tool with multiple, highly flexible discovery methods, industrial organizations can gain an in-depth understanding of their vulnerabilities and potential attack vectors and focus on their most critical issues first.
2. Implement a granular and flexible risk scoring framework
It is essential for organizations to implement a risk management tool that accounts for an expanded range of factors that can increase risk, as well as compensating controls that offset risk. A granular and flexible framework with these capabilities will allow organizations new to industrial risk management to accurately assess their OT risk posture right away, and accelerate their journey to CPS security maturity.
3. Prioritize vulnerabilities based on their exploitation likelihood
The most efficient way to prioritize vulnerabilities based on their exploitation likelihood is through the Known Exploited Vulnerabilities (KEV) catalog and Exploit Prediction Scoring System (EPSS). By automatically combining these two indicators of risk, organizations can more effectively understand and prioritize the vulnerabilities in their environment that threat actors are most likely to leverage.
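The scoring described in steps 2 and 3 (weighted risk factors, compensating controls that offset risk, and KEV plus EPSS as the exploitation-likelihood signal) can be made concrete in a few lines. The following Python is an added example written for this page; it is not Claroty's code and does not reflect how any product computes its scores. The weights, the compensating-control names and their offsets, the asset criticality scale, and the CVE identifiers in the sample findings are all constructed placeholders. The real inputs would come from CISA's KEV catalog (a yes/no listing) and FIRST's EPSS feed (a 0 to 1 probability), which the code assumes have already been looked up.

```python
from dataclasses import dataclass
from typing import Mapping, Sequence


@dataclass(frozen=True)
class Finding:
    """One vulnerability observed on one CPS asset (constructed data model)."""
    cve_id: str
    asset: str
    cvss_base: float                 # CVSS base score, 0.0-10.0
    epss: float                      # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool                     # True if the CVE is listed in the KEV catalog
    asset_criticality: int           # site-defined, 1 (low) to 5 (safety-critical)
    compensating_controls: tuple[str, ...] = ()


# Hypothetical default weights; each plant is expected to override them to
# reflect what matters most in its own environment. They must sum to 1.0.
DEFAULT_WEIGHTS: Mapping[str, float] = {
    "kev": 0.40,
    "epss": 0.30,
    "cvss": 0.20,
    "criticality": 0.10,
}

# Hypothetical fraction of residual risk removed by each compensating control.
# Controls are applied multiplicatively, so several controls never drive a
# score all the way to zero.
CONTROL_OFFSETS: Mapping[str, float] = {
    "network_segmentation": 0.30,
    "virtual_patching": 0.40,
    "no_remote_access": 0.20,
}


def _validate_weights(weights: Mapping[str, float]) -> None:
    """Reject weight sets that would silently move scores off the 0-100 scale."""
    if set(weights) != set(DEFAULT_WEIGHTS):
        raise ValueError(f"weights must define exactly {sorted(DEFAULT_WEIGHTS)}")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")


def risk_score(
    f: Finding,
    weights: Mapping[str, float] = DEFAULT_WEIGHTS,
    offsets: Mapping[str, float] = CONTROL_OFFSETS,
) -> float:
    """Weighted 0-100 risk score for one finding, reduced by compensating controls."""
    _validate_weights(weights)
    if not 0.0 <= f.epss <= 1.0 or not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"{f.cve_id}: EPSS must be 0-1 and CVSS 0-10")
    raw = (
        weights["kev"] * (1.0 if f.in_kev else 0.0)        # confirmed exploitation
        + weights["epss"] * f.epss                         # predicted exploitation
        + weights["cvss"] * f.cvss_base / 10.0             # technical severity
        + weights["criticality"] * f.asset_criticality / 5  # business/safety impact
    )
    remaining = 1.0
    for control in f.compensating_controls:
        remaining *= 1.0 - offsets.get(control, 0.0)      # unknown controls earn no credit
    return round(100.0 * raw * remaining, 1)


def prioritize(
    findings: Sequence[Finding],
    weights: Mapping[str, float] = DEFAULT_WEIGHTS,
    offsets: Mapping[str, float] = CONTROL_OFFSETS,
) -> list[tuple[str, str, float]]:
    """Return (cve_id, asset, score) rows, highest risk first."""
    scored = [(f.cve_id, f.asset, risk_score(f, weights, offsets)) for f in findings]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample findings; the CVE ids are placeholders, not real CVEs.
SAMPLE_FINDINGS: tuple[Finding, ...] = (
    Finding("CVE-EXAMPLE-0001", "plc-line-3", 9.8, 0.92, True, 5),
    Finding("CVE-EXAMPLE-0002", "hmi-packaging", 9.8, 0.92, True, 5,
            ("network_segmentation", "virtual_patching")),
    Finding("CVE-EXAMPLE-0003", "historian", 9.1, 0.04, False, 3),
    Finding("CVE-EXAMPLE-0004", "eng-workstation", 6.5, 0.70, False, 4,
            ("no_remote_access",)),
)


if __name__ == "__main__":
    for cve, asset, score in prioritize(SAMPLE_FINDINGS):
        print(f"{score:5.1f}  {cve:18}  {asset}")
```

Two things in the sample output are worth noticing. The same KEV-listed CVE on two assets lands at 97.2 on the unprotected PLC but 40.8 on the segmented, virtually patched HMI, which is exactly the "already mitigated" noise a scope-limited scorer would keep surfacing. And the CVSS 9.1 historian finding with a 4% EPSS ranks below the CVSS 6.5 workstation finding with a 70% EPSS, because the exploitation-likelihood signals outweigh severity alone; a plant that disagrees with that ordering changes the weights rather than the code.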
As we know, every industrial environment is unique, which means that risk management strategies must be tailored specifically to each critical infrastructure organization's needs. At Claroty, we understand this need. That’s why we’ve developed an exposure management module to help customers better understand their CPS risk posture, better allocate their existing resources to improve it, and accelerate their CPS security journey. With exposure management, organizations can tackle industrial risk management challenges head-on and protect their critical CPS environments from growing threats.