In recent years, manufacturing, healthcare, and other critical industries have been fueled by rapid digital transformation. As such, organizations in all sectors have since become increasingly reliant on newer types of cyber-physical systems (CPS) and other technologies that both require, and continue to expand, connectivity between information technology (IT) and operational technology (OT).
As these disparate environments converge, they have not only given rise to undeniable business benefits ranging from greater efficiency and sustainability to innovation, but have also dramatically reshaped the vulnerability and risk landscape. This level of connectivity has also made it apparent that traditional vulnerability management strategies and risk reduction workflows are neither practical nor sufficient.
To achieve the necessary balance between reducing this cybersecurity risk and managing the complexity of securing CPS environments, organizations require an evolution from a traditional vulnerability management program to a bolder, more dynamic program. Enter: Exposure Management
Further empowering critical infrastructure asset-owners and operators with more effective capabilities to overcome these challenges is exactly what motivated our newest enhancements to the Exposure Management modules of Claroty xDome. Here’s an overview of the challenges organizations are facing, and the solutions we’re bringing to market in this launch.
Making matters more challenging is the fact that existing vulnerability management, as well as nascent exposure management, programs typically exclude these assets from certain security requirements due to their inability to identify and assess their exposure using existing enterprise solutions.
According to new proprietary data, Claroty found that 38% of the riskiest CPS assets are overlooked by traditional approaches to vulnerability management, highlighting areas that could be exploited by threat actors. Furthermore, the same data revealed that 1.6% of OT and IoMT are defined as “high risk,” have an insecure internet connection and contain at least one Known Exploited Vulnerability (KEV).
Claroty xDome is a purpose-built solution that includes all CPS devices in your exposure management program. Prioritize your most business critical operations with superior asset visibility and management.
The foundation of xDome is CPS Zone Management and superior asset visibility, which allows you to group assets by business outcomes or process criticality. This foundation helps scope your network to both secure areas that may be blindspots for traditional enterprise solutions and account for operational outcomes when prioritizing security controls. Some key CPS features include:
Multi-data collection methods: Claroty xDome uses multi-data collection methods to protect and secure traditionally unmanaged assets outside of IT such as IoT, OT, and medical devices.
Zone-based CPS security: Zones are logical groups of similar assets that communicate with each other under normal circumstances based on their functional, operational, or security.
Existing IT-focused solutions lack the verticalized knowledge and discovery capabilities that are required to properly identify and profile the vulnerabilities and other exposures of CPS within an operational environment. Without visibility into these assets, organizations can experience significant context gaps that hinder prioritization and remediation decisions.
As reported in Claroty’s Global Healthcare Cybersecurity Study 2023, at least 78% of survey respondents experienced a minimum of one cybersecurity incident over the last year. With 30% citing at least one incident that affected cyber-physical systems (CPS), including medical devices and/or building management system (BMS) devices.
Claroty xDome employs multiple discovery methods to identify and profile all CPS on the network, mapping their communication paths and protocol usage, attributing vulnerabilities, and monitoring for threats, resulting in unique risk scores based on the above transparent and uniquely tailored risk framework. These capabilities set the foundation for enabling a continuous exposure management program. Features include:
Vertical-specific asset discovery: Using deep packet inspection (DPI) data collection methods, xDome’s approach to asset discovery is purpose-built to enable granular visibility across all CPS
Vulnerability identification and assessment: xDome utilizing KEV and the exploit prediction scoring system (EPSS) to add additional insight into a vulnerability’s exploitability
Customizable risk framework: Claroty xDome’s risk framework takes into account the likelihood, impact, and compensating controls in measuring and assessing risk based on each organization’s intended risk tolerance.
Existing solutions cannot assess CPS risk in a granular-enough method to identify both remediable exposures from an internal viewpoint as well as actionable attack vectors from a potential attacker's point of view. CPS exposure management prioritization must be built on a foundation that reflects the true on-the-ground reality of an organization’s risk landscape.
According to Claroty’s Team82 State of the XIoT Report, nearly 70% of vulnerabilities disclosed in 2022 received a CVSS v3 severity score of “high” or “critical,” yet less than 8% have been exploited. This discrepancy raises concerns about the conventional wisdom and solutions that recommend prioritizing remediation based on CVSS scores.
Claroty xDome highlights specific attack vectors and assesses them based on their likelihood of being exploited, impact if exploited, and compensating controls that have been applied. Utilizing this information, the solution provides actionable recommendations and enables users to prioritize remediation efforts based on quantified outcomes. Capabilities include:
Exposure scenarios: Claroty xDome supports an exposure scenarios rule builder, extending vulnerability management capabilities to full exposure management from the attacker's point of view.
Industry-specific custom impact: Claroty xDome enables custom impact in order to define any potential impact to a business process to better prioritize remediation based on business outcomes.
Vulnerability Prioritization: Once vulnerabilities and exposures are assessed, xDome prioritizes each determined by impact, exploitability characteristics, relevance state, and remediation information.
Confirming the exploit viability of an exposure requires an intimate understanding of the CPS and network involved and is generally not included in the publication of vulnerabilities or other known exposures. Validating CPS exposures can require close relationships and consultation with Original Equipment Manufacturers (OEMs), referencing Software Bill of Materials (SBOMs) and/or accessing VEX files.
Using EPSS v2 for vulnerability remediation with the same amount of effort enables organizations to be 2.1 times more efficient with a 3.5 times greater coverage for exploitable vulnerabilities.
Managing exposures goes beyond vulnerability management. If an exploit is not published, you may need to investigate via other means such as referring to SBOMS/VEX files, using additional discovery tactics such as active scanning techniques or consulting with OEM to validate risk. Aside from enabling customers to upload their SBOMs and view relevant SBOMs from their peers, Claroty xDome supports VEX files to help eliminate false positives and also employs the following techniques, which highlight our intimate understanding of CPS assets:
Active validation of attack path: Active queries can be used to supplement traditional & passive data collection to quickly and easily gather greater granularity about an asset to determine if a device is truly exposed.
Claroty Edge: Claroty Edge provides an additional data collection method that quickly and efficiently provides additional device context that passive monitoring may overlook.
OEM Alliances: Claroty’s OEM alliances enable you to gain information that is not natively available in the platform in order to properly remediate exposures.
Full mobilization of a CPS cybersecurity program requires integrations into existing cybersecurity workflows, OEM alliances to support remediation paths onsite, downtime and maintenance considerations, and program recommendations and support to prove the value of the cybersecurity program over time.
Further emphasizing this challenge is the fact that more than 95% of CISOs in critical infrastructure sectors are or will soon be responsible for securing not only their organization’s IT environment but also their CPS environment.
Claroty xDome integrates with the industry's leading IT cybersecurity, OT cybersecurity, and asset management solutions to streamline existing risk management processes. xDome also provides automated recommendations and detailed reporting in order to fully mobilize your overall cybersecurity program. Capabilities include:
Recommended actions: Claroty xDome provides device recommendations with various approaches including asset-centric hardening and patching, or network compensating controls.
Reporting: In addition to prioritizing and executing on remediation tactics, Claroty xDome also provides reporting and dashboards to review effectiveness and improvements in security posture.
Technical alliances and integration: Our industry-leading technical alliance program provides our customers with a robust portfolio across cybersecurity and asset management platforms to streamline remediation
As CISOs and their teams continue to face new challenges related to exposure management, they require a solution that is purpose-built for their unique operational and environmental constraints. At Claroty, we are determined to alleviate these pain points. Our exposure management capabilities aim to empower customers further to understand their CPS exposure, better allocate their existing resources to improve it, and accelerate their CPS security cybersecurity programs — no matter where they are in their journey.
To learn more about this latest release and how Claroty xDome can support your CPS security journey, please check out our Exposure Management webpage, read the press release, or simply request a demo.
3 Steps to Protect Federal Laboratories from Cyber Attacks
How Health Delivery Organizations Can Approach Exposure Management
A Comprehensive Guide to Exposure Management for Cyber-Physical Systems