
Inside Claroty’s New Vulnerability Prioritization & Risk Management Capabilities for Cyber-Physical Systems


By Grant Geyer

While the objective of every cybersecurity program is to reduce risk, the stakes are higher in asset-intensive organizations, where a compromise of cyber-physical systems (CPS) can have real-world impact on national security, economic security, and public safety. One needs to look no further than the numerous ransomware attacks against hospitals, pipelines, and water treatment systems over the past few years to recognize that the risk is real, present, and ominous.

The core of the problem is that the same CPS that provide better patient outcomes (connected medical devices) and business outcomes (digitally-enabled process control networks) were not secured-by-design and are therefore commonly vulnerable to cyber attacks. Making matters worse, the blunt reality is that the security operations teams are utilizing standards and tools that were also not designed for the challenge.

Further empowering critical infrastructure asset-owners and operators with more effective capabilities to overcome such challenges is exactly what motivated our newest enhancements to the Vulnerability & Risk Management (VRM) modules of Claroty’s SaaS-based xDome and Medigate platforms. Here’s an overview of the challenges organizations are facing, and the solutions we’re bringing to market in this launch.

Challenge 1: CISOs are increasingly chartered to govern their organization’s CPS cyber risk posture

According to Fortinet’s 2023 State of Operational Technology and Cybersecurity Report, more than 95% of CISOs in critical infrastructure sectors are or will soon be responsible for securing their CPS environment in addition to the traditional responsibilities of securing the IT environment. The same report noted that nearly all of those CISOs are also expected to quantify their organization’s CPS cyber risk posture in reporting to board members and executive leadership.

Unfortunately, the shortcomings of many cyber risk assessment solutions bring added complexity to these responsibilities. Although many such solutions do provide CPS cyber risk scores, most fall short in accuracy and actionability. To illustrate why, consider that risk is an estimate of the likelihood and impact of an undesirable occurrence. In the context of CPS security, it reflects 1) how likely a CPS is to be compromised, and 2) what the impact of such a compromise might be. Accurately assessing those variables requires:

  • Asset Visibility: Traditional risk management platforms aren’t built to provide visibility into what cyber-physical systems exist and their criticality to the business. Without support for the vast array of protocols and collection mechanisms required for discovery, tools will be blind to the assets and their associated risk.

  • Risk Factor & Compensating Control Visibility: Each CPS environment has the potential to reduce risk, such that operators can focus on the risks that are unmitigated. Measures such as segmentation, endpoint protection, access control, and other compensating controls can reduce the inherent risk that exists. The ability to use automation to collect information on these compensating controls and to factor them into the calculus of risk is essential to focusing on the right exposures. Most solutions don’t fully account for a CPS environment’s compensating controls and risk factors, which is why the risk scores they provide are likely to be too high, flooding security operations teams with issues that are already mitigated.

  • A Configurable Risk Framework: Although every CPS environment — and every organization’s risk tolerance — is unique, most solutions offer few options to customize how different risk factors are weighted based on what matters to a customer. It is incredibly common for software vendors to develop a fixed risk calculation that cannot be configured or adjusted for how the enterprise would like to calculate risk. Therefore, most organizations are unable to meaningfully leverage risk-scoring capabilities to improve their CPS risk posture.

Solution: Claroty’s new risk framework helps CISOs optimize their CPS cyber risk posture assessments

Claroty’s newly enhanced VRM capabilities build upon our already industry-leading CPS visibility and discovery capabilities to further empower CISOs and their teams to effectively and efficiently understand and quantify their CPS risk posture by:

Delivering the industry’s most granular and flexible CPS risk scoring framework

Our new risk framework is more accurate than ever because it accounts for an expanded range of factors that can increase risk, as well as compensating controls that can offset risk. These capabilities come preconfigured out-of-the-box; so even customers who are just starting out with CPS security can assess and confidently take steps to improve their CPS risk posture right away.

The framework is also more flexible and customizable than ever before. Since customers can now further tailor how different factors are weighted in their CPS risk scores, our framework is especially well suited to those who are further along on their CPS security journey, are seeking to more closely align CPS risk calculations with their existing GRC processes, and/or simply prefer greater control of how factors are weighted in their CPS risk assessments.

Claroty’s risk scoring framework is preconfigured to reflect the unique security and business context of each customer’s CPS — but it is also fully customizable, enabling seamless alignment with any existing GRC processes or risk definitions.

Challenge 2: Vulnerabilities affecting CPS are increasingly difficult to manage both efficiently and effectively

Further complicating CPS protection efforts is a vast, tough-to-manage landscape of CPS vulnerabilities. Nearly 70% of those disclosed in 2022 received a CVSS v3 severity score of “high” or “critical” — yet, as noted in Claroty Team82’s State of XIoT Security Report: 2H 2022, fewer than 8% have since been exploited.

Despite that discrepancy, conventional wisdom and standard solutions have continued to recommend prioritizing the remediation of vulnerabilities based solely on their CVSS v3 severity score. Findings from a 2023 third-party study [1], however, show that this recommendation is neither efficient nor effective. According to the study, CVSS v3-guided prioritization:

  • Has an average coverage rate of 82.4%. Coverage is the portion of actively exploited vulnerabilities that are prioritized. This means the average security team using CVSS v3 scores of “high” or “critical” as their remediation threshold will prioritize 82.4% — and overlook 17.6% — of the actively exploited vulnerabilities in their environment.

  • Has an average efficiency rate of 3.9%. Efficiency is the portion of all prioritized vulnerabilities that are exploited. This means that out of all the vulnerabilities prioritized by that same security team, less than 4% will be exploited — and nearly 96% of remediation resources will be wasted on those that are never exploited.

Solution: Claroty’s vulnerability prioritization enhancements make it easy to focus on the vulnerabilities that are or most likely will be exploited

Claroty’s newly enhanced VRM solution further empowers CISOs and their teams to effectively and efficiently prioritize vulnerabilities affecting their CPS environments by:

Automatically prioritizing vulnerabilities based on exploitation likelihood

Our VRM offering is now the industry’s first to enrich and assign all vulnerabilities to priority groups based on the latest current and predicted exploitability indicators from the Known Exploited Vulnerabilities (KEV) catalog and Exploit Prediction Scoring System (EPSS). By tracking all vulnerabilities that have been exploited in the wild, the KEV catalog offers invaluable insight into those that are already being weaponized. The EPSS, meanwhile, uses a data science model to estimate which vulnerabilities are likely to be exploited within the next 30 days.

Combining the latest data points from both sources enables us to give customers full visibility into the current and probable near-term state of the vulnerabilities posing the greatest risk to their own environments. As a result, customers can more effectively — and, on average, 11 times more efficiently — prioritize the vulnerabilities threat actors are most likely to leverage.

Source: Enhancing Vulnerability Prioritization: Data-Driven Exploit Predictions with Community-Driven Insights, June 2023.

As shown in the above diagram, this 11x increase in efficiency was determined by contrasting the average EPSS v3 efficiency rate of 45.5% with its CVSS v3 counterpart of 3.9%. It also reinforces how our latest VRM enhancements are further empowering customers to make the best decisions about protecting their most valuable assets.

Claroty automatically assigns all CPS vulnerabilities to Priority Groups based on the latest KEV and EPSS exploitability data, making it easy to understand and prioritize those that are most likely to be weaponized.
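
To make the coverage and efficiency definitions and the KEV/EPSS grouping concrete, the following added example (not Claroty's code or scoring logic) compares a CVSS v3 "high or critical" threshold with a KEV-plus-EPSS rule on a constructed inventory. The CVE IDs, scores, group names and the 0.5 EPSS threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str         # constructed placeholder ID, not a real CVE
    cvss: float      # CVSS v3 base score
    epss: float      # EPSS probability of exploitation in the next 30 days
    in_kev: bool     # listed in the KEV catalog
    exploited: bool  # ground truth, used only to evaluate a strategy

# Constructed sample inventory (all values invented for illustration).
VULNS = [
    Vuln("CVE-0000-0001", 9.8, 0.97, True, True),
    Vuln("CVE-0000-0002", 9.1, 0.02, False, False),
    Vuln("CVE-0000-0003", 8.8, 0.01, False, False),
    Vuln("CVE-0000-0004", 7.5, 0.64, False, True),
    Vuln("CVE-0000-0005", 7.2, 0.03, False, False),
    Vuln("CVE-0000-0006", 6.5, 0.41, True, True),    # medium CVSS, yet exploited
    Vuln("CVE-0000-0007", 8.1, 0.04, False, False),
    Vuln("CVE-0000-0008", 5.3, 0.01, False, False),
    Vuln("CVE-0000-0009", 9.0, 0.55, False, False),  # high EPSS, not exploited
    Vuln("CVE-0000-0010", 7.8, 0.005, False, False),
]

def coverage_efficiency(vulns, prioritized):
    """Return (coverage, efficiency) for a predicate that selects vulns to fix."""
    chosen = [v for v in vulns if prioritized(v)]
    hits = sum(v.exploited for v in chosen)
    exploited_total = sum(v.exploited for v in vulns)
    coverage = hits / exploited_total if exploited_total else 0.0
    efficiency = hits / len(chosen) if chosen else 0.0
    return coverage, efficiency

def priority_group(v, epss_threshold=0.5):
    """Assumed grouping rule: KEV listing first, then predicted exploitation."""
    if v.in_kev:
        return "known-exploited"
    if v.epss >= epss_threshold:   # threshold is an assumption, tune per site
        return "likely-exploited"
    return "monitor"

def by_cvss(v):
    return v.cvss >= 7.0  # CVSS v3 "high" or "critical"

def by_exploitability(v):
    return priority_group(v) != "monitor"

if __name__ == "__main__":
    for name, rule in (("CVSS>=7.0", by_cvss), ("KEV+EPSS", by_exploitability)):
        cov, eff = coverage_efficiency(VULNS, rule)
        print(f"{name:10s} coverage={cov:.1%} efficiency={eff:.1%}")
```

On this sample the CVSS rule selects eight vulnerabilities and still misses the exploited medium-severity one, while the KEV-plus-EPSS rule selects four and catches all three exploited entries.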

Further optimizing mitigation guidance based on overall asset risk

CPS within each vulnerability priority group are also enriched by our previously mentioned new risk scoring framework. This functionality includes a risk simulator that empowers customers to understand not only which CPS should be prioritized within each group — but also whether existing controls should be considered, the extent that patching versus compensating controls will impact risk, and additional, deeper guidance that reflects the unique context of each CPS and vulnerability in each environment.

Final Thoughts

As CISOs and their teams continue to face new challenges in managing CPS cyber risk, we are determined to help alleviate their pain points. Our latest VRM enhancements are a testament to this because, above all else, they aim to further empower customers to understand their CPS risk posture, better allocate their existing resources to improve it, and accelerate their CPS security journey — no matter where they are now or where they want to be.

To learn more about this latest release and how Claroty can support your CPS security journey, please check out our VRM solution briefs for xDome or Medigate, read the press release, or simply request a demo.


1. Jacobs, Jay, et al., “Enhancing Vulnerability Prioritization: Data-Driven Exploit Predictions with Community-Driven Insights”, June 2023, https://arxiv.org/pdf/2302.14172.pdf.
