The recent disclosure of 56 vulnerabilities affecting thousands of operational technology (OT) devices from ten major vendors — collectively known as OT:ICEFALL — serves as a potent reminder not only of the risks exacerbated by digital transformation, but also of the escalating challenges facing security practitioners and asset owners. Nonetheless, the notion that these vulnerabilities indicate a lack of progress in OT security over the past decade is misleading.
Rather, the report's finding that many OT devices remain inherently vulnerable or "insecure by design" — despite, in many cases, certifications or other indicators implying the opposite — reinforces why maintaining an up-to-date asset inventory, zero-trust architecture (particularly with respect to segmentation and access controls), continuous monitoring, and effective governance are so crucial. Indeed, such measures are core to the OT:ICEFALL mitigations recommended by the affected vendors as of this writing.
According to Claroty's Biannual ICS Risk & Vulnerability Report: 2H 2021, the total number of ICS vulnerabilities disclosed annually increased by 110% in just three years, from 683 in 2018 to 1,439 in 2021. During the same period, the number of vulnerability disclosures published by ICS vendors' internal research teams increased 76% from 128 to 226.
Vulnerabilities exist regardless of whether or not they are discovered by researchers or exploited by adversaries. The rise in ICS vulnerability disclosures and CVE assignments does not necessarily reflect a worsening or stagnation of effort to enhance the security of OT devices. Rather, these growing numbers closely correlate with increased interest in — and awareness of the critical importance of — strengthening ICS security among both researchers and vendors.
In cybersecurity, compensating controls are measures taken to address any weaknesses of existing controls or to compensate for the inability to meet specific security requirements due to various different constraints. In the instance of a security vulnerability or threat, compensating controls are typically implemented to mitigate or reduce risk. Compensating controls are important in cybersecurity because they help to manage and mitigate risk associated with threats that are not addressed with traditional security controls. By implementing them, organizations can reduce the risk of a cyber incident, and minimize the impact if one does occur. They also help many organizations to meet regulation requirements and comply with industry standards. Many times, organizations are unable to meet these regulations with the current cybersecurity practices and tools they have in place. Another important role compensating controls play is their ability to provide organizations with the flexibility they need to address vulnerabilities or threats that are not addressed by traditional security tools. For example, a critical infrastructure organization may use compensating controls to address risk associated with legacy systems that are not easily updated or replaced.
Prioritization is key to effective vulnerability management in any context, and this is especially true when it comes to OT. Patching industrial devices often comes with the hefty opportunity cost of downtime and other challenges associated with implementing security upgrades across complex environments in which 24/7 uptime and infrequent maintenance windows are the norm.
Another prevalent barrier to applying patches in OT is the fact that the patches themselves may not always be readily or immediately available. This is the current situation with OT:ICEFALL because these particular vulnerabilities are inherent to the firmware and/or protocols of the affected devices.
These and other scenarios in which applying patches in a timely manner — if at all — simply isn't feasible are where compensating controls come in. Proactively implementing (and, as needed, reactively tuning) risk-informed policies in accordance with a zero-trust architecture helps greatly reduce the likelihood and mitigate the risks posed by the exploitation of all manner of known and unknown vulnerabilities in an OT environment.
At Claroty, we understand that there's no all-in-one fix for the ever-present risk posed by vulnerabilities within your OT environment. That's why our best-in-class platform delivers purpose-built capabilities for identifying security flaws, assessing the risk they pose to your organization, informing mitigations, and implementing compensating controls. These capabilities include, but are not limited to:
You can't protect what you can't see, so the first step in securing your ICS environment is to establish granular, real-time visibility into all your assets. Achieving a comprehensive asset inventory requires purpose-built tools capable of overcoming ICS-specific challenges, such as a lack of standardized technology and the use of proprietary protocols.
Just because a vulnerability with a critical CVSS severity score is present in your environment, that doesn't necessarily mean it is accessible or exploitable by (much less of strategic value to) adversaries. Claroty's granular Risk Scoring and Attack Vector Mapping capabilities identify your most at-risk assets by continuously assessing their behavior, location, vulnerability, and other details while simulating the various means through which an attack could be carried out. Armed with this information, you're better equipped to prioritize your prioritization, remediation, and mitigation efforts based on the real risk posed to your unique environment.
Proper ICS network segmentation can make all the difference when it comes to preventing an adversary from moving laterally across a network following initial exploitation. However, physically segmenting cyber-physical systems and other network assets is often a lengthy, costly, and disruptive process. Claroty Virtual Zones bypass these challenges by digitally segmenting ICS networks based on which assets communicate regularly. Users can then create granular rules and policies for each Virtual Zone in alignment with Zero Trust principles.
With the help of a cyber-physical systems (CPS) security vendor, like Claroty, critical infrastructure organizations can ensure they have the robust security controls they need to protect against vulnerabilities — like those found in OT:ICEFALL. By gaining asset visibility, organizations can understand what devices are in their network, how they operate, and can discover known vulnerabilities to apply the proper controls and mitigation actions. Claroty purpose-built solutions also help prioritize risk, so you can focus your remediation efforts accordingly. And, with their segmentation controls, you can restrict internal and external communication paths and isolate or contain vulnerable devices in zones until they can be patched. With Claroty solutions and compensating controls in place, organizations can ensure they have patterned with the right vendor to protect against vulnerabilities.