Cyber attacks on operational technology (OT) systems have been amplified in recent years due to a rapidly expanding attack surface, geopolitical conflict, and increased availability of powerful ransomware tools. As the OT devices and systems that underpin critical operations become more connected than ever before, critical infrastructure organizations are left wondering how they can accurately assess OT cyber risk. By implementing a comprehensive and proactive exposure management strategy, organizations can ensure they have the tools to properly assess their OT risk posture and effectively prioritize the most pressing vulnerabilities in their environment. Throughout this blog, we will break down the meaning of OT cyber risk, determine how to understand it in the context of your unique environment, and assess the top exposure management strategies to safeguard your OT systems against evolving cyber threats.
At its core, risk is a measure of the likelihood and potential impact of an undesirable occurrence. This simple definition is not specific to cyber-physical systems (CPS), cybersecurity, or anything else; it holds constant no matter the circumstances and can easily be demonstrated via the following equation: Risk = Likelihood x Impact. This equation is not intended to be interpreted in a mathematically literal sense, but it does highlight a mathematically accurate truth: If just one of the equation’s variables were to be eliminated (i.e. assigned a value of zero), then the risk in question would also be eliminated. Although it is nearly impossible to truly eliminate many — if not most — types of risk, the basic principles of risk management shed light on how to reduce it: apply OT risk controls — which we will discuss in depth later in this blog.
In OT, cyber risk has been amplified more recently due to the rapid convergence of IT and OT. Traditionally, IT and OT environments were designed to operate independently with no connectivity between one another, and be managed by separate security teams. As OT systems have become increasingly connected to IT networks and the Internet however, they have created unalterable risk factors. And, consequences of these risk factors can lead to cyber threats that may have severe impact including physical damage, operational disruptions, environmental incidents, or even threats to public safety. That’s why it is paramount for critical infrastructure organizations to prioritize OT cyber risk management.
Unfortunately, the same CPS that provide organizations with better decision making, lower risks, enhanced patient outcomes, and lower overall costs were not designed with security in mind, and therefore are commonly vulnerable to cyber attacks. Without the proper strategies and solutions to overcome these challenges, organizations are faced with heightened OT cyber risk in the form of:
Every CPS environment has various risk factors and controls that contribute to its cyber risk posture — and, should be considered and quantified by a CPS cyber risk scoring mechanism. One major risk factor includes unauthorized remote access. OT remote users pose risk with the potential to make unauthorized changes that pose risks to operations. These risks are compounded by using traditional remote access tools that give cybersecurity staff poor visibility into users’ activities and do not enable such staff to implement role-and policy-based access controls for users. Without robust OT-specific protections, including risk scoring mechanisms in place, enormous risk can be introduced into the environment.
Oil & gas companies, manufacturing organizations, food & beverage producers, and pharmaceutical companies are among many victims of more-recent ransomware attacks that led to lengthy shutdowns with unprecedented financial losses, supply chain disruptions, and damage to essential services that underpin our society. As cyber threat actors are increasingly exploiting the inherent vulnerabilities within these critical infrastructure organizations, a comprehensive understanding of your OT environment is required to accurately assess risk, identify any vulnerabilities present in your environment, and to prioritize security measures accordingly.
Legacy devices and systems have contributed to increased cyber risk due to their outdated software and hardware which leaves them exposed to known vulnerabilities. This is also often why they tend to lack security updates and patches, leaving them more susceptible to exploits that can allow attackers to gain unauthorized access. Without a risk-scoring mechanism that reflects the broad range of risk factors and controls in your CPS environment, managing legacy devices, patching and routine maintenance of assets, and integrating cybersecurity practices into asset usage will be next to impossible without impacting operations.
Many organizations understand how severe cyber attacks on their OT systems can be, however, they tend to have a difficult time prioritizing OT cyber risk to most effectively combat the most dangerous threats in their environment. This is largely due to the fact that organizations are evaluating CPS specific risk scores generated by standard solutions, leaving them ill equipped to prioritize the vulnerabilities in their environment that matter the most. CPS-specific risk scores from standard solutions tend to be misleading due to the following reasons:
Visibility Limitations: Since most standard solutions are incompatible with some of the proprietary protocols, legacy systems, and /or distinct complexities inherent in critical infrastructure environments, they cannot deliver the caliber of visibility required to accurately assess risk within them.
Scope Limitations: Standard solutions don’t account for the full scope of CPS environment’s compensating controls and risk factors in their calculations — and, these gaps are only exacerbated by the visibility limitations mentioned above. As a result, the risk scores provided tend to be too high or too low.
Flexibility Limitations: Most standard solutions take a rigid “one-size-fits-all” approach to calculating risk. Although each CPS environment is unique, standard solutions rarely offer, if any, options for customers to customize how different risk factors are weighted based on what matters most to them. As a result, organizations are simply unable to quantify their CPS risk posture in the true context of their business.
Unless organizations have the right strategies and technology in place to identify risk and assess its implications in the context of their unique environment, they will be left with an ill-informed OT cybers risk management strategy. Thankfully, with risk-based vulnerability management (RBVM) strategies and the right tool in place to optimize risk posture assessments, organizations can effectively and efficiently understand and quantify their CPS risk posture.
Having an effective OT security risk management strategy begins with successfully identifying, assessing, and mitigating potential risks and vulnerabilities that can impact business objectives and operations. Although a comprehensive risk management framework should be tailored to the specific needs and objectives of your organization, these are some of the top strategies to get you started on your journey:
A comprehensive inventory of all OT, IoT, IIoT, and BMS assets — and all other CPS — that underpin your OT environment is the foundation of effective vulnerability and risk management. However, gaining this visibility is one of the most important yet challenging tasks facing security and risk leaders today. This is why it is important to implement a CPS security tool with multiple, highly flexible discovery methods that can be mixed and matched to deliver full visibility in the manner best suited to your organizations distinct needs. This caliber of asset visibility will provide organizations with an in-depth understanding of their organization’s vulnerabilities and potential attack vectors — enabling them to focus on their most critical issues first.
Despite the fact that every CPS environment is unique, most solutions offer few options to customize how different risk factors are weighted based on what matters to a customer. The majority of cybersecurity software vendors develop a fixed risk calculation that cannot be configured or adjusted for how the enterprise would like to calculate risk. Therefore, it is important to implement a risk management tool that accounts for an expanded range of factors that can increase risk, as well as compensating controls that can offset risk. This will allow organizations just starting out with CPS security to accurately assess their OT risk posture right away and will enable them to accelerate their journey to CPS security maturity.
Standard solutions and conventional wisdom tend to guide vulnerability prioritization based on the Common Vulnerability Scoring System (CVSS), rather than based on exploitation likelihood. This method of vulnerability prioritization has led many organizations’ often-already overburdened personnel to expend resources prioritizing vulnerabilities that are or will not ever be exploited. To combat this challenge, organizations should implement a tool that can automatically enrich and assign vulnerabilities to priority groups based on the latest current and predicted exploitability indicators from the Known Exploited Vulnerabilities (KEV) catalog and Exploit Prediction Scoring System (EPSS). As a result, organizations can more efficiently, effectively, and easily understand and prioritize the vulnerabilities that matter most based on which are most likely to be weaponized.
Organizations will continue to face challenges in managing OT cyber risk as they adapt to changing business environments and emerging threats — and as they contend with the inherent OT vulnerabilities present in their environments. That’s why it is key to implement OT security risk management strategies and solutions to mitigate the potential risks and uncertainties in their critical infrastructure environments. With capabilities such as those in Claroty’s new Exposure Management solutions and Vulnerability and Risk Management (VRM) module, organizations can better understand their CPS risk posture, better allocate their resources to improve it, and accelerate their CPS security journey. At Claroty, we understand that every CPS environment is unique, meaning that risk and vulnerability management strategies need to be tailored specifically to each organization’s needs. VRM does just that, by helping our customers answer their toughest cybersecurity questions — including how to accurately assess OT cyber risk.
To learn more about this latest release and how Claroty can support your CPS security journey, please check out our VRM solution briefs for xDome or Medigate, read the press release, or simply request a demo.
Key Steps to Managing Third-Party Risk in Healthcare
Medical Device Risk Management: Protecting Patient Care
Addressing Hospital Risk Management With Advanced Anomaly & Threat Detection
Interested in learning about Claroty's Cybersecurity Solutions?