Blog / 5 min read
Today, it has become imperative that security leaders embrace risk-based vulnerability management (RBVM). With gaps between disclosed, patched, and exploited vulnerabilities continuing to widen, RBVM is truly integral to combating cyber threats — and this is especially true for organizations in critical infrastructure sectors. The operational technology (OT) assets, internet of medical things (IoMT) devices, and other cyber-physical systems (CPS) that underpin these industrial and healthcare organizations’ operations tend to be uniquely prone to not only having vulnerabilities — but also to being targeted by malicious actors eager to weaponize those vulnerabilities.
Being equipped with optimal risk assessment and vulnerability prioritization capabilities as part of a comprehensive RBVM strategy can empower security leaders to better protect their CPS amid these challenging conditions. Throughout the remainder of this blog, we will examine these and other key components of RBVM and how organizations can utilize them to tackle the most pressing CPS security challenges today.
Risk-based vulnerability management is a set of cybersecurity processes that aim to reduce an organization's attack surface by prioritizing the remediation of vulnerabilities based on their risk, which reflects: 1) how likely the vulnerability is to be exploited, and 2) if exploited, what the impact would likely be. As such, an effective RBVM strategy goes beyond just discovering or patching vulnerabilities — it helps you understand the risks they pose in the context of your organization and how to most efficiently and effectively allocate your resources to minimize exposure to those risks.
This strong emphasis on risk is, unsurprisingly, what distinguishes RBVM from traditional approaches to vulnerability management — most of which are guided by a variable that is distinctly different from (yet is often conflated with) risk: severity. The culprit stems from the standards with which common vulnerabilities and exposures, or CVEs, are evaluated as part of their disclosure process.
Specifically, the Common Vulnerability Scoring System (CVSS). CVSS is a way to evaluate and rank reported vulnerabilities in a standard and repeatable way via a numerical score reflecting their severity. This numerical score is commonly translated into a qualitative representation (such as low, medium, high, and critical) to help organizations provide a point of comparison between vulnerabilities, and to properly prioritize remediation of vulnerabilities. The use of CVSS scores is seen as the go-to method for organizations world-wide due to its assistance in determining which vulnerabilities to remindate first. However, CVSS is not the only tool needed for successful vulnerability management. As organizations continue to utilize manual, time consuming processes for vulnerability management or do nothing at all, they are faced with the following challenges:
CPS Visibility is often Minimal: CPS assets use proprietary protocols that are largely invisible to standard security tools. If you can’t identify a device, you can’t assess — much less manage — its vulnerabilities and risks.
Context Gaps Hinder Prioritization: Finding a vulnerability isn’t enough. You also need to assess the affected asset’s context and potential impact on your operations to prioritize and remediate the risk.
Conventional wisdom is at odds with the reality of managing CPS vulnerabilities: Nearly 70% of CPS vulnerabilities disclosed in 2022 received a CVSS v3 severity score of “high” or “critical,” yet less than 8% have been exploited. This discrepancy raises concerns about the conventional wisdom and solutions that recommend prioritizing remediation based on CVSS scores. Security teams following this recommendation are often not only overwhelmed; they may also be misdirecting resources towards vulnerabilities that are unlikely to be exploited, while overlooking those that are.
Standard Vulnerability Scanners are Unsafe: CPS environments and the assets that underpin them are uniquely fragile and cannot tolerate the traffic generated by standard vulnerability scanners.
Patching is Rarely Permitted: Most CPS environments have no tolerance for downtime, so maintenance windows — and, as a result, patching — occur rarely, no matter the vulnerability or risk.
As many organizations struggle to effectively prioritize risk and successfully remediate their most critical vulnerabilities, it is important that they find a solution to help them meet RBVM challenges and ensure resilience throughout their critical environments. In order to tackle healthcare and industrial vulnerability management challenges head-on, organizations should evaluate vulnerability management solutions that:
A granular and flexible risk scoring framework should account for an expanded range of factors that can increase risk, as well as compensating controls that can offset risk. It should also help to more closely align CPS risk calculations with existing governance, risk, and compliance (GRC) processes. Having a CPS risk scoring framework with these capabilities will allow organizations to effectively and efficiently assess their posture, and give them the ability to improve their CPS security right away.
The most efficient way to prioritize vulnerabilities based on their exploitation likelihood is through the Known Exploited Vulnerabilities (KEV) catalog and Exploit Prediction Scoring System (EPSS). The KEV catalog is a compilation of documented security vulnerabilities which have already been successfully exploited. EPSS, on the other hand, uses a data science model to estimate which vulnerabilities are likely to be exploited within the next 30 days. Automatically combining these two indicators of risk provides organizations with the ability to efficiently prioritize the vulnerabilities that threat actors are most likely to leverage.
Every CPS environment is unique, which means that risk-based vulnerability management strategies must be tailored specifically to each organization's needs. Luckily, Claroty has enhanced their SaaS platforms’ vulnerability and risk management (VRM) capabilities to meet the growing challenges of RBVM and to help critical organizations strengthen their CPS risk posture. VRM’s new risk framework accounts for an expanded range of factors that can increase or offset risk — from compensating controls, to compliance considerations, and more. VRM also allows organizations to align with existing GRC processes and risk priorities, providing them with greater control over how different factors are weighted in their CPS risk posture assessments.
In terms of vulnerability prioritization, VRM automatically assigns CPS vulnerabilities based on the KEV catalog and the EPSS, as well as the criticality and risk of affected assets — allowing organizations to more effectively prioritize the vulnerabilities that matter most. As CISO’s and security teams face an increasingly uphill battle when tackling risk-based vulnerability management, it is important they are equipped with the tools to address the toughest cybersecurity challenges, and to protect their critical CPS environments from growing threats.