If you believe cybersecurity in the operational technology (OT), industrial control systems (ICS) or critical infrastructure space is all doom and gloom, you are not alone; a good deal of industry posturing and media sensationalism encourages that view.
As an asset owner, legacy assets and zones that have zero common vulnerabilities and exposures (CVEs) or other known vulnerabilities should keep you awake at night. This is a realistic warning for any asset that can be reached without physical tampering, which is to say anything that is not completely isolated. It is not a call to spend an unreasonable share of your budget on cybersecurity; it is a call to measure risk honestly against the compensating controls you actually have in place.
Each CVE is a publicly announced finding (ideally after a period of responsible disclosure) by the vendor and/or the researching entity, and it carries a severity score (CVSS). Like many things in a free market, this sounds as though it should work as intended.
From a vendor's business perspective, having few or no published vulnerabilities looks like proof that my competitors are less secure than my products. But as a cybersecurity professional and an asset owner, I would argue that there must be a certain number of "skeletons" buried, particularly where legacy and insecure-by-design decisions exist.
Examine enough product release notes and a recurring theme emerges in comments such as bug fixes (e.g., in the network stack) or logic errors (e.g., a race condition fixed in a state machine). I would bet that many of those "fixes" really refer to a pesky cybersecurity vulnerability that the vendor deliberately kept quiet. Or the vendor's internal CERT never heard of the vulnerability because the product team did not report it. (This is an area we can all improve, so no fingers are pointed directly.)
Yet, judging by frequent releases against few published CVEs, the security front appears all quiet, calm and serene.
CVEs are one metric for identifying what to fix, but they do not capture the risk you actually own. The risk of a devious or disgruntled employee, and the need to minimize downtime, are risks to the business that no CVE describes.
Ensuring the safety and reliability of equipment that affects the bottom line is a newer discipline in the field. Many organizations are only beginning their journey into securing operational environments that contribute economically to the business and play a critical role in our lives.
So far, it has been a quiet war front, punctuated by nation-state events such as Stuxnet and Trisis, and by the ransomware that hit Maersk, Mondelez, and Norsk Hydro. These events had significant impacts. Had they been pushed to dangerous proportions, deliberately or by accident, a CVE score would not have warned us of these threats.
There is a need for more commentary accompanying the announcement of common vulnerabilities and exposures. Content that operators who know their process, their infrastructure and their business can actually consume should be at the forefront.
Cybersecurity professionals need to view risks in one centralized location, monitor them, and understand them comprehensively, with realistic risk profiles that reflect criticality to the business. Those profiles should also include the pesky insecure-by-design vulnerabilities, because they exist and need to be managed for safety in the OT environment.
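The risk profile described above can be made concrete. The following is an added example, not code from the original post or from any product it discusses: a small Python risk register that scores each asset from its worst weakness (a published CVSS score or an insecure-by-design weakness that will never get a CVE), its network exposure, its compensating controls and its business criticality, and compares that ranking with a CVE-only ranking. The weights, the weakness catalogue and the asset inventory are all constructed assumptions for illustration, not a standard.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Illustrative weights; these are assumptions for the example, not a standard.
EXPOSURE_FACTOR = {"isolated": 0.2, "segmented": 0.6, "routable": 1.0}
CONTROL_REDUCTION = {
    "firewall_allowlist": 0.3,   # only approved hosts/ports reach the asset
    "network_monitoring": 0.1,   # passive detection, no prevention
    "read_only_dmz": 0.3,        # data leaves the zone, commands do not enter
}
# Insecure-by-design weaknesses never receive a CVE, so they are given an
# assumed severity on the same 0..10 scale as CVSS so they can be compared.
DESIGN_WEAKNESS_SEVERITY = {
    "unauthenticated_protocol": 8.0,   # e.g. write commands accepted without credentials
    "hardcoded_credentials": 9.0,
    "unsigned_firmware": 7.0,
}


@dataclass
class Asset:
    name: str
    criticality: int                     # 1 (nuisance) .. 5 (safety or plant-wide outage)
    exposure: str                        # key of EXPOSURE_FACTOR
    cvss_scores: list[float] = field(default_factory=list)
    design_weaknesses: list[str] = field(default_factory=list)
    controls: list[str] = field(default_factory=list)


def worst_weakness(asset: Asset) -> float:
    """Highest severity across published CVEs and insecure-by-design weaknesses (capped at 10)."""
    severities = list(asset.cvss_scores)
    severities += [DESIGN_WEAKNESS_SEVERITY[w] for w in asset.design_weaknesses]
    return min(max(severities, default=0.0), 10.0)


def risk_score(asset: Asset) -> float:
    """Owned risk on a 0..5 scale: severity x exposure x residual-after-controls x criticality."""
    # Controls reduce likelihood but never to zero; floor the residual at 10%.
    residual = max(0.1, 1.0 - sum(CONTROL_REDUCTION[c] for c in asset.controls))
    likelihood = (worst_weakness(asset) / 10.0) * EXPOSURE_FACTOR[asset.exposure] * residual
    return round(likelihood * asset.criticality, 3)


def rank_by_risk(assets: list[Asset]) -> list[tuple[str, float]]:
    """Assets ordered by owned risk, highest first."""
    return sorted(((a.name, risk_score(a)) for a in assets), key=lambda t: t[1], reverse=True)


def rank_by_cve_only(assets: list[Asset]) -> list[tuple[str, float]]:
    """What a CVE-only view produces: highest CVSS wins and design weaknesses vanish."""
    return sorted(((a.name, max(a.cvss_scores, default=0.0)) for a in assets),
                  key=lambda t: t[1], reverse=True)


# Constructed sample inventory for the example (not real assets).
SAMPLE_ASSETS = [
    Asset("PLC_line1", criticality=5, exposure="routable",
          design_weaknesses=["unauthenticated_protocol"]),           # zero CVEs
    Asset("HMI_line1", criticality=4, exposure="segmented",
          cvss_scores=[9.8], controls=["firewall_allowlist", "network_monitoring"]),
    Asset("Historian", criticality=2, exposure="routable",
          cvss_scores=[7.5, 5.3], controls=["network_monitoring"]),
    Asset("EWS_offline", criticality=3, exposure="isolated", cvss_scores=[9.8]),
]

if __name__ == "__main__":
    print("CVE-only view: ", rank_by_cve_only(SAMPLE_ASSETS))
    print("Owned-risk view:", rank_by_risk(SAMPLE_ASSETS))
```

Run it and the PLC with no CVEs at all, but an unauthenticated protocol on a routable network and the highest criticality, ranks first on owned risk and last on the CVE-only list, which is exactly the blind spot the post describes. The weights are the part to argue over in your own program; the structure (severity, exposure, residual after controls, criticality) is the point.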
Be aware and cautious during seemingly routine vulnerability releases. Always formulate a plan: