Prioritizing Asset Risk Management in OT Security

What is OT Asset Risk Management and Prioritization?

Asset risk prioritization is vital in enterprise asset management in critical infrastructure. Its objective is to rank Operational Technology (OT) assets based on two key dimensions:

1) their criticality to organizational operations

2) the potential cybersecurity risks they pose

This prioritization process informs decisions regarding enhancements, maintenance, related projects, and investments.

Independently assessing both dimensions is essential in OT. While certain assets may exhibit high cybersecurity risk exposure, they might not be as crucial to the operational process. Conversely, assets with lower exposure scores may require prioritization due to their critical role. This distinction is especially significant in OT due to the unique challenges associated with vulnerability management and remediation.

Challenges with Asset Risk Prioritization

Implementing the concept encounters several obstacles:

• Assessing an asset’s criticality involves considering its primary function and its impact on other functions it supports.
• Customizations tailored to specific processes or functions, such as logic or configurations, add complexity.
• Accessing expertise may be difficult, especially if integrators are unavailable or subject matter experts have retired.
• Many organizations lack comprehensive criticality analyses, hindering accurate prioritization.
• Exposure assessments often focus solely on Common Vulnerabilities and Exposures (CVEs), overlooking inherent vulnerabilities like account settings and communications.
• CVEs may not accurately reflect risks in OT environments.
• Cyber-related exposures and threats evolve continuously, requiring ongoing assessment.
• The effectiveness of compensating controls for risk management varies, impacting each asset differently.
• Exposures are interconnected, complicating manual analysis of their interrelation.
• Organizational deployment and architectures influence risk levels.

Prioritizing asset management based on associated risks is complex. Leveraging technology can alleviate some challenges, particularly for organizations initiating their cybersecurity journey, provided they have sufficient asset data and a basic understanding of their industrial control systems.

Four Steps to Conduct Effective Critical Asset Risk Assessment

Step 1: Get a Comprehensive Understanding of the OT System(s)

Conduct a thorough examination of the OT system(s) involved, encompassing:

• Hardware and software inventory
• Network connectivity
• Process flows and device purposes
• Users and accounts
• Configuration settings
• Presence of protective security layers, among other factors.

Step 2: Assign Asset Criticality Metrics

• Establish a framework for assigning criticality scores, which may already exist due to regulatory safety processes.
• Evaluate the business impact of potential disruptions to accessibility, integrity, confidentiality, etc., considering safety, volume, and profitability factors.

Step 3: Calculate Asset Scores

• Determine exposure scores for each asset by assessing known and potential risks, including:
• Known Common Vulnerabilities and Exposures (CVEs) based on sources like NIST and ICS CERT.
• Identify “insecure by design” elements such as password management and open ports.
• Exploration of potential compensating controls, such as firewalls and application whitelisting, to mitigate exposure.

Step 4: Prioritize and Execute Remediation Actions

• Develop lists and campaigns to address identified risks or areas requiring attention, aligning with the organization’s preferred scoring results.
• Adhere to change management processes, implementing changes within the environment based on the identified lists and changes from the local site.
• Regularly review and monitor changes or address unmitigated risks if remediation is not feasible.

Manage OT Security Risks with Tech-Enabled Risk Prioritization

Executing the aforementioned process manually presents significant challenges. Leveraging technology is essential for establishing a robust OT asset risk prioritization framework. While no singular solution can completely determine your cyber risks, it’s crucial to:

a) Automate the asset information and inventory process to gather the most comprehensive asset data possible.

b) Integrate your organization’s expertise and established processes seamlessly.

c) Enable the calculation of blended risk scores, incorporating criticality and exposure factors from various sources such as results from NERC CIP audits, Cyber PHAZOPs, and third-party assessments. This ensures that findings and concerns are adequately addressed within the platform.

Technology does not replace the need for organizations to assess relevant threats thoroughly. Instead, it empowers organizations to transition from mere awareness of risks or threats to a more pertinent risk prioritization model—one that is both repeatable and continuously evolving.

OT Risk Management Best Practices

At Verve, our extensive experience working with industrial clients over the past twelve years has provided invaluable insights into implementing a technology-driven risk management approach.

Achieve Full Endpoint Visibility

One of the primary challenges organizations encounter is the lack of thorough endpoint visibility across their networks. Known as 360-degree visibility, this entails more than sporadic manual inventories or passive solutions. It requires a deep understanding of endpoints, including full software inventory, patch status, user accounts, configuration details, antivirus updates, and backup status. While passive solutions offer initial insights, they have inherent limitations in effectively capturing and interpreting data.

Use OT-Specific Assessment Technology

Effective risk scoring demands specialized assessment and scoring technology tailored to OT environments. Relying on manual methods or generic IT-centric tools often results in outdated or incomplete data due to the intricate nature of OT assets. The ideal technology should provide real-time insights into asset criticality and exposure, incorporating both direct asset data and tacit knowledge from OT professionals. Understanding the nuances of OT risk, rather than relying solely on generic risk metrics like CVSS scores, is essential for accurate risk prioritization.

Prioritize Remediation Efforts

Continuous improvement is key in OT security. While assessments are crucial for identifying threats and risks, effective risk management extends beyond assessment to include proactive remediation. Organizations can streamline security efforts and accelerate the remediation process by integrating remediation capabilities into the same toolkit used for assessments. This unified approach ensures ongoing measurement and progress reporting, ultimately enhancing the overall security posture without adding unnecessary complexity.

In summary, a technology-enabled risk management approach encompasses comprehensive endpoint visibility, specialized OT assessment technology, and proactive remediation capabilities, enabling organizations to mitigate risks and safeguard their industrial assets effectively.

Verve Exposure Scores Guide Criticality and Vulnerability

For over a decade, Verve has partnered with clients to address risk prioritization challenges. Verve developed a scoring mechanism integrated into the Verve Security Center to tackle common issues with asset inventory management and prioritization. This mechanism helps asset owners gain deeper insights into their assets, allowing them to filter by detailed type, applications, nature, and criticality or examine exposure factors, including compensating controls, to identify host vulnerabilities.

The above image is a screenshot from the Verve Asset Manager (VAM), serving as the central hub for overseeing inventoried assets. This platform provides many details and calculations, facilitating the organization and management of potentially hundreds or thousands of assets. Users can efficiently sort through this information by filtering based on specific asset types, criticality levels, and exposure assessments.

Verve’s asset inventory management tool provides comprehensive reporting on asset details for global visibility across all sites. Within the reporting console, vulnerabilities are aggregated and ranked to facilitate effective governance and management of critical risks.

Moreover, Verve offers direct remediation of threats from the console. As you prioritize asset risks, users can swiftly pivot to remediation to address the most critical risks or identify compensating controls for implementation.

The Importance of Effective Asset Risk Prioritization

OT asset risk prioritization stands as a cornerstone in OT security and systems management. Given the constraints of limited resources and the inherent complexities of remediation actions like patching, OT security leaders require a robust prioritization framework to ensure effective security measures.

A comprehensive OT asset risk prioritization platform featuring a 360-degree asset view, robust exposure, and criticality scoring, alongside remediation capabilities, significantly enhances the efficiency and maturity of OT security.

This integrated OT cybersecurity platform provides detailed asset information, delivering filterable results for prioritization, attributes, vulnerabilities, and risk exposures at a glance. Moreover, it empowers organizations to take action at the site level while gaining a global perspective across all sites, facilitating informed and prioritized decision-making.