Over the past several weeks, CISA and other organizations have released multiple notices about the importance of prioritizing vulnerabilities based on the true risk that they pose. Today (as we write this, November 10, 2022) CISA's Executive Assistant Director for Cybersecurity posted a blog entitled "Transforming the Vulnerability Management Landscape". In his post, Eric Goldstein highlights the challenges that operators face in dealing with the huge number of vulnerabilities that remain unaddressed, as well as the volume of new vulnerabilities released each week.

CISA is taking positive steps toward helping organizations with this challenge. CISA now publishes a list of Known Exploited Vulnerabilities (KEV), which begins to narrow down the prioritization process. Further, CISA has supported the development of a range of new capabilities: the Common Security Advisory Framework (CSAF), which enables automated distribution of vulnerability advisories for easier import into an organization's existing databases and tools, and the Vulnerability Exploitability eXchange (VEX), in which software vendors assert whether or not a particular vulnerability affects a particular product. VEX integrates with CSAF so that vendors can distribute these assertions in machine-readable form. Finally, CISA has supported the Stakeholder-Specific Vulnerability Categorization (SSVC), a decision tree for prioritizing what action to take on a given vulnerability. SSVC is the basis for the KEV mentioned above, and it offers a range of decision tree options depending on the organization's mission.

All of these are great steps for organizations to prioritize the vulnerabilities in their environments. We applaud CISA for continuing to provide recommendations and solutions that simplify the complexity of cyber security, rather than add further complexity. As we wrote in prior posts about responding to growing OT vulnerabilities and spoke about in webinars about following CISA’s guidance to improve ICS security, CISA has remained consistent and highly practical in its recommendations for securing our critical infrastructure.

Even with all of these tools and frameworks, we find that organizations still struggle with how to put them into practice. Limited resources, challenging OT/ICS network and device environments, huge volumes of vulnerabilities, and a lack of detailed understanding of each asset's impact on operations make applying the recommendations and frameworks difficult in real-world scenarios. An organization with a dozen or three dozen production facilities, perhaps a range of warehouses, and so on, all running complex legacy OT and IT systems, typically faces a number of challenges in applying the prioritization:

  • Lack of visibility into the endpoints themselves; even where endpoint visibility exists, vulnerability information may be missing, because IT scanners can disrupt OT operations
  • No enterprise system to aggregate the site-level information provided by control system OEMs
  • The age-old challenge of patching legacy OT systems
  • Lack of information on the impact of each asset on production, which is needed to apply the SSVC models
  • Lack of a view of the compensating controls that may reduce the risk of a particular vulnerability before it can be patched
  • An overwhelmed staff, given the number of new ICS-CERT and other vulnerability alerts

So, how can an industrial organization apply the great recommendations and work of CISA?

360-degree risk remediation prioritization

For the past fifteen years, Verve has helped critical infrastructure providers (manufacturers, power companies, oil and gas providers, transportation, etc.) identify risks AND remediate those risks in their environments. To do so, it is essential to prioritize which risks are most critical to address. Verve has developed what we call 360-degree risk prioritization. It includes several key elements:

  1. An endpoint view of every asset in the environment (hardware, software, firmware, patch level, users and accounts, etc.). This endpoint view (as compared to a network traffic/packet inspection view) is absolutely critical to provide the level of depth and accuracy necessary to prioritize remediation actions.
  2. A comprehensive view of the risks of each asset. Vulnerabilities are important, certainly. But they aren't the only, or perhaps even the greatest, risks to the infrastructure. In many environments, the greatest risks are weak access control, lack of password management, lack of accurate firewall and network protection rules, etc. Even with a fully patched system, these environments are at risk. Therefore, Verve gathers all of this risk data into a single console for easier trade-offs.
  3. Vulnerability prioritization based on various factors, including the CISA Known Exploited Vulnerabilities and other sources. This allows a specific prioritization of the known software vulnerabilities.
  4. RISK prioritization on each asset based on a combination of the vulnerability prioritization, all of the other risk elements highlighted in item 2 above, and the asset criticality score. Verve's heritage as a control system integrator allows us to identify those assets and systems with the greatest criticality to operations. Verve then brings that into an overall risk score to help prioritize remediation.
  5. Integrated remediation. It’s nice to know what you should do, but then executing that in OT is challenging. Verve integrates the remediation directly into the assessment platform to accelerate the time to remediation as well as allow for confirmation of remediation actions.
  6. Real-time tracking. One of the greatest challenges in risk remediation prioritization in OT/ICS is that organizations cannot regularly scan a system for new vulnerabilities or whether risks have been remediated effectively. Verve’s platform, however, solves that problem by providing updated vulnerability and risk scores every 15 minutes. This allows organizations to have a real-time view of their risk remediation and demonstrate real risk reduction over time.
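To make the scoring in items 2 through 4 concrete, the following Python script ranks a handful of assets by a combined risk score. It is an added example, not Verve's product code or CISA's guidance: the weights, the blend formula, the KEV-style records (field names modelled on the public KEV JSON feed, with placeholder CVE ids), the VEX status on each CVE, and the asset inventory are all constructed or assumed for illustration.

```python
"""Toy 360-degree risk prioritization (added example, not Verve's code).

Per asset it combines:
  - software vulnerabilities, boosted when the CVE is in the CISA KEV catalog
    and dropped when a vendor VEX statement says the product is not affected
  - non-vulnerability findings (weak access control, missing password policy, ...)
  - an operational criticality score supplied by the asset owner (1 = low, 5 = high)
Weights, formula and all sample data are assumptions for illustration only.
"""
from dataclasses import dataclass, field

# Constructed KEV-style records. Field names mirror the public KEV JSON feed
# (assumed); the CVE ids are obvious placeholders, not real catalog entries.
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleHMI", "product": "Runtime",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-12-01"},
        {"cveID": "CVE-0000-00003", "vendorProject": "ExampleOS", "product": "Kernel",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-11-25"},
    ]
}

# Assumed weights for findings that are not software vulnerabilities (item 2 above).
FINDING_WEIGHTS = {
    "weak_access_control": 4.0,
    "no_password_policy": 3.0,
    "permissive_firewall_rule": 3.0,
    "shared_admin_account": 2.0,
}
KEV_BOOST = 3.0  # assumed: a KEV entry is treated as ~3 CVSS points more urgent


@dataclass
class Vuln:
    cve_id: str
    cvss: float
    vex_status: str = "affected"  # VEX statuses: affected, not_affected, fixed, under_investigation


@dataclass
class Asset:
    name: str
    criticality: int  # 1 (low) .. 5 (high), supplied by the operations team
    vulns: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def kev_index(catalog: dict) -> dict:
    """Map cveID -> KEV record so the required action can be surfaced later."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def vulnerability_score(asset: Asset, kev: dict) -> float:
    """0-10: the single worst exploitable CVE dominates. KEV membership boosts it;
    a vendor 'not_affected' or 'fixed' VEX statement removes it from consideration."""
    scores = []
    for v in asset.vulns:
        if v.vex_status in ("not_affected", "fixed"):
            continue
        boost = KEV_BOOST if v.cve_id in kev else 0.0
        scores.append(min(10.0, v.cvss + boost))
    return max(scores, default=0.0)


def finding_score(asset: Asset) -> float:
    """0-10: additive, since each weak control is an independent path in."""
    return min(10.0, sum(FINDING_WEIGHTS.get(f, 1.0) for f in asset.findings))


def asset_risk(asset: Asset, kev: dict) -> float:
    """Blend exposure (60% vulns, 40% other findings), then scale by criticality -> 0..50."""
    exposure = 0.6 * vulnerability_score(asset, kev) + 0.4 * finding_score(asset)
    return round(exposure * asset.criticality, 2)


def prioritize(assets: list, catalog: dict) -> list:
    """Return (asset name, risk score, KEV required actions) tuples, highest risk first."""
    kev = kev_index(catalog)
    rows = []
    for a in assets:
        actions = [kev[v.cve_id]["requiredAction"] for v in a.vulns
                   if v.cve_id in kev and v.vex_status not in ("not_affected", "fixed")]
        rows.append((a.name, asset_risk(a, kev), actions))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample inventory (names and values are made up).
SAMPLE_ASSETS = [
    Asset("HMI-01", 5, [Vuln("CVE-0000-00001", 7.5)], ["weak_access_control"]),
    Asset("ENG-WS-02", 3, [Vuln("CVE-0000-00002", 9.8),
                           Vuln("CVE-0000-00003", 9.0, vex_status="not_affected")]),
    Asset("PLC-07", 5, [], ["no_password_policy", "permissive_firewall_rule"]),
    Asset("HIST-03", 1, [Vuln("CVE-0000-00001", 7.5)]),
]

if __name__ == "__main__":
    for name, score, actions in prioritize(SAMPLE_ASSETS, KEV_CATALOG):
        print(f"{name:10} risk={score:5.1f}  {'; '.join(actions) or '-'}")
```

Run as-is, the sample inventory ranks HMI-01 first (a KEV-listed CVE on a criticality-5 asset with weak access control), then the engineering workstation with an unpatched but non-KEV CVE, then PLC-07, which has no software vulnerabilities at all but two weak controls, and last the historian, whose KEV-listed CVE is outweighed by its low operational criticality. The VEX "not_affected" statement on ENG-WS-02 is why its 9.0 CVSS entry contributes nothing; that is the point of integrating vendor assertions rather than counting every CVE that matches a product name.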

We applaud CISA for its recent efforts at helping organizations to prioritize vulnerabilities. We encourage all organizations to adopt these practices. We also strongly believe that toolsets like Verve make these recommendations practical for organizations by automating the prioritization, remediation, and monitoring of risk. Cybersecurity in critical infrastructure is a challenging task, with too few resources to defend it. Automating comprehensive risk prioritization is the only way we can all stay ahead.
