The hidden vulnerabilities in our industrial backbone
Over the decade, our team at Verve has conducted dozens of ICS risk assessments across various sectors, from power generation to pharmaceuticals. What we’ve uncovered is both eye-opening and alarming.
Did you know that the average industrial site harbors over 1,000 critical vulnerabilities? Or that 80% of companies lack tested incident response plans? These findings underscore a crucial truth: traditional approaches to cybersecurity fall short in the complex world of operational technology (OT).
We’ll explore why integrated risk management isn’t just important—it’s imperative for the future of industrial cybersecurity.
Subscribe to our newsletter to stay in the loop with the latest OT cyber security best practices.
Verve's Biweekly Newsletter
Subscribe to stay in the loop with the latest OT cyber security best practices.
Fill out form below
5 key findings from OT risk assessments
#1: The average industrial site has over 1,000 critical vulnerabilities and hundreds of missing critical patches.
Our data shows that even the companies regularly applying OEM-distributed and approved software patches still had hundreds of vulnerabilities present because the distributions did not include many important third-party application patches such as Adobe and Java.
#2: Only 15-20% of the companies in our study leveraged rigorous network segmentation for increased protection.
While almost two-thirds had hardware capable of providing some level of network protection, many of these were improperly or incompletely configured and designed, reducing the security effectiveness of these network protections.
#3: The vast majority of embedded OT devices such as PLCs, relays, RTU’s, VFDs, meters, controllers, etc. had very limited or no published vulnerabilities.
However, most of the embedded OT devices showed unpublished risks (risks buried in their firmware like unpublished VxWorks) or insecure configurations that cyber attackers could target to negatively impact critical operations.
#4: The average workstation/HMI contained multiple dormant or unnecessary users and accounts, and failed roughly half of the configuration hardening checks conducted by the Verve Security Center.
Together, this creates a significant opportunity for inappropriate access without ample protection.
#5: Approximately 80% of the companies did not have tested, prioritized incident detection, response, and recovery tactics in place.
This included a range of gaps including a lack of tested, automated, and up-to-date backups. We observed a lack of asset criticality view, and a lack of plant-based personnel awareness into the types of operational issues that might trigger an incident escalation.
The OT Security Conundrum
Addressing these risks is no small feat. Limited staff, often lacking specialized security training, face an uphill battle. Traditional IT solutions fall flat in OT environments, where systems may be unpatchable or devoid of basic security controls.
Organizations must grapple with three pivotal questions:
- Which actions will most effectively mitigate operational risks?
- Where should we focus our efforts first?
- How can we implement a sustainable, long-term security improvement plan?
Answering these questions is crucial to developing a strategic OT security approach that maximizes risk reduction within real-world constraints. The path forward lies in embracing innovative solutions tailored to the unique challenges of OT environments.
Using a 360-Degree approach to OT risk management
Our answer to these questions is what we refer to as 360-degree OT Risk Management. This approach has two broad themes:
360-degree prioritization
First, provide true risk prioritization and remediation planning by taking a 360-degree view of each asset in the environment. 360-degree prioritization implies looking deeper into the asset’s attributes than simply the OS and known vulnerabilities and where it sits in the network.
You need to identify those things, plus:
- All users and accounts both dormant and in-use
- All current endpoint protection and its status and recency of update
- Configuration settings to understand whether they are hardened or not
- The criticality of the asset to the overall process
- The recency and accuracy of backups
- Whether or not devices have dual NICs that may allow for routing around network protections.
This 360-degree view allows businesses to then calculate a true risk score for that asset, relevant for that process.
With that data in hand, operators can effectively prioritize their remediation plans. Which assets need to be patched first? Which are protected by compensating controls and, therefore, may be the lower priority? Which have potential user/account/access risks that would not be seen by a traditional vulnerability scan? Which can be further protected by locking down application allowlisting rules which are too lenient?
The alternative to this process is an overwhelming complexity in the operational execution of these initiatives at the plant level. Through centralization and automated scoring, this analysis can be streamlined and made significantly more efficient.
Closed-loop remediation management
Second, integrate the 360-degree risk prioritization with “closed-loop remediation management”. Current approaches for OT vulnerability assessment and remediation are too time-consuming. After conducting a vulnerability assessment, either by scanning or manually checking vulnerabilities, operators tend to implement OEM-approved patches in addition to testing any non-supplied patches on their systems and rolling those out individually.
The alternative in many cases is risky when pushing patches from WSUS or other tools. Other risks, such as user access and configuration hardening, each require manual intervention on a device or linking to an active directory which may not be available. Finally, monitoring the risk involves looking at multiple different screens and tools such as allowlisting, AV, and network detection.
We encourage operators to adopt closed-loop remediation management to link data from the assessment function directly to automated remediation capabilities.
Closed-loop remediation significantly reduces the manual effort required to mitigate risks. This doesn’t imply a centralized, one-size-fits-all approach. Instead, we advocate for a “Think Global, Act Local” strategy. This means:
Global thinking: Standardizing risk analysis and remediation planning across the organization for consistency and efficiency.
Local action: Empowering local technicians with automated tools to execute the final remediation steps. This leverages their in-depth knowledge of the specific plant and its unique systems.
Watch on Demand:
Vulnerability Management in OT
Effective OT vulnerability management requires more than threat detection; it’s about comprehensive risk mitigation and prioritized remediation. This webinar explores the key components of a robust OT vulnerability program, including asset visibility, risk contextualization, and continuous assessment. Learn how to navigate the challenges of OT environments, from tool selection to implementing compensating controls when patching isn’t feasible.
3 Ways to Reduce Risk for OT Security
From asset/device visibility to OT system inventory
A holistic perspective of the entire system and all of its hardware, software, connectivity, and users, is necessary for comprehensive risk assessment. To do this, it’s important to move beyond the basic knowledge that a device is present on the network and what OS version it is running. You’ll also need to gather insights on all application software such as versions, user accounts, configuration of networking gear, secure settings on Windows equipment, among other datapoints.
From vulnerability identification to OT risk assessment
Understanding the full risk of an asset is critical in OT. Risk includes things such as unnecessary and risky application software (even if up to date), dormant or shared user accounts, insecure configurations, gaps in network protection, and devices that have insecure design built-in. These risks may be partially offset by compensating controls such as firewall protection, application allowlisting, and very tight user access control. 360-degree risk assessment takes these different components into account to form a risk score on each asset to assess its relative risk score. When combined with the process criticality of that system, a true risk assessment is possible.
From OT asset identification to true OT risk remediation
Resource constraints are one of the largest challenges in making significant improvements in OT cyber risk maturity. We must move beyond just identifying potential risks and vulnerabilities to prioritizing specific actions that efficiently drive the greatest risk reduction.
This includes two elements. First, we must prioritize actions based on the most efficient means of risk reduction using the 360-degree view above. Second, introducing automation allows limited resources to deliver maximum impact. Move away from standalone tools that only provide detection or assessment, to tools and processes that then allow for automation of the remediation actions – done in a way with local control over those actions.
By combining these three steps, we have the chance to drive significant, rapid maturity improvement even in a world of limited resources.