CDV index insights
- While IT devices are sufficiently protected in most cases, OT is rarely protected at the level that is necessary.
- A connected devices vulnerability (CDV) index could be an answer that measures how vulnerable industrial facility’s systems are.
- A CDV index is crucial to measuring the preparedness of facility’s OT structure, especially when security and digital safety has fallen to the wayside.
While information technology (IT) security is always high on the list of priorities, operational technology (OT) security often gets lost in the shuffle. Managers assume IT has this area covered when in fact, IT departments are experts at enterprise security but ill-equipped to manage and safeguard OT security. This conundrum can leave your plant floor and industrial technology exposed to nefarious actors and adverse cyber events, both planned and accidental.
Making important business decisions about OT security requires measurable data points. Having a clear understanding of a plant’s OT digital footprint, safety and cyber preparedness is crucial, but until recently a metric for this did not exist.
There is a need for an OT security analytics tool and created the Connected Devices Vulnerability (CDV) Index, which is a method for understanding an industrial facility’s cyber preparedness and security vulnerability.
Similar to a FICO score for banking institutions, or a D&B Rating for businesses, a CDV index can provide crucial, measurable information that manufacturers and plant managers can use to understand vulnerabilities and see where improvements are needed.
The CDV Index quantifies and evaluates an industrial facility’s preparedness, resiliency, risks, threats, and progress toward addressing digital incidents that can negatively impact production, operations, the environment, and even human life. The CDV Index commonly factors in and considers asset characteristics like age, severity, depth, and segmentation among mitigation actions. All these things are evaluated together to determine a CDV Index score.
The CDV Index can then inform management about their plant’s unique vulnerabilities, and insurers about the relative security status of connected devices in industrial facilities. It paints a clearer picture of their OT security posture and reveals where gaps and improvements should be prioritized.
“Without an objective, measurable guide, businesses have no way of truly knowing the individual or collective security level of their ICS systems,” said Craig Duckworth, President, and Co-Founder of Velta Technology. “The manufacturing floor is a dynamic and fluid space that’s constantly changing, and most assets are not patched or maintained from a security posture standpoint. The CDV Index can allow for managers and decision-makers to assess their risk level, prioritize critical vulnerabilities, and see the progress they’ve made to ensure the plant is secure and on the right path.”
In a time when cybersecurity attacks are becoming increasingly common and CEOs are held to a growing risk of accountability for these incidents, ignoring OT security is no longer an option. Knowing and having a CDV Index score is an important place to start because it elevates awareness and lends understanding to vulnerabilities across plant floor and critical infrastructure industrial equipment.
Companies often don’t act or take precautions because they don’t expect to become the victim of a cyber attack. However, cybercrime is on the rise across every industry. Check Point Research (CPR) has found that global attacks increased by 28 percent in the third quarter of 2022, compared to the same period in 2021.
“Complacency or failure to take necessary steps to secure OT can lead to detrimental results, such as a complete stop in operations, costly downtime, and unnecessary repairs,” said Dino Busalachi, co-founder and Chief Technology Officer for Velta Technology. A perfect example of this is the 2021 Colonial Pipeline attack, where a ransomware attack on a U.S oil pipeline led to a multiple-day shutdown leading to regional gas shortages, higher prices at the pump, and a reported $5 million payout to the hacker group.
During a U.S. congressional hearing that scrutinized the incident, Michigan Senator Gary Peters said, “Make no mistake: if we do not step up our cybersecurity readiness, the consequences will be severe.”
A CDV Index is a tool to measure that readiness. Deducing a score begins with compiling an accurate inventory of connected devices and complementary data within your industrial network. Each asset requires a vulnerability search issued for each individual device and software/firmware level. This is followed by an active analysis and comparison of the results obtained.
The real-time CDV Index can also serve as a benchmark for insurance companies and help defend liability claims. According to a report by the U.S. Government Accountability Office, insurers have become more selective about who and what gets covered. The U.S. Treasury Department estimates more than $1 billion in damages occurred in 2021 stemming from ransomware-related transactions, which is likely just the tip of the iceberg. Providing an accurate, data-supported metric for digital safety can help mitigate this problem while exercising proper due diligence in thwarting a potential security breach.
“Insurance carriers took a huge hit in the past two years and are continuing to do so,” said Duckworth. “Cyber insurance rates are going up, sometimes two or three times as much and the coverage is decreasing. As policies become more exclusionary on coverage, organizations should be mindful to not rely on cyber insurance to back them up in case of an emergency and should instead be looking for real-time, ongoing cyber preparedness measurements that can prove to insurance carriers that the company is taking its industrial security seriously. The CDV Index can serve as an industry standard for insurance companies to see the real action companies are taking.”