Prioritizing remediation of vulnerabilities in OT cybersecurity

Remediation of vulnerabilities insights

• CISA continues to provide recommendations and solutions that simplify the complexity of cybersecurity, such as the Known Exploited Vulnerabilities list.
• Applying the recommendations and frameworks can be challenging in real-world scenarios due to lack of resources, challenging OT/ICS network and device environments, huge volumes of vulnerabilities and lack of detailed understanding of asset impact on operations.
• To identify and remediate risks, it is critical to prioritize which risks are most critical to address.

In recent months, the Cybersecurity and Infrastructure Security Agency (CISA) and other organizations have released multiple notices about the importance of prioritizing vulnerabilities based on the true risk that they pose. On Nov, 10, 2022, CISA’s executive assistant director for cybersecurity posted a blog entitled: Transforming the Vulnerability Management Landscape. In his blog, Eric Goldstein highlights the challenges that operators face in dealing with the huge number of vulnerabilities that are unaddressed as well as the volume of new vulnerabilities released each week.

CISA is taking positive steps toward helping organizations with this challenge. CISA now publishes a list of known exploited vulnerabilities (KEV) with known exploits that begins to narrow down the prioritization process. Further, CISA has supported the development of a range of new capabilities such as the Common Security Advisory Framework (CSAF) to enable automated distribution of vulnerabilities for easier import into current organization databases and tools, and the Vulnerability Exploitability Exchange (VEX), where software vendors can assert whether or not a particular vulnerability impacts a particular product. This integrates with CSAF to allow vendors to distribute these in machine-readable formats. Finally, CISA has supported the Stakeholder-Specific Vulnerability Categorization (SSVC) to create a decision tree to prioritize what actions to take for a given vulnerability. This is the basis for the KEV mentioned above. The SSVC also offers a range of decision tree options depending on the organization’s mission.

All of these are great steps for organizations to prioritize the vulnerabilities in their environments. We applaud CISA for continuing to provide recommendations and solutions that simplify the complexity of cybersecurity, rather than add further complexity. As we wrote in prior posts about responding to growing operational technology (OT) vulnerabilities and spoke about in webinars about following CISA’s guidance to improve ICS security, CISA has remained consistent and highly practical in its recommendations for securing our critical infrastructure.

Putting CISA’s advice into practice

Even with all of these tools and frameworks, organizations still struggle with how to put this into practice. Resources, challenging OT/ICS network and device environments, huge volumes of vulnerabilities and lack of detailed understanding of asset impact on operations make applying the recommendations and frameworks challenging in real-world scenarios. If an organization has a dozen or three dozen production facilities, or perhaps a range of warehouses all running complex legacy OT and information technology (IT) systems, they often have a number of challenges in applying the prioritization:

• Lack of visibility into the endpoints themselves. Even with endpoint visibility, companies may lack vulnerability information as IT scanners can disrupt OT operations.
• No enterprise system to aggregate site-level information provided by control system original equipment manufacturers (OEMs).
• The age-old challenge of patching legacy OT systems.
• Lack of information on the impact of each asset on production to apply the SSVC models.
• Lack of a view of compensating controls that may reduce the risk of a particular vulnerability before it can be patched.
• An overwhelmed staff given the number of new ICS-CERT and other vulnerability alerts.

So how can an industrial organization apply the great recommendations and work of CISA?

360-degree risk remediation prioritization

For the past 15 years, Verve has helped critical infrastructure providers (manufacturers, power companies, oil and gas providers, transportation, etc.) identify risks AND remediate those risks in their environments. To do so, it is critical to prioritize which risks are most critical to address. Verve recommends what we call 360-degree risk prioritization.  It includes several key elements:

1. An endpoint view of the assets (hardware, software, firmware, patch level, users & accounts, etc.) on every asset in the environment. This endpoint view (as compared to a network traffic/packet inspection view) is absolutely critical to provide the level of depth and accuracy necessary to prioritize remediation actions.
2. A comprehensive view of the risks of each asset. Vulnerabilities are important, certainly. But they aren’t the only – or perhaps the greatest – risks to the infrastructure. In many environments, the greatest risks are weak access control, lack of password management, lack of accurate firewall and network protection rules, etc. Even with a fully patched system, these environments are at risk.
3. Vulnerability prioritization based on various factors, including the CISA Known Exploited Vulnerabilities and other sources. This allows a specific prioritization of the known software vulnerabilities.
4. Risk prioritization on each asset based on a combination of the vulnerabilities prioritization along with all of the other risk elements highlighted in No. 2 above as well as the asset criticality score.
5. Integrated remediation. It’s nice to know what you should do, but then executing that in OT is challenging.
6. Real-time tracking. One of the greatest challenges in risk remediation prioritization in OT/ICS is that organizations cannot regularly scan a system for new vulnerabilities or whether risks have been remediated effectively.

We applaud CISA for its recent efforts at helping organizations to prioritize vulnerabilities. We encourage all organizations to adopt these practices. We also strongly believe that it’s essential to make these recommendations practical for organizations by automating the prioritization, remediation and monitoring of risk.  Cybersecurity in critical infrastructure is a challenging task, with too few resources to defend. Automating comprehensive risk prioritization is the only way we can all stay ahead.

Original content can be found at Verve Industrial.

Do you have experience and expertise with the topics mentioned in this article? You should consider contributing content to our CFE Media editorial team and getting the recognition you and your company deserve. Click here to start this process.