Whether an organization is managing vulnerabilities within information technology (IT) or operational technology (OT) systems, prioritization is a major factor in meaningfully reducing the risk of attacks that leverage flaws within these systems. Organizations will always find more flaws in their assets than their team will ever be able to fix. The trick is sifting through all these vulnerabilities and first addressing the ones that pose the biggest risk to the organization.
We initially started this blog series on best practices in OT vulnerability management with a general explanation of why vulnerability management in ICS environments is very different than in the traditional IT world of servers and enterprise endpoints. In this second installment of the series, we’ll put an exclamation point on that by specifically explaining how remediation prioritization differs in OT versus IT, and why industrial organizations need specialized guidance in setting ongoing priorities for their OT vulnerability management programs.
Prioritization’s role in vulnerability management
One useful model that depicts the four stages of vulnerability management is broken down as follows:
- Discover assets: Create an asset inventory across which vulnerabilities will be managed.
- Identify/classify: Find and document vulnerabilities across the asset portfolio through vulnerability assessment.
- Prioritize: Rank identified vulnerabilities by risk to decide what gets fixed and when.
- Remediate/mitigate/accept: Act on prioritization by either fixing flaws, instituting compensating controls around them, or accepting the risk of the vulnerability if other factors require it.
In the critical prioritize stage, actions on a vulnerability tend to be determined by classification data such as its Common Vulnerability Scoring System (CVSS) severity score, together with intelligence about how it is typically exploited in the wild. Prioritization should also reflect business risk based on what the asset is, how it is used, and what the potential impact on the business could be.
Why OT prioritization is different
Prioritization of OT vulnerabilities takes special care because there are so many added dimensions of risk to be considered that don’t exist for IT systems. IT vulnerability priorities are primarily set using severity scoring and (sometimes) business criticality of an asset. But OT asset managers must also consider operational and physical world ramifications of an exploited vulnerability. These concerns can often completely change prioritization calculations in OT environments.
Unfortunately, OT vulnerabilities are on a marked uptick, and many of the standard risk advisories that affect OT systems are riddled with errors and lack appropriate mitigation advice. In the 2021 Dragos Year In Review, Dragos explained that the number of published ICS and OT vulnerabilities nearly doubled from 2020 through 2021. Dragos’ analysis of 1703 ICS/OT common vulnerabilities and exposures (CVEs) in 2021 showed:
- 38% of OT vulnerabilities contained errors in the CVSS score associated with the CVE.
- 24% had no patch.
- 19% had no patch and no alternate mitigation.
- 64% of those with a patch had no alternate mitigation.
- 35% of ICS and OT vulnerability advisories in 2021 could cause both a loss of view and a loss of control in an OT system.
Identifying critical “crown jewel” assets – those crucial to keeping industrial machinery operating, for instance – is key in making OT vulnerability prioritization decisions. But crown jewel status alone does not provide a clear-cut determination that a flaw should be escalated to immediate action, either.
Crown jewel assets often also carry the highest operational risk if they are disrupted by vulnerability remediation activity. They are also the pieces of equipment that, ideally, are already protected by the most security controls in an OT environment. So the decision is much more nuanced than simply escalating every flaw on a crown jewel.
Organizations also need to consider internal factors such as which are the most connected systems in their OT networks – connected to third parties, different vendors, and the outside world – especially if a path to the internet exists through these assets. Those systems are normally at the greatest risk from many of the OT vulnerabilities that surface. Additionally, threat intelligence about how vulnerabilities are leveraged in the wild within OT environments is a factor.
The number of ICS/OT vulnerabilities discovered may have doubled between 2020 and 2021, but Dragos found that only 4% of these flaws required immediate action because they were being actively exploited in the wild or had a public exploit available. The trick, of course, is understanding which 4% of the flaws are the ones that matter most. This is why a mature vulnerability management program, backed by an automated platform that can provide ready-made guidance on vulnerability priorities, is so important.
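As an added illustration (not code from the original post or from any Dragos product), the following Python triage routine ranks a handful of constructed findings using the factors discussed above: exploitation in the wild or a public exploit first, then exposure (a path to the internet or crown jewel status) combined with loss-of-view/loss-of-control impact, with CVSS only as a tie-breaker, and a recommended action that depends on whether a patch or an alternate mitigation exists. The bucket names, field names and CVE identifiers are assumptions chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Finding:
    """One ICS/OT advisory as seen against one asset (constructed fields)."""
    cve: str
    cvss: float
    exploited_in_wild: bool = False    # threat intel: seen used in the wild
    public_exploit: bool = False       # public exploit code exists
    patch_available: bool = False
    mitigation_available: bool = False # vendor-published alternate mitigation
    crown_jewel: bool = False          # asset crucial to keeping the plant running
    internet_path: bool = False        # asset has a path to third parties/internet
    loss_of_view: bool = False         # advisory impact categories
    loss_of_control: bool = False

BUCKET_RANK = {"immediate": 0, "planned": 1, "defer": 2}  # assumed bucket names

def bucket(f: Finding) -> str:
    # The small share being exploited, or with a public exploit, comes first.
    if f.exploited_in_wild or f.public_exploit:
        return "immediate"
    # Exposed or crown-jewel assets where the flaw can remove view/control.
    exposed = f.internet_path or f.crown_jewel
    if exposed and (f.loss_of_view or f.loss_of_control or f.cvss >= 7.0):
        return "planned"
    return "defer"

def action(f: Finding) -> str:
    if f.patch_available:
        # Patching a crown jewel is itself an operational risk: window it.
        return "patch in maintenance window" if f.crown_jewel else "patch"
    if f.mitigation_available:
        return "apply vendor mitigation"
    return "compensating controls (segment, monitor); document accepted residual risk"

def prioritize(findings: list[Finding]) -> list[tuple[str, str, str]]:
    """Rank by bucket, then CVSS descending; return (cve, bucket, action) rows."""
    ordered = sorted(findings, key=lambda f: (BUCKET_RANK[bucket(f)], -f.cvss))
    return [(f.cve, bucket(f), action(f)) for f in ordered]

# Constructed sample findings; the CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, patch_available=True),  # high CVSS, isolated asset
    Finding("CVE-0000-0002", 6.5, public_exploit=True, crown_jewel=True, patch_available=True),
    Finding("CVE-0000-0003", 7.5, internet_path=True, loss_of_control=True),  # no patch, no mitigation
    Finding("CVE-0000-0004", 8.1, crown_jewel=True, loss_of_view=True, mitigation_available=True),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(*row, sep=" | ")
```

Note that the 9.8-scored flaw on an isolated asset lands last, while the 6.5-scored flaw with a public exploit lands first; that is the difference between OT prioritization and sorting by CVSS.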