Much of creating a strong cybersecurity posture comes down to risk management. Threat actors are out there, and they have more tools at their disposal than ever. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently established a public catalog of vulnerabilities known to be exploited in the wild and issued a binding operational directive ordering federal agencies to patch those systems. But what impact will this really have? And what does it mean for non-government organizations?
The last few years have been eventful in terms of operational technology (OT) cybersecurity incidents, with attacks on critical infrastructure like Colonial Pipeline and the water utility in Oldsmar, Florida. While this has put OT security on the radar, companies are still trying to figure out how to mitigate their own particular version of risk. According to Jim Cook, COO of Velta Technology, CISA’s Known Exploited Vulnerabilities Catalog is not getting the attention it deserves. Last November, CISA began publishing a catalog of known exploited vulnerabilities, each identified by its CVE (Common Vulnerabilities and Exposures) ID, to help companies prioritize their risk management. Once companies know which vulnerabilities are out there and relevant to their environment, they can start patching and securing their systems.
“They’ve got a good process in place now where these get published in a central essential repository, the numbers are logged,” Cook said. “They’re on all different technologies, whether it’s firmware, software platforms, and you can go and look and review.”
The IT/OT divide
For the OT side, patching systems can be a complicated process because, unlike with information technology (IT), they generally can’t patch on a regular basis. They’re often working with older legacy systems, and any downtime can be costly for companies. As a result, OT vulnerabilities tend to back up — there can literally be thousands — leaving critical systems open to breach.
Cook said the CISA catalog is a great place for companies in trouble to start. These are vulnerabilities the Department of Homeland Security (DHS) and other government organizations know threat actors are actively trying to exploit. We know they’re out there; we know they’re vulnerable, and we know how to fix them.
“It’s a great place to say, ‘I’ve got 2,000 or 10,000 open vulnerabilities sitting in my OT. I can’t fix them all. Where do I start?’” Cook said. “Well, I’d start by the ones that the threat actors are currently trying to compromise. And, quite frankly, the Log4j that just came out recently, was published, went straight to the exploit list.”
The primary goal of this list is to help organizations prioritize patching. But, again, there is a divide between IT and OT. IT runs patches frequently, essentially whenever they can. It’s the complete opposite for OT. They’re often not in an environment where shutting down production is an option. There are systems that, if shut down, could jeopardize a $5 million piece of equipment, Cook said. If you’re talking about melting steel, for instance, that machine has likely been running for 10 or 15 years, and you would have to shut it down to patch it. Therefore, alternate mitigations need to be put in place.
When your organization has thousands of vulnerabilities, it can also be difficult to determine which to focus your efforts on. This CISA list can help here, too.
“Every vulnerability has a one to 10 rating,” Cook said. “When they get on the exploit list, to borrow a phrase from ‘Spinal Tap,’ these are 11s. So let’s deal with the 11s. Do we have to put other mitigating controls and extra firewalls in place, further segmentation? I’m not going to say air gap because air-gapping is not real in my opinion. But [put] other steps in place because that has a serious impact. It’s not about data loss. It’s not about your digital exposure. It’s about that physical impact.”
The Known Exploited Vulnerabilities Catalog
So why did it take so long for a list this important to finally become a reality? As with any government organization, much of the necessary information was still broken up into pieces. There were different governmental organizations that all had their own cybersecurity roles and responsibilities; CISA was formed as the roll-up of all of them.
“One of the cybersecurity mantras from the private sector has been, ‘We need more sharing. We need more transparency. How are we supposed to fight things when nobody tells us what we’re fighting? I can’t fight on a thousand fronts, but maybe I can fight on 50 fronts,’” Cook said. “And CISA, with not a whole lot of fanfare in my opinion, suddenly produced this at the beginning of November.”
The catalog is continually being updated, and CISA even sends out emails alerting subscribers of new known exploited vulnerabilities. This is helping shrink the cycle from published vulnerability to solution tremendously, Cook said. It used to take months, if not years, and now it’s only days.
“Now that this is coming to light and it’s becoming actionable information, companies should, as a base level, have capabilities to respond to those vulnerabilities and patch management,” Cook said.
To help manage risk, companies need to go back to basic enterprise risk management principles. What’s the likelihood, and what’s the impact of a particular compromise threat or risk? What this list says is that your likelihood of attack just went way up.
“If it’s likelihood times impact, companies need to be paying attention to it,” Cook said.
In the same way companies look at business processes, they need to approach cybersecurity capabilities as a continuous improvement risk reduction process. For example, does a company in the Midwest need hurricane insurance? Not likely. Cybersecurity should be asking those same sorts of questions.
“This is helping to really call out the true likelihood if you have this vulnerability,” Cook said. “That means people are actively trying to take advantage of those vulnerabilities. That is putting an organization at risk if it isn’t properly addressed.”
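The triage Cook describes, treating KEV-listed findings as "11s" that outrank any CVSS score and routing unpatchable OT systems to compensating controls instead of a patch, can be written down as a small prioritization routine. This is an added example, not code from the article or from Velta Technology; it assumes the catalog has been loaded as dicts using the field names of CISA's published JSON feed (cveID, dueDate, requiredAction), and every CVE ID and asset name in it is a constructed placeholder.

```python
"""Triage a vulnerability inventory against the CISA KEV catalog.
Added example, not code from the article or Velta Technology. It assumes the
catalog is loaded as dicts with the field names of CISA's JSON feed (cveID,
dueDate, requiredAction); the CVE IDs and assets are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the shape of the feed's "vulnerabilities" array.
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "dueDate": "2022-01-10",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0002", "dueDate": "2022-02-01",
     "requiredAction": "Apply updates per vendor instructions."},
]

@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float       # the "one to 10 rating" quoted in the article
    patchable: bool   # False for OT equipment that cannot be taken down

@dataclass
class TriageItem:
    finding: Finding
    kev: bool
    rank: float
    action: str
    due: Optional[str]

def triage(findings, kev_entries):
    """Order findings: every KEV entry (an "11") outranks any CVSS score,
    then CVSS breaks ties. Unpatchable KEV findings get a compensating-
    control action (segmentation, firewalling, monitoring) rather than
    a patch action, reflecting the IT/OT split described in the article."""
    kev = {e["cveID"]: e for e in kev_entries}
    out = []
    for f in findings:
        e = kev.get(f.cve)
        if e is None:
            action = "patch in normal cycle" if f.patchable else "mitigate at next planned outage"
        elif f.patchable:
            action = "patch now: " + e["requiredAction"]
        else:
            action = "cannot patch: segment, firewall and monitor before " + e["dueDate"]
        rank = (11.0 if e else 0.0) + f.cvss
        out.append(TriageItem(f, e is not None, rank, action, e["dueDate"] if e else None))
    return sorted(out, key=lambda t: (-t.rank, t.finding.asset))
```

Because the maximum CVSS score is 10, adding 11 for a KEV match guarantees that a low-scored KEV finding still sorts above a critical-scored finding that nobody is known to be exploiting.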
Check out Part 1 of our interview with Velta Technology’s Jim Cook, where he talked about understanding cyber insurance. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.