Claroty details ‘blind spot’ in traditional vulnerability management for CPS assets, debuts new solution

Claroty, a cyber-physical systems (CPS) protection firm, found that traditional vulnerability management approaches overlook 38 percent of the riskiest CPS assets. This gap poses a significant blind spot that could be exploited by threat actors. Claroty’s Team82 analyzed over 20 million operational technology (OT), connected medical devices (IoMT), IT, and IoT assets, revealing that a substantial portion of the highest-risk OT and IoMT assets would be missed by conventional vulnerability management methods.

Oftentimes, these devices and control systems communicate directly over the internet rather than through a secure access solution, and they contain vulnerabilities that have already been exploited publicly.

“Other factors such as misconfigurations or the use of weak or default credentials further add to the risks facing these systems, the severity of which is underscored in a recent CISA/FBI/NSA alert warning of Russian state-sponsored activity targeting water facilities, dams, food, energy, and agriculture providers,” Claroty detailed in its report titled ‘THE CPS Blind Spot: The Riskiest Cyber-Physical Systems Being Overlooked By Traditional Vulnerability Management Approaches’. “The attacks target exposed industrial control systems, including HMIs, that are directly connected to the internet and secured with weak or default passwords,” it added.

It also disclosed that 20 percent of OT and IoMT assets have CVSS v3.1 scores of 9.0 or above. This metric represents the traditional approach to vulnerability management, which relies solely on the Common Vulnerability Scoring System version 3.1. That volume is too overwhelming and resource-intensive for most organizations to realistically address, especially on CPS assets with limited windows for patching, and it provides no indication of where to start remediation efforts.

Claroty’s Team82 said that 1.6 percent of OT and IoMT assets are defined as ‘high risk,’ have an insecure internet connection, and contain at least one known exploited vulnerability (KEV) – the apex of exposure factors that together pose a real, imminent danger to organizations. This represents tens of thousands of high-risk CPS assets that can be accessed remotely by threat actors and that contain vulnerabilities actively exploited in the wild.

Of these ultra-high-risk OT and IoMT devices, 38 percent do not have a CVSS score of 9.0 or above, meaning they go unnoticed by traditional vulnerability management methods yet are alarmingly ripe for exploitation by threat actors, signifying a high-risk blind spot for organizations.
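As an added illustration, not taken from Claroty’s report or product, the two prioritization rules described above are applied to a small constructed asset inventory: a CVSS-only filter versus a filter on the three exposure factors (high risk, insecure internet connection, at least one KEV). The asset names, scores and flags are invented for the example.

```python
from dataclasses import dataclass

# Constructed inventory: six fictional CPS assets carrying the three exposure
# factors the report discusses. Claroty's own risk model is not reproduced here.
@dataclass(frozen=True)
class Asset:
    name: str
    max_cvss: float          # highest CVSS v3.1 base score among its known CVEs
    high_risk: bool          # 'high risk' per the organization's asset risk rating
    insecure_internet: bool  # reachable from the internet without a secure access solution
    has_kev: bool            # at least one CVE is on CISA's Known Exploited Vulnerabilities list

INVENTORY = [
    Asset("plc-line-1",     9.8, True,  True,  True),   # caught by both approaches
    Asset("hmi-pumphouse",  7.5, True,  True,  True),   # blind spot: exposed + KEV, CVSS < 9.0
    Asset("infusion-pump",  8.8, True,  True,  True),   # blind spot
    Asset("historian-srv",  9.1, False, False, False),  # critical score, but not exposed
    Asset("badge-reader",   6.5, False, False, False),
    Asset("mri-console",    9.0, True,  False, True),   # high CVSS and KEV, not internet-exposed
]

def cvss_only(assets, threshold=9.0):
    """Traditional vulnerability management: everything with a critical base score."""
    return [a for a in assets if a.max_cvss >= threshold]

def exposure_first(assets):
    """Exposure management: high risk AND insecurely internet-connected AND actively exploited."""
    return [a for a in assets if a.high_risk and a.insecure_internet and a.has_kev]

def blind_spot(assets, threshold=9.0):
    """Ultra-high-risk assets that the CVSS-only approach never surfaces."""
    critical = {a.name for a in cvss_only(assets, threshold)}
    return [a for a in exposure_first(assets) if a.name not in critical]

def blind_spot_share(assets, threshold=9.0):
    """Fraction of the ultra-high-risk set that CVSS-only prioritization misses."""
    exposed = exposure_first(assets)
    return len(blind_spot(assets, threshold)) / len(exposed) if exposed else 0.0

if __name__ == "__main__":
    for a in blind_spot(INVENTORY):
        print(f"missed by CVSS-only triage: {a.name} (CVSS {a.max_cvss})")
    print(f"blind spot: {blind_spot_share(INVENTORY):.0%} of ultra-high-risk assets")
```

On this inventory the CVSS-only list is dominated by assets that are not reachable from the internet, while two of the three exposed, actively exploited devices never appear in it.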

“It’s important to understand the implications of any number higher than zero when measuring the risk associated with hyper-exposed assets used to control systems like the power grid or deliver life-saving patient care,” Amir Preminger, vice president of research for Claroty’s Team82, said in a Tuesday media statement. “Organizations must take a holistic approach to exposure management that focuses on the ticking time bombs in their environment because even if they somehow mastered the impossible task of addressing every single 9.0+ CVSS vulnerability, they’d still miss nearly 40% of the most dangerous threats to their organization.”

To address this blind spot, Claroty is introducing a purpose-built CPS exposure management solution, enabling organizations to reduce their attack surface by prioritizing immediate threats. The solution aligns with the Gartner Continuous Threat Exposure Management (CTEM) framework to cater to the needs of manufacturing, healthcare, and critical infrastructure sectors. It helps customers assess their current CPS risk posture, optimize resource allocation for enhanced efficiency, and expedite their journey toward CPS security maturity, regardless of their initial status.

“Taking a vulnerability-focused view alone doesn’t help organizations focus on what matters most, leaving true exposures that can put safety and availability at risk,” Grant Geyer, chief product officer at Claroty, detailed. “Reducing risk requires an evolution from a traditional vulnerability management program to a more focused and dynamic exposure management program that considers unique CPS asset characteristics and complexities, unique operational and environmental constraints, organizational risk tolerances, and desired outcomes of the CPS cyber risk program.”

Capabilities of Claroty’s CPS-native exposure management solution include bringing CPS devices into exposure management programs through multiple data collection methods and tailored risk calculations that account for the relative business value of different aspects of the production process. The approach lays the foundation for network scoping to secure areas that may be blind spots for traditional enterprise solutions, and it accounts for operational outcomes when prioritizing security controls.

It also includes CPS discovery and vulnerability assessment that identifies and profiles CPS assets using highly flexible discovery methods, including Claroty Edge and associated SBOMs, mapping their communication paths and protocol usage, attributing vulnerabilities, and monitoring for threats, resulting in risk scores based on a transparent and uniquely tailored risk framework. It also supports prioritization for critical CPS processes, providing actionable recommendations that rank remediation efforts based on quantified outcomes as defined by specific attack vectors, their likelihood of being exploited, the impact if exploited, and the compensating controls that have been applied.

The Claroty offering also includes safe validation of exposure scenarios: going beyond vulnerability management by investigating exploitability using VEX files and additional discovery tactics such as active scanning techniques, or consulting with OEMs to validate risk assessments and enable proper remediation techniques. It also streamlines remediation and program mobilization by integrating with the industry’s leading IT/OT cybersecurity and asset management solutions to streamline existing risk management processes and mobilize CPS exposure management.