Traditional vulnerability management overlooks risky systems

A new report from Claroty finds that 38 percent of the riskiest cyber-physical systems (CPS) assets are overlooked by traditional approaches to vulnerability management.

CPS, which integrate physical and computational components to monitor and control physical processes, represent a blind spot that is ripe for exploitation by threat actors.

Claroty's research group Team82 analyzed data from over 20 million operational technology (OT), connected medical device (IoMT), IoT, and IT assets in CPS environments. It finds that 1.6 percent of OT and IoMT devices are defined as 'high risk,' have an insecure internet connection, and contain at least one Known Exploited Vulnerability (KEV), that is, a vulnerability listed in CISA's KEV catalog.

Of these ultra-high-risk OT and IoMT devices, 38 percent carry no vulnerability with a CVSS score of 9.0 or above. A program that prioritizes on CVSS severity alone therefore never surfaces them, even though they are ripe for exploitation by threat actors, which makes them a high-risk blind spot for organizations. Only 20 percent of OT and IoMT devices have CVSSv3.1 scores of 9.0 or above.
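The comparison behind these figures can be made concrete with a small triage script. This is an added example, not Claroty's or Team82's code and not the report's scoring method: it assumes a minimal asset record (a high-risk tag, an insecure-internet flag and a list of vulnerabilities with CVSS v3.1 scores) and a KEV catalog loaded as a set of CVE IDs. The inventory and CVE identifiers below are constructed placeholders, not real catalog entries. It applies the traditional rule (prioritize anything with a CVSS 9.0+ finding) and the report's exposure rule (high risk, insecurely internet connected, at least one KEV) to the same inventory and reports which exposed assets the CVSS-only rule misses.

```python
"""Exposure-based versus CVSS-only triage over a constructed CPS inventory.

Added example, not code from Claroty or the report. Assumed asset model:
a criticality tag, an internet-exposure flag and a vulnerability list.
The KEV catalog is modelled as a plain set of CVE IDs.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Vuln:
    cve: str
    cvss: float  # CVSS v3.1 base score


@dataclass
class Asset:
    name: str
    kind: str                 # "OT", "IoMT", "IoT" or "IT"
    high_risk: bool           # criticality tag from the inventory (assumed field)
    insecure_internet: bool   # reachable from the internet without a hardened path
    vulns: List[Vuln] = field(default_factory=list)


def cvss_only_triage(assets: List[Asset], threshold: float = 9.0) -> Set[str]:
    """Traditional rule: any asset carrying a vulnerability scored >= threshold."""
    return {a.name for a in assets if any(v.cvss >= threshold for v in a.vulns)}


def exposure_triage(assets: List[Asset], kev: Set[str]) -> Set[str]:
    """Report's ultra-high-risk filter: high risk, insecurely internet
    connected, and carrying at least one vulnerability in the KEV catalog."""
    return {
        a.name for a in assets
        if a.high_risk and a.insecure_internet
        and any(v.cve in kev for v in a.vulns)
    }


def blind_spot(assets: List[Asset], kev: Set[str], threshold: float = 9.0) -> Set[str]:
    """Exposed, KEV-bearing assets that a CVSS>=threshold program never prioritizes."""
    return exposure_triage(assets, kev) - cvss_only_triage(assets, threshold)


def blind_spot_share(assets: List[Asset], kev: Set[str], threshold: float = 9.0) -> float:
    """Fraction of the exposure-triaged set that CVSS-only triage misses."""
    exposed = exposure_triage(assets, kev)
    if not exposed:
        return 0.0
    return len(blind_spot(assets, kev, threshold)) / len(exposed)


# Constructed sample data: placeholder CVE IDs and a toy KEV set.
KEV: Set[str] = {"CVE-0000-0001", "CVE-0000-0003"}

INVENTORY: List[Asset] = [
    # KEV, exposed, but only 7.5: the blind spot the report describes
    Asset("plc-line3", "OT", True, True, [Vuln("CVE-0000-0001", 7.5)]),
    # KEV, exposed, 9.8: caught by both rules
    Asset("infusion-pump-12", "IoMT", True, True, [Vuln("CVE-0000-0003", 9.8)]),
    # critical score but not internet exposed
    Asset("hmi-packaging", "OT", True, False, [Vuln("CVE-0000-0003", 9.8)]),
    # critical score, not in KEV, low-value asset
    Asset("badge-printer", "IT", False, True, [Vuln("CVE-0000-0002", 9.1)]),
    # KEV but not tagged high risk
    Asset("camera-lobby", "IoT", False, True, [Vuln("CVE-0000-0001", 7.5)]),
]

if __name__ == "__main__":
    print("CVSS>=9.0 only:     ", sorted(cvss_only_triage(INVENTORY)))
    print("exposure filter:    ", sorted(exposure_triage(INVENTORY, KEV)))
    print("missed by CVSS-only:", sorted(blind_spot(INVENTORY, KEV)))
    print(f"blind-spot share:    {blind_spot_share(INVENTORY, KEV):.0%}")
```

On this constructed inventory the CVSS-only rule selects three assets, two of which are not internet exposed or not business critical, while the exposure rule selects two and the PLC with a 7.5-scored KEV entry appears only in the second set. Replacing the toy KEV set with the CISA catalog and the inventory with real asset data is the only change needed to run the same comparison in practice.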

"It's important to understand the implications of any number higher than zero when measuring the risk associated with hyper-exposed assets used to control systems like the power grid or deliver life-saving patient care," says Amir Preminger, vice president of research for Claroty's Team82. "Organizations must take a holistic approach to exposure management that focuses on the ticking time bombs in their environment, because even if they somehow mastered the impossible task of addressing every single 9.0+ CVSS vulnerability, they'd still miss nearly 40 percent of the most dangerous threats to their organization."

To meet the evolving needs of manufacturing, healthcare, and other critical infrastructure organizations, Claroty is introducing a built-for-purpose CPS exposure management solution. It will use multiple data collection methods and tailored risk calculations that account for the business value of different parts of the production process.

"Taking a vulnerability-focused view alone doesn’t help organizations focus on what matters most, leaving true exposures that can put safety and availability at risk," says Grant Geyer, chief product officer at Claroty. "Reducing risk requires an evolution from a traditional vulnerability management program to a more focused and dynamic exposure management program that considers unique CPS asset characteristics and complexities, unique operational and environmental constraints, organizational risk tolerances, and desired outcomes of the CPS cyber risk program."

You can get the full report on the Claroty site and register for a webinar on CPS security on May 30th at 11am ET.


© 1998-2024 BetaNews, Inc. All Rights Reserved.