Traditional approaches to vulnerability management result in a narrow focus of the enterprise attack surface area that overlooks a considerable amount of risk, according to Claroty.
Organizations must take a holistic approach to exposure management
To understand the scope of exposure and the associated risk facing cyber-physical systems (CPS) environments, Claroty’s research group Team82 analyzed data from over 20 million operational technology (OT), connected medical devices (IoMT), IoT, and IT assets in CPS environments.
The research focused on assets that are defined as “high risk,” have an insecure internet connection, and contain at least one Known Exploited Vulnerability (KEV). Researchers defined “high risk” as having a high likelihood and high impact of being exploited, based on a combination of risk factors such as end-of-life state, communication with insecure protocols, known vulnerabilities, weak or default passwords, PII or PHI data, consequence of failure, and several others.
“It’s important to understand the implications of any number higher than zero when measuring the risk associated with hyper-exposed assets used to control systems like the power grid or deliver life-saving patient care,” said Amir Preminger, VP of research for Claroty’s Team82. “Organizations must take a holistic approach to exposure management that focuses on the ticking time bombs in their environment, because even if they somehow mastered the impossible task of addressing every single 9.0+ CVSS vulnerability, they’d still miss nearly 40% of the most dangerous threats to their organization.”
CPS assets pose a high impact risk
23% of industrial OT and 22% of medical devices have vulnerabilities with CVSS v3.1 scores of 9.0 or higher, which would be an impossible number to patch. By recategorizing high-risk devices based upon other factors such as whether they are insecurely connected to the internet and contain vulnerabilities already exploited in the wild, we can identify devices and systems at highest risk of exploitation and significantly reduce the number and percentage of devices to be prioritized and mitigated.
1.6% of OT and IoMT are defined as “high risk,” have an insecure internet connection, and contain at least one KEV – the apex of exposure factors that together pose a real, imminent danger to organizations. This represents tens of thousands of high-risk CPS assets that can be accessed remotely by threat actors and contain vulnerabilities actively exploited in the wild.
Operating from a traditional vulnerability management approach creates a severe blind spot for organizations as to their true risk posture. The analysis shows that a combined 38% of the highest-risk OT and IoMT would be overlooked where CVSS v3.1 scores are the sole risk criteria. A traditional approach also leaves asset owners and operators faced with a challenging percentage of devices per organization in line for remediation. By focusing on the highest-risk exposures, organizations can reduce immediate risk as well as the time and resources required to remediate.
The KEV database demonstrates how attackers are much more likely to target known, older vulnerabilities rather than burn a zero-day exploit (although Google has reported 265 zero-day exploits since 2021).
According to Gartner, “Security leaders always look for improved frameworks and tools for reducing their cybersecurity risks. This includes a shift from a preventative-only approach to more mature, strategy-augmenting-preventative controls with detection and response capabilities. Previous approaches to managing the attack surface are no longer keeping up with digital velocity — in an age where organizations can’t fix everything, nor can they be completely sure what vulnerability remediation can be safely postponed. Continuous threat exposure management (CTEM) is a pragmatic and effective systemic approach to continuously refine priorities, walking the tightrope between those two impossible extremes.”
“Taking a vulnerability-focused view alone doesn’t help organizations focus on what matters most, leaving true exposures that can put safety and availability at risk,” said Grant Geyer, CPO at Claroty. “Reducing risk requires an evolution from a traditional vulnerability management program to a more focused and dynamic exposure management program that considers unique CPS asset characteristics and complexities, unique operational and environmental constraints, organizational risk tolerances, and desired outcomes of the CPS cyber risk program.”