If you have tackled vulnerability management in OT, chances are you ended up frustrated. It is virtually impossible to keep up with the constant stream of new vulnerabilities. Why? Because in OT, installing security patches and firmware updates carries a huge cost. In the vast majority of scenarios, you can’t simply patch or update automatically, because patches must be tested first, and systems cannot be taken offline and rebooted the way they can in IT.

The bottom line is that for the average OT asset owner, known vulnerabilities just keep mounting.

Prioritization is key

The best practice for dealing with this state of affairs is prioritization. If you have no chance of mitigating all vulnerabilities, why not at least try to fix the worst ones? There are various angles from which you can approach this. CVE severity, network exposure, and device criticality are all good criteria for building your prioritization strategy, and they have been discussed at length in a talk at the S4 conference.

Now here’s the bad news. Network exposure and device criticality are difficult to measure and are therefore rarely used. CVE severity is different, because it already comes with the CVE. As a result, most asset owners resort to considering only critical CVEs. That is not a good idea, because in OT you CAN have CVEs with a base score of 10 that are not rated as critical. If only there were a simple fix for this!

And actually there is! Enter exploitability, meaning how easy or difficult it is to use a given vulnerability in an attack. When it comes to exploitability, not all CVEs are equal. CVEs that have already been exploited pose a far bigger risk, because potential attackers don’t need to develop exploit code on their own. They can simply reuse existing code that can often be found on the Internet or on the Dark Web. Therefore, your known exploited vulnerabilities pose a higher risk than the others. Why not use this to our advantage?

Known Exploited Vulnerabilities to the rescue

If we exclude from our scope all the CVEs for which no known exploits exist, the result set we have to deal with becomes much smaller. And here’s the best thing: technically this is easy now, since CISA publishes so-called KEVs, or Known Exploited Vulnerabilities, for download. Today, exploitability is just as easy a data point to grab as CVE severity.

In the OT-BASE OT Asset Management software, we download KEV data automatically from CISA and match it against your installed base. The result is absolutely striking. Check out the video to see how.
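To make the prioritization scheme from the two sections above concrete (KEV membership first, then the network-exposure and device-criticality criteria, then CVSS base score), here is an added example in Python. It is not OT-BASE code and not CISA's; the KEV feed URL is the one I know CISA uses but should be verified, the feed schema is assumed from the published JSON (cveID, requiredAction, knownRansomwareCampaignUse, ...), and the CVE ids, asset names and scores are constructed placeholders so the script runs offline.

```python
"""Rank an OT installed base's CVEs by KEV membership, exposure, criticality and CVSS.

Added example, not code from OT-BASE or CISA. The feed URL and JSON field
names are assumptions about the real CISA catalog; all CVE ids below are
constructed placeholders (CVE-0000-*), not real vulnerabilities.
"""
import json
import urllib.request
from typing import Dict, List

# Assumed location of the live CISA KEV catalog; verify against cisa.gov before relying on it.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the CISA feed (schema assumed). Used so the demo runs offline.
SAMPLE_KEV_FEED = json.dumps({
    "title": "constructed sample catalog",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-0000-1001", "vendorProject": "ExampleVendor", "product": "ExamplePLC",
         "vulnerabilityName": "placeholder", "dateAdded": "2024-01-01",
         "shortDescription": "placeholder", "requiredAction": "Apply vendor mitigation",
         "dueDate": "2024-01-22", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-0000-1002", "vendorProject": "ExampleVendor", "product": "ExampleHMI",
         "vulnerabilityName": "placeholder", "dateAdded": "2024-02-01",
         "shortDescription": "placeholder", "requiredAction": "Apply vendor mitigation",
         "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed installed base: criticality 1 (low) to 5 (high), whether the asset is reachable
# from less trusted networks, and each CVE with its CVSS base score.
SAMPLE_INVENTORY = [
    {"asset": "PLC-LINE1", "criticality": 5, "exposed": False,
     "cves": {"CVE-0000-1001": 9.8, "CVE-0000-2001": 10.0}},
    {"asset": "HMI-LINE1", "criticality": 3, "exposed": True,
     "cves": {"CVE-0000-1002": 7.5, "CVE-0000-2002": 5.3}},
    {"asset": "HIST-DMZ", "criticality": 2, "exposed": True,
     "cves": {"CVE-0000-2003": 9.1}},
]


def fetch_kev_feed(url: str = KEV_FEED_URL, timeout: int = 30) -> str:
    """Download the live catalog as text (needs network; the offline demo does not call this)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_kev(feed_json: str) -> Dict[str, dict]:
    """Index the catalog by CVE id so inventory matching is a dictionary lookup."""
    data = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def rank_findings(inventory: List[dict], kev: Dict[str, dict]) -> List[dict]:
    """Flatten assets into (asset, CVE) findings and sort them, most urgent first.

    Sort key, in descending priority: listed in KEV, flagged for ransomware use in KEV,
    network exposed, device criticality, CVSS base score. A CVSS 10 on an isolated device
    that nobody is known to exploit therefore lands below a lower-scored KEV entry.
    """
    findings = []
    for asset in inventory:
        for cve, score in asset["cves"].items():
            entry = kev.get(cve)
            findings.append({
                "asset": asset["asset"],
                "cve": cve,
                "base_score": score,
                "in_kev": entry is not None,
                "ransomware": entry is not None and entry.get("knownRansomwareCampaignUse") == "Known",
                "exposed": asset["exposed"],
                "criticality": asset["criticality"],
                "required_action": entry["requiredAction"] if entry else None,
            })
    findings.sort(
        key=lambda f: (f["in_kev"], f["ransomware"], f["exposed"], f["criticality"], f["base_score"]),
        reverse=True,
    )
    return findings


def kev_scope(findings: List[dict]) -> List[dict]:
    """The reduced work list the post describes: only findings that are in the KEV catalog."""
    return [f for f in findings if f["in_kev"]]


if __name__ == "__main__":
    catalog = parse_kev(SAMPLE_KEV_FEED)  # swap in fetch_kev_feed() for the live catalog
    for f in rank_findings(SAMPLE_INVENTORY, catalog):
        print(f"{f['asset']:10} {f['cve']:14} cvss={f['base_score']:4} "
              f"kev={f['in_kev']} ransomware={f['ransomware']} action={f['required_action']}")
```

Running it on the constructed data shows the point of the post: the only CVSS 10.0 in the inventory ends up at the bottom of the list, because it is not in the KEV catalog and sits on an isolated device, while the two KEV entries come out on top. To use the live catalog, replace the SAMPLE_KEV_FEED argument with fetch_kev_feed() and read the inventory from your asset management export instead of SAMPLE_INVENTORY.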