A recent alert jointly issued by a myriad of governmental agencies including CISA, FBI, EPA, DOE, NSA and NCSC-UK has spotlighted activities by Russians targeting U.S. and European critical infrastructure. This underscores a troubling reality: Cybercriminals and nation-states are willing and able to cross any red line to accomplish their objectives.
The willingness of threat actors to target critical infrastructure has profound implications. Every single water treatment facility, electric utility, manufacturing plant and office building — including military bases and hospitals — uses digital equipment to achieve important objectives. These connected devices are called cyber-physical systems (CPS); they can gain insight into conditions or actuate changes in the physical world, with tremendous advantages for society. However, the soft underbelly of this digital society is digital risk, and we’ve seen cybercriminals and nation-states leverage the flaws in our digital lives to cause harm. Critical infrastructure operators need to reduce cyber risk. We posit that we’ve been doing it all wrong for decades.
The standard approach to vulnerability management is to leverage the Common Vulnerability Scoring System (CVSS) to prioritize vulnerability remediation. Organizations establish service-level agreements for their internal operations, customers and auditors to demonstrate standards for vulnerability remediation based on severity. Here’s the problem: The CVSS score is not a measure of risk; it’s a qualitative measurement of severity. That’s not even up for debate – it’s explicitly stated on NIST’s National Vulnerability Database (NVD) webpage.
I’ll be provocative: patching based on CVSS severity is a fool’s errand. With over 260,000 unique vulnerabilities in the NVD, practitioners are remediating a myriad of vulnerabilities that aren’t reducing risk. Additionally, many risks aren’t classified as software vulnerabilities and therefore aren’t captured by the CVSS approach. These can span a variety of issues such as insecure protocols, use of default passwords, shared passwords, obsolescent credentials and cleartext communication. Why exploit a vulnerability when you can walk through the front door with a default password?
To effectively navigate these challenges, organizations should shift from Vulnerability to Exposure Management. Developed by Gartner, Exposure Management requires a more focused approach to mitigating risk, and includes scoping, discovering, prioritizing, validating and mobilizing phases. We think it’s critical to leverage this framework and apply it to the context of cyber-physical systems.
In asset-intensive enterprises, scoping should be focused on determining the assets that are essential for the execution of critical business processes, such as production lines. In a dairy manufacturer’s environment, this could be the milk reception business process, which is a critical path for all downstream activities. By scoping based on business impact, security practitioners can dramatically reduce the denominator of assets that need to be continuously inspected for cyber risks.
Discovery focuses on achieving a robust asset inventory of devices in the scope of interest. What we’ve learned is that getting a detailed inventory requires a data-driven rubric of collection methods, with the ultimate goal of gaining sufficient detail to drive vulnerability prioritization efforts. As the CPS security market has matured, organizations can benefit from newer collection methodologies like active queries and agent-based techniques. These not only enable a more detailed inventory, which is the foundation for effective risk reduction, but also enable practitioners to optimize for time-to-value and total cost of ownership.
While prioritizing risks takes vulnerabilities into account, it also expands the definition of risk to include misconfigurations and risky conditions – like default credentials. Enrichment with known exploits, Exploit Prediction Scoring System (EPSS) scores and business impact assessments both focuses effort on the most consequential impacts to production and further narrows it to risks that are exploitable today.
While many exposures may exist, an attacker may not be able to exploit them. The ports may be closed, or a firewall may be blocking traffic from an at-risk system. That’s why validating the attack path is an important step in focusing remediation efforts on the assets that are both high-risk and exposed.
We have to remember that many remediation activities are not in the purview of the security operations team. Therefore, mobilization is a critical step of the exposure management cycle to ensure integration into existing enterprise workflows to drive peer collaboration for activities like patching, changing passwords, or reconfiguring the infrastructure to eliminate risk.
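The scoping, prioritizing and validating phases above can be illustrated with a small ranking exercise. The script below is an added example written for this article; it is not code from the article's authors or from any product. The asset inventory, the point weights, the CVSS and EPSS thresholds and the "validated reachable from the Internet" flag are all constructed assumptions chosen to show the blind spot the text describes: a CVSS-only queue fills up with high-severity findings on isolated or out-of-scope devices while leaving a known-exploited vulnerability on an exposed, in-scope device untouched.

```python
"""Compare a CVSS-only remediation queue with an exposure-management style
ranking (scope -> prioritize -> validate) over a constructed CPS inventory.

All assets, scores and weights here are illustrative, not real findings."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    process: str               # business process the asset supports
    process_critical: bool     # scoping: does that process sit on a critical path?
    max_cvss: float            # highest CVSS base score among its CVEs (0.0 if none)
    has_kev: bool              # any CVE on CISA's Known Exploited Vulnerabilities list
    max_epss: float            # highest EPSS probability among its CVEs (0.0 if none)
    insecure_condition: bool   # default/shared password, cleartext protocol, etc.
    internet_reachable: bool   # validation: is an attack path from the Internet open?


# Constructed inventory for a hypothetical dairy plant (not real assets).
INVENTORY = [
    Asset("plc-filler-01", "bottling", True, 9.8, False, 0.02, False, False),
    Asset("hmi-reception-02", "milk reception", True, 7.5, True, 0.90, False, True),
    Asset("eng-ws-03", "milk reception", True, 0.0, False, 0.00, True, True),
    Asset("hvac-ctrl-04", "office HVAC", False, 9.1, False, 0.10, False, True),
    Asset("historian-05", "quality lab", True, 8.8, True, 0.70, False, False),
]

CVSS_CRITICAL = 9.0   # assumed SLA threshold for "Critical" severity
EPSS_HIGH = 0.5       # assumed cut-off for "likely to be exploited soon"


def cvss_only_queue(assets):
    """Traditional SLA queue: every asset rated Critical by CVSS, no context."""
    return sorted(a.name for a in assets if a.max_cvss >= CVSS_CRITICAL)


def exposure_score(asset):
    """Constructed scoring: scope gate, then evidence of exploitability and
    risky conditions, then a validation penalty when no path is open."""
    if not asset.process_critical:
        return 0                      # scoped out: not on a critical business process
    score = 0
    if asset.has_kev:
        score += 4                    # exploited in the wild today
    if asset.max_epss >= EPSS_HIGH:
        score += 2                    # predicted likely to be exploited
    if asset.insecure_condition:
        score += 3                    # default password / cleartext: no CVE needed
    if asset.max_cvss >= CVSS_CRITICAL:
        score += 1                    # severity still counts, but only a little
    if not asset.internet_reachable:
        score = max(score - 3, 0)     # validated unreachable: defer, don't forget
    return score


def exposure_queue(assets, min_score=3):
    """Assets worth mobilizing on now, highest exposure first."""
    ranked = sorted(assets, key=lambda a: (-exposure_score(a), a.name))
    return [a.name for a in ranked if exposure_score(a) >= min_score]


def cvss_blind_spots(assets):
    """Assets carrying a KEV that a Critical-only CVSS queue would never reach."""
    return sorted(a.name for a in assets if a.has_kev and a.max_cvss < CVSS_CRITICAL)


if __name__ == "__main__":
    print("CVSS-only queue:     ", cvss_only_queue(INVENTORY))
    print("Exposure queue:      ", exposure_queue(INVENTORY))
    print("KEVs CVSS would miss:", cvss_blind_spots(INVENTORY))
```

Running it shows the two queues sharing no assets: the CVSS queue contains the air-gapped filler PLC and the out-of-scope HVAC controller, while the exposure queue leads with the Internet-reachable HMI carrying a KEV, followed by the default-credential engineering workstation that has no CVE at all. The weights are deliberately simple; the point is that scope, exploitation evidence and a validated attack path drive the order, with CVSS severity only as a tie-breaker.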
A recent study analyzed over 10 million assets in a data lake. If an organization used traditional CVSS-based methods for prioritizing vulnerability remediation, 22% of the OT assets in our research would be deemed critical level severity. However, looking at the same data set when taking an exposure management-oriented approach, we found that only 1.3% of the whole population of assets were high risk, contained at least one known exploited vulnerability (KEV), and were connected insecurely to the Internet. Even more intriguing, with a CVSS-focused approach you would miss remediation of 38% of the riskiest assets with KEVs – a clear security blind spot. When CVSS is the only factor in remediation, it’s the worst of both worlds: The illusion of security coupled with an extremely high effort.
Given the stakes – the security of critical infrastructure from threat actors – exposure management emerges as an approach for asset owners and operators. By proactively identifying and addressing vulnerabilities in CPS, exposure management can enhance efficiency while bolstering security defenses. It also represents a crucial advancement in safeguarding the nation’s critical infrastructure from evolving cyberthreats.
Exposure management is essential for critical infrastructure entities to implement because the cybersecurity landscape is incredibly dynamic, with an overwhelming number of exposures and threats emerging daily. A robust exposure management strategy systematically identifies and prioritizes risks to reduce the likelihood of a security breach in a way that is smart, efficient and focused.