Another Vulnerability…. Who cares?

In my opinion, when it comes to vulnerability management in operational environments, less is more. Specifically what I am referring to, as it appears to be the primary focus of what constitutes most vulnerability management, is CVE-chasing. From the many engagements that I have with OT organisations, this seems to be both one of the top priorities for the OT cyber team and the primary cyber risk management practice. 

Doing less vulnerability management may sound counterintuitive. To a certain degree, it conflicts with the recent guidance on vulnerability management from the NCSC. So, I had better explain… 

Obviously, I am not talking about all vulnerabilities. Vulnerabilities that result from a lack of configuration management, policy enforcement, or general cyber hygiene are certainly good candidates for action. For example, the recent compromise of multiple Unitronics PLCs and HMIs in water facilities, allegedly by an Iran-linked hacktivist group calling itself Cyber Av3ngers, exploited internet-connected devices relying on default passwords and with no authentication. This type of vulnerability is critical: it must be identified and remediated (although, such an obvious vulnerability should not have been present in the first place). I am also not referring to ‘big ticket’ CVE vulnerabilities like Log4J, these rightly occupy a top spot on the cyber risk register until they are mitigated. 

What I am talking about is that never-ending supply of CVEs which relate to software or application configuration flaws. These are commonplace in IT and even more so in OT. From my experience, many OT organisations go to great efforts, or aspire to have the capability to; identify, analyse, and remediate these types of vulnerabilities. So much so, in fact, that to them, visibility and mitigation of CVEs has become synonymous with vulnerability management or, even more worryingly, risk management.

Fixations and Vexations

Where does the fixation on CVE-chasing come from? Why are so many OT organisations vexed with it? I see two major contributors: vendor marketeers and IT security teams. 

Cyber Vendors

Marketing based on Fear, Uncertainty, and Doubt (FUD) is certainly nothing new in cybersecurity. However, it has given rise to a particular trend that has become the norm in OT cyber. OT cyber-vendor companies dedicate a lot of time and money interrogating bits of industrial kit to find new vulnerabilities, enabling them to force CVE disclosures from the OEM, attributed to the vendor’s research team, enabling them to publish new articles with the same proclamation: ‘New critical vulnerabilities found in [something you use]…. This is bad…. You’ll be hacked….’ And the point of it all: 

To be secure, you must invest in our product!

This persistent content paints an inflammatory picture. It aims to create a legitimate urgency, but it’s not justified. The reality is that many, even most, of these discovered vulnerabilities have no history of exploitation in the real world, very little possibility of exploitation in the future, and are not the easy targets or ‘low hanging fruit’ that we see in the vast majority of OT cyber attacks.

IT Security Teams

The other major driver for CVE-chasing is behaviours inherited from or, in some cases, instructed by IT Security Teams. In the IT world, ‘update as soon as possible’ is considered a best practice, and rightly so. IT systems are easy to update and generally already have a number of security controls in place, so maintaining security posture is often about minimising vulnerabilities and exposures as quickly as possible. However, when this best practice is applied to OT, it often serves as a distraction and even a hindrance to reducing actual OT cyber risk in the long term. 

How so? Surely reducing vulnerabilities in critical OT systems is a good thing and should always be encouraged. Not exactly. There are some significant challenges to this approach. In fact, the entire practice of OT vulnerability management is quite different, and significantly more complex, than the IT centric approach. 

First, there is the complex process of qualification – the questions that must be answered to work out what to do and when. Do we actually operate any of the affected devices? If so, how many and where are they? Have these vulnerabilities been exploited in the wild? Are these vulnerabilities easily exploitable within our network? Could the process of patching or updating introduce an unacceptable operational risk? Is it possible or practical to remediate? It’s this last question that takes the most time and, in many cases, the answer is, no. 

Additionally, new vulnerabilities must be assessed within the context of the wider vulnerability position. Many operational environments continue to run out-of-date operating systems. In such cases, critical vulnerabilities associated with obsolete-but-still-functioning devices cannot be addressed. So a new vulnerability with a high CVSS score might get a lot of attention, but when you relate that to the hundreds, or even thousands, of CVEs which you live with in your environment, the additional risk they represent is likely negligible. 

Another depressing reality is that even with focus and investment many OT teams are unlikely to make a meaningful impact on their overall CVE remediation backlog. Despite the relatively static nature of OT systems, vulnerabilities will continue to be created and discovered at a rate beyond their ability to be remediated. OT components are, unfortunately, insecure by design and will be so for the foreseeable future. So, bug bounty chasers, malicious actors, OEMs, and researchers will continue to find numerous flaws that can be exploited. Compounding this, component lifecycle times indicate that your OT systems will likely reach end-of-life or become unsupported during their operational lifetimes, meaning even more vulnerabilities with no patch possibilities. 

As we are all well aware, OT cyber teams have finite resources and investment. The real issue with vulnerability management isn’t only that it will feel like you’re banging your head against a brick wall. It’s that it creates a significant distraction of skilled resources from major OT cyber programme projects that beneficially introduce compensating controls and risk mitigations. The activities that really turn the dial on your risk posture. 

Solving the Vulnerability Conundrum

Enough about the problem. Let’s discuss a solution or at least some alternative ways to approach this complex issue. 

First, there is no getting away from the qualification process for new vulnerabilities: Do we have it? Has it been exploited? These are important questions, but in many cases the process needs to be simplified and streamlined. The question that needs to be asked early is: ‘Can I justify diverting resources from our risk reduction mission for this vulnerability?’. More CVEs will ultimately end up in the ‘accepted’ category. 

This leads to the next important recommendation: OT risk leaders need to be more comfortable accepting and tolerating new CVEs; they must approach risk management with the mindset that ‘everything is vulnerable’. That latest CVE probably hasn’t turned the risk dial as much as you might expect and, just because you have a device with a registered CVE in the National Vulnerability Database, doesn’t mean that component is not just as vulnerable to some clever exploit as the next device in the network. 

Accepting that new vulnerabilities might increase your risk level, albeit not always significantly, and not doing much about them may seem counterintuitive. However, focusing resources on advancing real positive security change, rather than on vulnerability firefighting, will pay dividends in the long run. In line with all leading guidance, running risk assessments to identify real risks and then prioritising and implementing new controls and enforcing policy into an environment – such as deploying segmentation or a secure remote access solution or enforcing user access privileges – will significantly turn the dial down on your risk posture.

Freeing up your finite, skilled resources to focus on principles like implementing defence in depth strategies and employing a defensible architecture will lead to greater success over time and move your OT programme closer and faster to your objectives.