Today, it has become imperative that security leaders embrace risk-based vulnerability management (RBVM). With gaps between disclosed, patched, and exploited vulnerabilities continuing to widen, RBVM is truly integral to combating cyber threats — and this is especially true for organizations in critical infrastructure sectors. The operational technology (OT) assets, internet of medical things (IoMT) devices, and other cyber-physical systems (CPS) that underpin these industrial and healthcare organizations’ operations tend to be uniquely prone to not only having vulnerabilities — but also to being targeted by malicious actors eager to weaponize those vulnerabilities.
Being equipped with optimal risk assessment and vulnerability prioritization capabilities as part of a comprehensive RBVM strategy can empower security leaders to better protect their CPS amid these challenging conditions. Throughout the remainder of this blog, we will examine these and other key components of RBVM and how organizations can utilize them to tackle the most pressing CPS security challenges today.
What is Risk-Based Vulnerability Management?
Risk-based vulnerability management is a set of cybersecurity processes that aim to reduce an organization's attack surface by prioritizing the remediation of vulnerabilities based on their risk, which reflects: 1) how likely the vulnerability is to be exploited, and 2) if exploited, what the impact would likely be. As such, an effective RBVM strategy goes beyond just discovering or patching vulnerabilities — it helps you understand the risks they pose in the context of your organization and how to most efficiently and effectively allocate your resources to minimize exposure to those risks.
This strong emphasis on risk is, unsurprisingly, what distinguishes RBVM from traditional approaches to vulnerability management — most of which are guided by a variable that is distinctly different from (yet is often conflated with) risk: severity. The culprit stems from the standards with which common vulnerabilities and exposures, or CVEs, are evaluated as part of their disclosure process.
Specifically, the Common Vulnerability Scoring System (CVSS). CVSS is a way to evaluate and rank reported vulnerabilities in a standard and repeatable way via a numerical score reflecting their severity. This numerical score is commonly translated into a qualitative representation (such as low, medium, high, and critical) to help organizations provide a point of comparison between vulnerabilities, and to properly prioritize remediation of vulnerabilities. The use of CVSS scores is seen as the go-to method for organizations world-wide due to its assistance in determining which vulnerabilities to remediate first. However, CVSS is not the only tool needed for successful vulnerability management. As organizations continue to utilize manual, time consuming processes for vulnerability management or do nothing at all, they are faced with the following challenges:
Common Challenges with Risk-Based Vulnerability Management
- CPS Visibility is often Minimal: CPS assets use proprietary protocols that are largely invisible to standard security tools. If you can’t identify a device, you can’t assess — much less manage — its vulnerabilities and risks.
- Context Gaps Hinder Prioritization: Finding a vulnerability isn’t enough. You also need to assess the affected asset’s context and potential impact on your operations to prioritize and remediate the risk.
- Conventional wisdom is at odds with the reality of managing CPS vulnerabilities: Nearly 70% of CPS vulnerabilities disclosed in 2022 received a CVSS v3 severity score of “high” or “critical,” yet less than 8% have been exploited. This discrepancy raises concerns about the conventional wisdom and solutions that recommend prioritizing remediation based on CVSS scores. Security teams following this recommendation are often not only overwhelmed; they may also be misdirecting resources towards vulnerabilities that are unlikely to be exploited, while overlooking those that are.
- Standard Vulnerability Scanners are Unsafe: CPS environments and the assets that underpin them are uniquely fragile and cannot tolerate the traffic generated by standard vulnerability scanners.
- Patching is Rarely Permitted: Most CPS environments have no tolerance for downtime, so maintenance windows — and, as a result, patching — occur rarely, no matter the vulnerability or risk.
Read the article in full here.
Sign up today for a free Essential Membership to Automation Alley to keep your finger on the pulse of digital transformation in Michigan and beyond.
