
Understanding Vulnerabilities Across Modern Cyber-Physical Systems

7 min read

Vulnerability management of cyber-physical systems (CPS) is one of the most frustrating challenges for enterprise security and networking teams, whose CPS protection efforts are often hampered on several fronts: 

  • Visibility of CPS assets can be difficult because of fragmentation among operational technology (OT), internet of things (IoT), and medical device manufacturers (MDMs) that have failed to standardize on how CPS assets are identified.

  • Patching is a perpetual barrier. Healthcare CISOs, for example, must often rely on compensating controls to mitigate security vulnerabilities while MDMs and the U.S. Food and Drug Administration (FDA) spar over which is responsible for the validation of cybersecurity-related changes made to devices. Similarly, on the OT side, many original equipment manufacturers (OEMs) require that control systems and other connected assets run only at certain patch levels.

  • Related to patching, scheduled downtime is also a complex equation to solve for many organizations hesitant to update legacy—and often unsupported—systems for fear of disrupting or damaging physical OT processes or impeding patient care on the healthcare side. 

The race to connect more CPS assets to the internet, however, will continue unabated; there are too many valid business-impact reasons around connectivity to assume otherwise. CISOs, meanwhile, must find a way to wrestle with this problem in a manner that does not negatively impact the bottom line while keeping these mission-critical environments safe from a growing array of hackers targeting CPS. 

CPS Vulnerabilities in the Context of Exposures

As long as humans write programming code, there will be software and firmware vulnerabilities. Programming flaws, however, are only one aspect of exposures that put CPS at risk, and it’s critical that CISOs look at CPS protection in the context of exposure management. Some common vulnerabilities in this light include:

Risks from Legacy Technology 

OT and healthcare environments are rife with legacy technology. It’s not uncommon to see Windows 7 machines chugging along in hospitals as an interface to imaging systems and patient monitoring devices. These systems work and are often enormously expensive to replace, therefore many healthcare delivery organizations accept the associated risks with using outdated technology.

Legacy systems, however, are a threat to patient care; end-of-life assets that are no longer supported with security and feature updates can be easily exploited with commodity attacks readily available in the wild. Much of the same is true for OT environments, and quite possibly at a larger scale. OT assets were manufactured to last for decades in production and many were designed before online connectivity was a consideration. Yet legacy OT systems may contain vulnerabilities that are only surfacing as these assets are connected online. 

Exposed CPS Assets Can Carry Huge Risks

Internet-facing CPS assets are the most exposed and attractive targets for threat actors. 

Often, CPS devices are not securely added to the public network, and attackers using internet-scanning services that map the IPv4 address range can enumerate exposed assets and services. 

Compounding the problem are legacy communication protocols such as Modbus that lack basic security features such as authentication and encryption by default. These insecure design choices come from a time when OT assets were manufactured to operate within trusted, air-gapped deployments. An attacker can use a scanning service to narrow searches to specific exposed technologies and access them at scale, often without the need for a vulnerability or malicious code. 

Other insecure remote access protocols such as virtual network computing (VNC) are also often problematic. An attacker can likewise enumerate devices whose VNC servers accept connections without authentication and leverage these exposures to access assets and either move laterally onto the enterprise network or disrupt processes. 

Reducing the Impact of CPS Vulnerabilities and Exposures

Address Exposures of Most Critical Assets

Asset inventories are the key first step to reducing exposures; without adequate visibility, assets cannot be prioritized for mitigation and remediation of exposures. Once visibility is established, an organization should prioritize assets according to their business impact and expedite remediation efforts. Redefine vulnerability management in the context of exposures, with the riskiest being known exploited vulnerabilities. 

The Cybersecurity and Infrastructure Security Agency (CISA) maintains the Known Exploited Vulnerabilities (KEV) catalog, which is an invaluable resource for security organizations. It lists vulnerabilities that have been confirmed to have been exploited publicly, and includes details on the vulnerability, the affected software, and the required action, including whether it is associated with ransomware. The list is importable into security tools and should be used to correlate KEVs with prioritized assets. 
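As an added illustration of the two preceding paragraphs (not Claroty code, and not a real KEV extract), the script below loads a feed in the shape of CISA's KEV JSON, joins it against a business-impact-ranked CPS asset inventory, and ranks the resulting findings so that the highest-impact assets with ransomware-associated or overdue KEVs surface first. The CVE IDs, vendors, products and assets are constructed placeholders; the field names follow the published KEV schema.

```python
"""Correlate a KEV-style feed with a prioritized CPS asset inventory.

Added example, not Claroty code. The feed below is constructed with
placeholder CVE IDs; real data comes from CISA's published KEV JSON.
"""
import json
from datetime import date

# Constructed KEV-style feed. Field names follow the CISA KEV JSON schema;
# the CVE IDs, vendors and products are placeholders, not real entries.
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExamplePLC", "product": "ControlSuite",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleMed", "product": "InfusionManager",
         "dateAdded": "2024-02-05", "dueDate": "2024-02-26",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleHMI", "product": "PanelView",
         "dateAdded": "2024-02-12", "dueDate": "2024-02-26",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed asset inventory. "impact" is the business-impact score from
# the scoping step (1 = low, 5 = safety- or patient-critical).
ASSETS = [
    {"id": "plc-line-1", "zone": "OT-L1", "impact": 5,
     "software": [("ExamplePLC", "ControlSuite")]},
    {"id": "infusion-icu-07", "zone": "Clinical", "impact": 5,
     "software": [("ExampleMed", "InfusionManager")]},
    {"id": "hmi-lab-2", "zone": "OT-L2", "impact": 2,
     "software": [("ExampleHMI", "PanelView")]},
    {"id": "badge-printer", "zone": "IT", "impact": 1,
     "software": [("ExampleIT", "PrintServer")]},
]


def load_kev(raw_json):
    """Index KEV entries by (vendorProject, product) for fast lookup."""
    index = {}
    for entry in json.loads(raw_json)["vulnerabilities"]:
        index.setdefault((entry["vendorProject"], entry["product"]), []).append(entry)
    return index


def correlate(assets, kev_index, today):
    """Return findings ranked by business impact, ransomware use and due date.

    Score = impact * 10, +5 if CISA flags known ransomware use,
    +3 if the CISA due date has already passed.
    """
    findings = []
    for asset in assets:
        for key in asset["software"]:
            for kev in kev_index.get(key, []):
                due = date.fromisoformat(kev["dueDate"])
                ransomware = kev["knownRansomwareCampaignUse"] == "Known"
                score = asset["impact"] * 10
                score += 5 if ransomware else 0
                score += 3 if due < today else 0
                findings.append({
                    "asset": asset["id"], "zone": asset["zone"], "cve": kev["cveID"],
                    "score": score, "ransomware": ransomware,
                    "overdue": due < today, "action": kev["requiredAction"],
                })
    # Highest score first; asset id breaks ties deterministically.
    findings.sort(key=lambda f: (-f["score"], f["asset"]))
    return findings


if __name__ == "__main__":
    for f in correlate(ASSETS, load_kev(KEV_JSON), date(2024, 3, 1)):
        print(f"{f['score']:>3} {f['asset']:<16} {f['cve']} "
              f"ransomware={f['ransomware']} overdue={f['overdue']}")
```

One caveat worth building into a real pipeline: KEV entries identify a vendor and product but not affected versions, so a match here is a prompt to check the referenced advisory against the asset's firmware or software version, not a confirmed exposure. Product names in CPS inventories also need normalizing before the join, since the same device is often recorded differently by discovery tools and by the vendor.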

Segmentation and Isolation of CPS Assets

Virtually segmenting network zones creates areas of isolation for sensitive assets that reduce the attack surface of these devices and allow for better management of traffic flows. 

This is critical to ensure resilience of CPS environments; should one segment be compromised, security and network teams have a leg-up in isolating the attack and preventing it from spreading elsewhere on the network. This enables a measure of uptime guarantees without impacting the rest of the network. 

It also helps organizations enforce access policies and enforce zero-trust implementations by allowing for more granular control over assets and traffic. 
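To make the segmentation and exposure points above concrete, here is an added example (not Claroty code) that checks observed inter-zone flows against a deny-by-default zone policy. It flags three conditions discussed on this page: traffic that no zone rule permits, anything reaching a CPS zone from the internet, and Modbus write function codes arriving from a zone other than the designated engineering zone, which a protocol with no authentication cannot reject on its own. The zones, allow-list and flow records are constructed for illustration.

```python
"""Zone-segmentation policy check over sample flow records.

Added example, not Claroty code. Zones, allow-list and flows are constructed.
"""
from collections import namedtuple

# One observed conversation. "detail" carries the Modbus function code when
# proto is "modbus", otherwise None.
Flow = namedtuple("Flow", "src_zone dst_zone proto port detail")

ENGINEERING_ZONE = "OT-L2"          # only zone permitted to write to controllers
CPS_ZONES = {"OT-L1", "OT-L2", "OT-L3", "Clinical"}

# Permitted inter-zone conversations: (src_zone, dst_zone, proto, port).
# "*" matches any zone. Anything not listed is a policy violation.
ALLOW = [
    ("OT-L2", "OT-L1", "modbus", 502),    # engineering stations/HMIs to PLCs
    ("OT-L3", "OT-L1", "modbus", 502),    # historian polls PLC registers
    ("OT-L3", "OT-L2", "https", 443),     # site operations to HMIs over TLS
    ("Clinical", "DMZ", "dicom", 104),    # imaging modalities to DMZ archive
    ("*", "*", "dns", 53),
]

# Modbus function codes that change device state; 1-4 are reads.
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}

# Constructed sample flows, as a collector in each zone might export them.
SAMPLE_FLOWS = [
    Flow("OT-L2", "OT-L1", "modbus", 502, 6),        # write from engineering: fine
    Flow("OT-L3", "OT-L1", "modbus", 502, 3),        # historian read: fine
    Flow("OT-L3", "OT-L1", "modbus", 502, 16),       # write from historian zone
    Flow("Internet", "OT-L1", "modbus", 502, 1),     # controller reachable from internet
    Flow("Internet", "Clinical", "vnc", 5900, None), # remote desktop exposed
    Flow("IT", "IT", "rdp", 3389, None),             # intra-zone, out of scope
    Flow("Clinical", "DMZ", "dicom", 104, None),     # permitted image transfer
]


def allowed(flow):
    """True if some ALLOW rule permits this flow."""
    for src, dst, proto, port in ALLOW:
        if (src in ("*", flow.src_zone) and dst in ("*", flow.dst_zone)
                and proto == flow.proto and port == flow.port):
            return True
    return False


def classify(flow):
    """Return a finding category for a cross-zone flow, or None if it is clean."""
    if flow.src_zone == flow.dst_zone:
        return None                       # intra-zone traffic is not zone policy's concern
    if flow.src_zone == "Internet" and flow.dst_zone in CPS_ZONES:
        return "EXPOSED_TO_INTERNET"      # exposure regardless of any allow rule
    if not allowed(flow):
        return "POLICY_VIOLATION"
    if (flow.proto == "modbus" and flow.detail in MODBUS_WRITE_CODES
            and flow.src_zone != ENGINEERING_ZONE):
        return "WRITE_FROM_NON_ENGINEERING_ZONE"
    return None


def evaluate(flows):
    """Return (category, flow) pairs for every flow that needs attention."""
    return [(cat, f) for f in flows if (cat := classify(f)) is not None]


def summarize(flows):
    """Count findings per category, which is what a dashboard would chart."""
    counts = {}
    for cat, _ in evaluate(flows):
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    for cat, f in evaluate(SAMPLE_FLOWS):
        print(f"{cat:<34} {f.src_zone}->{f.dst_zone} {f.proto}/{f.port} detail={f.detail}")
```

The allow-list is the written form of the zone and conduit design; the value of the check is that it turns a segmentation diagram into something that can be run continuously against real flow telemetry, so that a conduit added "temporarily" or a controller that quietly gained a public address shows up as a finding rather than being discovered by an attacker's scanner first.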

Secure Remote Access to CPS

Remote workers, partners, and suppliers are also reaping the benefits of bringing CPS online. Employees can log in from anywhere and check on asset status, reconfigure assets as process changes emerge, or remotely engage with imaging systems to improve diagnostic capabilities. 

Traditional remote access technologies such as virtual private networks (VPNs) don’t include the auditing and remote control of sessions required within industrial or healthcare settings to adequately protect CPS assets in these environments. 

Successful organizations start with zero-trust models and a "never trust, always verify" approach that applies stringent controls and requirements around identity and policy to provide access to key assets. 

Hand-in-hand with zero trust comes privileged access management, which ensures that only authorized administrators can access and make changes to critical assets. Access can also be configured according to roles, and be time-limited or have other requirements or restrictions as detailed by policy. 
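The role-based, time-limited access described in the two paragraphs above can be expressed as a small deny-by-default decision function. The following is an added example (not Claroty code) of such a check: a session to a CPS asset is granted only when the requesting identity holds an explicit grant for that asset, the grant's role is entitled to the asset, the request falls inside the grant's time window, and the session has satisfied the grant's MFA requirement; every decision, allowed or denied, is written to an audit trail. Users, roles, assets and grants are constructed placeholders.

```python
"""Just-in-time, role-scoped access decisions with an audit trail.

Added example, not Claroty code. Roles, users, assets and grants are
constructed for illustration.
"""
from datetime import datetime

# Which assets each role may touch at all; a grant cannot exceed its role.
ROLES = {
    "ot-engineer": {"plc-line-1", "hmi-lab-2"},
    "biomed-tech": {"infusion-icu-07"},
}

# Constructed time-boxed grants, as a PAM workflow would issue them after
# change approval. "mfa" means the session must have completed MFA.
GRANTS = [
    {"id": "G-1", "user": "alice", "role": "ot-engineer", "asset": "plc-line-1",
     "start": "2024-03-01T08:00", "end": "2024-03-01T12:00", "mfa": True},
    {"id": "G-2", "user": "bob", "role": "biomed-tech", "asset": "infusion-icu-07",
     "start": "2024-03-01T06:00", "end": "2024-03-01T18:00", "mfa": True},
    {"id": "G-3", "user": "bob", "role": "biomed-tech", "asset": "plc-line-1",
     "start": "2024-03-01T06:00", "end": "2024-03-01T18:00", "mfa": True},
]

AUDIT = []   # append-only decision log; a real deployment ships this to the SIEM


def _record(user, asset, allowed, reason, now):
    AUDIT.append({"time": now.isoformat(), "user": user, "asset": asset,
                  "allowed": allowed, "reason": reason})
    return allowed, reason


def decide(user, asset, session_mfa, now, grants=GRANTS):
    """Return (allowed, reason). Deny unless a grant satisfies every check."""
    matching = [g for g in grants if g["user"] == user and g["asset"] == asset]
    if not matching:
        return _record(user, asset, False, "no grant for asset", now)
    reason = "no grant satisfied all checks"
    for g in matching:
        if asset not in ROLES.get(g["role"], set()):
            reason = "role not entitled to asset"      # grant exceeds role scope
            continue
        start = datetime.fromisoformat(g["start"])
        end = datetime.fromisoformat(g["end"])
        if not (start <= now < end):
            reason = "outside grant window"             # expired or not yet active
            continue
        if g["mfa"] and not session_mfa:
            reason = "mfa required"                      # identity not strongly verified
            continue
        return _record(user, asset, True, f"grant {g['id']}", now)
    return _record(user, asset, False, reason, now)


if __name__ == "__main__":
    t = datetime.fromisoformat
    print(decide("alice", "plc-line-1", True, t("2024-03-01T10:00")))
    print(decide("alice", "plc-line-1", True, t("2024-03-01T13:00")))
    print(decide("bob", "infusion-icu-07", False, t("2024-03-01T10:00")))
    print(decide("bob", "plc-line-1", True, t("2024-03-01T10:00")))
    for entry in AUDIT:
        print(entry)
```

Two design points carry over from the text: the default outcome is denial, so a missing grant or an expired window needs no special handling to fail closed, and the audit record is written for denials as well as approvals, which is exactly the session-level visibility the article notes a plain VPN does not give.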

Claroty’s CPS Exposure Management 

Claroty has aligned its exposure management offerings with the five steps of Gartner's Continuous Threat Exposure Management (CTEM) cycle: scoping, discovery, prioritizing, validating, and mobilization. 

  • Scoping involves making a determination of the assets that are essential to core business processes; focusing on these assets reduces the overall number of devices that must be prioritized.

  • Discovery is a complete asset inventory that drives vulnerability and exposure prioritization. 

  • Prioritizing also includes insecure configurations and conditions such as default credentials. KEVs and business impact assessments enrich this process. 

  • Validating examines exposures and whether they are exploitable, and which remediations such as compensating controls or patches are available to mitigate threats.

  • Mobilization ensures that exposure management is integrated into security workflows and promotes the cross-team collaboration that eliminates risk. 

The Claroty Platform delivers exposure management as part of a single industry-leading solution that also combines asset inventory, network segmentation, and secure remote access functionality. 

With deep asset visibility and protocol knowledge, the Claroty Platform also seamlessly integrates with existing security operations center (SOC) tools, enabling your organization to confidently and effectively monitor and manage all threat alerts. 

The platform also provides unmatched visibility into network reference models such as the Purdue Model, ensuring organizations are cyber and operationally resilient. 

Learn more about the platform by scheduling a demo with one of our experts.
