38% of riskiest cyber-physical systems neglected, warns Claroty report
Cyber-physical systems (CPS) are at a high risk of cyber attacks, as a staggering 38% of the riskiest assets are overlooked by traditional vulnerability management practices, according to a recent report by Claroty, a leading CPS protection company. This knowledge gap leaves these high-risk CPS assets prone to exploitation by web-based attackers.
The report was prepared by Claroty's research group, Team82, which thoroughly examined over 20 million pieces of operational technology (OT) and highlighted the following key points:
- 20% of OT and IoMT (Internet of Medical Things) devices have CVSSv3.1 (Common Vulnerability Scoring System version 3.1) scores of 9.0 or above.
- 1.6% of these devices were deemed "high risk," meaning they have an insecure internet connection and contain at least one Known Exploited Vulnerability (KEV).
- Shockingly, 38% of these ultra-high-risk OT and IoMT devices do not have a CVSS score of 9.0 or above. This means they are often unnoticed by traditional vulnerability management methods, making them ripe for exploitation by threat actors.
Amir Preminger, VP of research for Claroty's Team82, clarified: "Organisations must take a holistic approach to exposure management that focuses on the ticking time bombs in their environment, because even if they somehow mastered the impossible task of addressing every single 9.0+ CVSS vulnerability, they'd still miss nearly 40% of the most dangerous threats to their organisation."
To counteract this gaping oversight, Claroty has introduced a cutting-edge CPS-native exposure management solution. This innovative tool allows organisations to understand their existing CPS risk posture, utilise their resources most efficiently, and accelerate their journey towards CPS security maturity – irrespective of their starting point.
The CPS-native exposure management tool offers businesses the following key capabilities:
- Identification and profiling of all CPS assets using highly flexible discovery methods, attributing vulnerabilities, and monitoring for threats.
- Receiving actionable recommendations that prioritise remediation efforts based on quantified outcomes as defined by specific attack vectors and their likelihood of being exploited.
- Investigation of exploitability using VEX files and additional discovery tactics.
- Inclusion of CPS devices in exposure management programs using multi-data collection methods and tailored risk calculations to lay the foundation for network scoping.
- Streamlining of remediation and program mobilisation by integrating with leading IT/OT cybersecurity and asset management solutions.
"Reducing risk requires an evolution from a traditional vulnerability management program to a more focused and dynamic exposure management program," said Grant Geyer, chief product officer at Claroty. He further pointed out that this program considers unique CPS asset characteristics and complexities, unique operational and environmental constraints, organisational risk tolerances, and desired outcomes of the CPS cyber-risk program.