1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Why OT security needs exposure management to break the cycle of e

    From TechnologyDaily@1337:1/100 to All on Wed Mar 26 08:00:07 2025
    Why OT security needs exposure management to break the cycle of endless patching

    Date:
    Wed, 26 Mar 2025 07:54:56 +0000

    Description:
    Traditional vulnerability management is preventing organizations from staying ahead of the curve and misses the real threats.

    FULL STORY ======================================================================

    Operational technology (OT) has long struggled with modern cybersecurity demands, but operators now face an increasingly dire cyber threat from nation-state actors. OT is essential for managing cyber-physical systems across fields, including manufacturing, transport, and energy, putting it in the sights of hostile actors backed by China, Russia, Iran, and more.

    Yet many OT environments are profoundly unprepared for the threat, often struggling with essential vulnerability management activity that should be a baseline to reliable security.

    OT security teams should consider a shift to a policy of exposure
    management, a smarter approach that prioritizes the most exploitable, high-risk vulnerabilities first. Organizations relying on OT must move to reduce operational strain while closing the gaps that leave their systems
    open to hostile state-backed actors. Why OT is a prime target for
    nation-state cyberattacks

    OT environments are prime targets for nation-state actors and cybercriminals attacking critical national infrastructure (CNI). Adversaries have a range of objectives, from stealing classified data and conducting corporate espionage to disrupting economic stability.

    In the last few years, multiple high-profile incidents have been linked to known threat groups. For example, Volt Typhoon and Salt Typhoon are two prolific groups linked to China that have conducted several attacks on U.S. infrastructure.

    Volt Typhoon has infiltrated critical infrastructure, including communications, energy, and water, and is known for using stealthy, low-and-slow tactics to exploit native tools and systems. Salt Typhoon, meanwhile, is believed to be involved in exfiltrating data from ISPs for use by Chinese intelligence operations.

    Sandworm, closely linked to Russias military intelligence, is another long-running APT targeting critical infrastructure. The group is believed to be behind several attacks on Ukraines power grid over the last decade, creating the Industroyer and Industroyer 2 malware designed for industrial equipment using specific protocols. Sandworm also unleashed the notorious NotPetya ransomware.

    Iran has also proven itself to be a major player in international cyberattacks. The CyberAv3ngers group has attacked U.S. water facilities
    using compromised PLCs and HMIs. The group has also targeted civilian infrastructure with IOCONTROL, a Linux -based backdoor designed for multiple standard OT control systems.

    While high-level APTs like these have the resources and expertise for
    advanced tools and tactics, many OT attacks begin with unsecured devices connected to the internet, providing a clear attack path to establish footholds in critical systems.

    After assessing nearly one million OT devices across 270 organizations in multiple fields, we found persistent evidence of malware in OT systems.
    Sample companies in manufacturing, natural resources, and logistics and transportation all had more than 10% of their OT devices communicating with malicious domains. The problem with traditional vulnerability management

    Vulnerability management is a persistent issue across most sectors but can be particularly difficult when dealing with OT environments. In addition to the large and continuously increasing number of vulnerabilities to address, OT security teams must also deal with complex networks that include many disparate assets, often using their own proprietary operating systems. OT assets are seldom compatible with scanning and IT management tools designed for standard IT networks.

    As a result, teams often struggle to implement the prioritized, ordered approach to vulnerabilities needed to keep ahead of hostile attacks.

    Of the 270 organizations we assessed, 70% had at least one known exploitable vulnerability (KEV) in their OT systems. Twelve percent of the nearly one million devices included in the study contained a KEV that had yet to be patched. Worse, 40% of organizations have OT assets insecurely connected to the internet, creating a direct pathway for cyberattacks.

    Security teams are often stuck pursuing slow and inefficient patch management programs that lack clear direction. Prioritization is usually based extensively on CVSS scores, which fail to consider the context within the company and, thus, the vulnerability's real-world exploitability and impact. More dangerous vulnerabilities may be overlooked while less important issues drain resources. The case for exposure management

    Dealing with vulnerable OT assets requires a more dynamic approach, prioritized by the real risk to the organization and its infrastructure. Exposure management has emerged as one of the most effective strategies, enabling teams to identify and focus on vulnerabilities with the most significant potential for real-world exploitation.

    Exposure management weighs priorities based on multiple risk factors, including identifying which KEVs are actively exploited in the wild and whether assets are affected by insecure remote access or misconfigurations that increase risk. The assessment also considers a device's criticality to business operations, for example, prioritizing those that would disrupt production or cause safety issues in the event of a breach.

    The result is a drastically reduced and more focused to-do list for security teams. For example, our research found roughly 111,000 devices with KEVS. But filtering the list by vulnerabilities linked to ransomware and devices with insecure connectivity immediately reduces the total number to 3,800.
    Suddenly, the task has shrunk by a factor of 30, even before applying more context for specific organizations. How to start implementing exposure management in OT security

    Exposure management follows a five-step process to identify, assess and resolve OT vulnerabilities.

    1. Scoping

    The first step is identifying those OT assets most critical to operations, such as production lines in manufacturing or scheduling control systems in maritime transport. This is especially important for asset-intensive
    companies with a large volume of devices to manage. The aim is to reduce the number of assets that need continuous security inspection.

    2. Discovery

    Next, this initial list of assets is built into a detailed inventory,
    focusing on the highest-risk devices. This needs to be a highly data-driven method, while more extensive and complex operations will need an automated approach to make discovery manageable.

    3. Prioritization

    The high-risk inventory can now be prioritized based on severity. As discussed, this process needs to move beyond basic CVSS scores to consider
    the actual risk posed by KEVs, the assets connectivity status, and the potential impact of a breach. Exploit prediction scoring and business impact assessments provide more data points to inform these decisions.

    4. Validation

    Before taking any action, its crucial to ensure vulnerabilities are exploitable and not blocked by elements like closed ports or firewalls. This avoids wasting resources on patching vulnerabilities that look severe on
    paper but are low risk in reality.

    5. Mobilization

    With all that preparation done, its time to get moving. Its best to integrate exposure management into existing security workflows like patching and access control wherever possible to keep things efficient. Organizations should also look to establish cross-team collaboration between IT, security, and operations, as OT often becomes heavily siloed from standard IT practices. Hardening OT against advanced adversaries

    Traditional vulnerability management is failing OT security teams by focusing on attempting to patch everything rather than addressing real threats. In the face of increasingly aggressive state-backed actors, this inefficient
    approach leaves critical infrastructure vulnerable to severe security incidents.

    Identifying and prioritizing high-risk vulnerabilities through an exposure management approach will enable these organizations to manage vulnerabilities quickly and efficiently, drastically improving defenses against nation-state threats, ransomware, and cybercriminals.

    We feature the best network monitoring tool .

    This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro



    ======================================================================
    Link to news story: https://www.techradar.com/pro/why-ot-security-needs-exposure-management-to-bre ak-the-cycle-of-endless-patching


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)