Claroty, the cyber-physical systems (CPS) protection company, released new proprietary data revealing that 38% of the riskiest CPS assets are overlooked by traditional approaches to vulnerability management, illuminating a major blind spot that is ripe for exploitation by threat actors. To address this blind spot, Claroty is introducing a complete built-for-purpose CPS exposure management solution, empowering organisations to minimise their attack surface by prioritising the most immediate threats.
To understand the scope of exposure and the associated risk facing CPS environments, Claroty’s award-winning research group Team82 analysed data from over 20 million operational technology (OT), connected medical devices (IoMT), IoT, and IT assets in CPS environments. The research focused on assets that are defined as “high risk,” have an insecure internet connection, and contain at least one Known Exploited Vulnerability (KEV). Researchers defined “high risk” as having a high likelihood and high impact of being exploited, based on a combination of risk factors such as end-of-life state, communication with insecure protocols, known vulnerabilities, weak or default passwords, PII or PHI data, consequence of failure, and several others.
Key findings include:
- 20% of OT and IoMT devices have CVSSv3.1 scores of 9.0 or above – a metric representing the traditional approach to vulnerability management, which relies solely on the Common Vulnerability Scoring System version 3.1.[1] This volume is too overwhelming and resource-intensive for most organisations to realistically address, especially on CPS assets with limited windows for patching, and provides no indication of where to start remediation efforts.
- 1.6% of OT and IoMT devices are defined as “high risk,” have an insecure internet connection, and contain at least one KEV – the apex of exposure factors that together pose a real, imminent danger to organisations. This represents tens of thousands of high-risk CPS assets that can be accessed remotely by threat actors and contain vulnerabilities actively exploited in the wild.
- Of these ultra-high-risk OT and IoMT devices, 38% do not have a CVSS score of 9.0 or above – meaning they go unnoticed by traditional vulnerability management methods, yet are alarmingly ripe for exploitation by threat actors, signifying a high-risk blind spot for organisations.
“It’s important to understand the implications of any number higher than zero when measuring the risk associated with hyper-exposed assets used to control systems like the power grid or deliver life-saving patient care,” said Amir Preminger, vice president of research for Claroty’s Team82. “Organisations must take a holistic approach to exposure management that focuses on the ticking time bombs in their environment, because even if they somehow mastered the impossible task of addressing every single 9.0+ CVSS vulnerability, they’d still miss nearly 40% of the most dangerous threats to their organisation.”
Learn more about Team82’s findings in “The CPS Blind Spot” report.