SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

How to implement exposure management in complex cyber-physical systems

Wed, 23rd Oct 2024

Digital transformation is accelerating across critical infrastructure sectors, creating more cyber-physical connectivity than ever before. While this connectivity has huge benefits, it has also drastically expanded the attack surface for cybercriminals looking to exploit potential weaknesses. Attacks on cyber-physical systems (CPS) have the potential to disrupt businesses and broader society. For example, attacks on the CPS used to control power grids, water treatment plants, healthcare services or even telecommunications networks have the potential to cause serious consequences for public safety.

To protect CPS against these threats, organisations need to be able to identify vulnerabilities, assess the potential impact on their operations if these vulnerabilities are exploited and, as much as possible, eliminate them. They also need to be prepared with an adequate response if they are exploited. In short, they need a quality exposure management strategy. But what is exposure management in the first place?

Exposure Management 101

An organisation's level of exposure is determined by the number, criticality and potential impact of the vulnerabilities or weaknesses within its CPS environments that are susceptible to attack by adversaries. As organisations face an ever-increasing attack surface due to digital transformation, it is becoming increasingly difficult to keep track of the many vulnerabilities in their environments. Each of these vulnerabilities offers an entry point for unauthorised access, disruption of essential services, or other detrimental actions by attackers.

Consequently, it is crucial for organisations to adopt proactive exposure management policies involving the identification, evaluation, and mitigation of potential vulnerabilities and risks before they are exploited. The primary aim of exposure management is to diminish an organisation's exposure or attack surface by identifying vulnerabilities within their critical environment, thus reducing the risk of exploitation. Without exposure management, organisations will find it nearly impossible to maintain a strong cybersecurity posture, protect their critical systems, comply with regulations, and mitigate the potential impact of cyber threats. 

Key challenges of exposure management

CPS assets typically speak industrial, often proprietary, protocols that IT security tools do not understand, and many of these devices cannot safely be probed by conventional active scanners, so they are effectively invisible to the IT toolset. Without reliable asset data, organisations suffer significant context gaps that hinder prioritisation and remediation decisions.

Furthermore, traditional security solutions developed for IT tend to prioritise vulnerabilities according to the Common Vulnerability Scoring System (CVSS). A CVSS base score rates a vulnerability's technical severity; it says nothing about whether the flaw is actually being exploited. Severity does not always correlate with the likelihood of exploitation, so the latter (for example, whether a flaw appears in a known-exploited-vulnerabilities catalogue, combined with how reachable the affected asset is) is a much better means of deciding how to allocate scarce cyber security resources.

To add to these challenges, it is often very difficult to patch CPS, given that these environments tend to have low or no tolerance for downtime because of the critical production processes they support. All maintenance activity therefore has to be crammed into rare, pre-allocated and very limited timeslots.

Complying with various industry regulations and standards adds an additional layer of complexity to exposure management. Adhering to specific requirements that are often complex and subject to frequent updates can be a daunting task. Making matters more challenging is the fact that compliance failures may result in legal and regulatory consequences, as well as an increased risk of cyber threats.  

Strategies and Best Practices for Successful Exposure Management

Combating these issues and successfully implementing exposure management strategies requires a multifaceted approach.

The first step should always be asset discovery: gathering comprehensive details of every single asset connected to the network, including make, model, firmware version, IP address and location. Without full-spectrum asset visibility, effective cybersecurity controls, including CPS vulnerability management, are impossible to implement. Tools are available that automate this process, typically by passively observing network traffic rather than actively probing fragile devices, and take the heavy lifting out of it.

Once all assets are discovered, the vulnerabilities affecting each one can be identified by cross-checking its make, model and firmware version against published Common Vulnerabilities and Exposures (CVE) records and vendor advisories. Organisations can then prioritise vulnerabilities for mitigation according to the likelihood of exploitation and the likely impact on operations and the business should an attack occur.

There is another problem: in a large installation, identifying and mitigating vulnerabilities creates a significant management challenge. This is much easier if CPS exposure management is integrated with the existing IT vulnerability management system. A good CPS cybersecurity platform can provide this function, integrating with the configuration management database (CMDB), ticketing, orchestration and security information and event management (SIEM) tools.
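The discovery, cross-check, prioritisation and ticket hand-off steps above, as one worked example in Python. This is an added example and not the article's or any vendor's code: every asset, vendor, model, firmware version and VULN-00x identifier is constructed for illustration (none is a real product or CVE), and the likelihood weights are assumed. It shows the point made earlier about CVSS: ranked by likelihood times operational impact, an actively exploited CVSS 6.5 flaw on a DMZ-reachable HMI comes out ahead of a CVSS 9.8 flaw on an isolated PLC.

```python
"""Added example, not the article's or any vendor's code: cross-check a CPS
asset inventory against a vulnerability list, then rank the findings by
exploitation likelihood and operational impact instead of CVSS severity alone.
Every asset, vendor, model, version and VULN-00x identifier below is
constructed for the example; none is a real product or CVE."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    model: str
    firmware: str      # dotted version string, e.g. "2.3.1"
    ip: str
    zone: str          # "control" (isolated), "dmz", or "enterprise-facing"
    criticality: int   # 1 (monitoring only) .. 5 (safety/production critical)


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    vendor: str
    model: str
    fixed_in: str            # asset is affected when firmware < fixed_in
    cvss: float
    exploited_in_wild: bool  # e.g. listed in a known-exploited catalogue
    network_vector: bool     # reachable over the network vs. local/physical only


@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln: Vuln
    likelihood_pct: int
    risk: int


def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, vuln: Vuln) -> bool:
    """Cross-check step: same make/model and firmware older than the fix."""
    return (asset.vendor == vuln.vendor and asset.model == vuln.model
            and version_tuple(asset.firmware) < version_tuple(vuln.fixed_in))


# Illustrative weights (assumed, not from the article): likelihood on a 0..100 scale.
ZONE_EXPOSURE = {"control": 0, "dmz": 5, "enterprise-facing": 10}


def likelihood_pct(asset: Asset, vuln: Vuln) -> int:
    score = 20                          # baseline for any confirmed-affected asset
    if vuln.exploited_in_wild:
        score += 50                     # active exploitation dominates the estimate
    if vuln.network_vector:
        score += 20
    score += ZONE_EXPOSURE[asset.zone]  # how reachable the asset is from attackers
    return min(score, 100)


def prioritise(assets, vulns):
    """Return findings sorted by risk = likelihood x operational impact, highest first."""
    findings = []
    for a in assets:
        for v in vulns:
            if is_affected(a, v):
                lp = likelihood_pct(a, v)
                findings.append(Finding(a, v, lp, lp * a.criticality))
    return sorted(findings, key=lambda f: (-f.risk, -f.vuln.cvss))


def to_tickets(findings):
    """Flatten findings into records a ticketing/CMDB integration could ingest."""
    tickets = []
    for f in findings:
        tickets.append({
            "asset": f.asset.name,
            "ip": f.asset.ip,
            "vuln_id": f.vuln.vuln_id,
            "risk": f.risk,
            "priority": "P1" if f.risk >= 250 else "P2" if f.risk >= 100 else "P3",
            # control-zone devices can only be patched in a planned outage window
            "needs_maintenance_window": f.asset.zone == "control",
        })
    return tickets


# Constructed sample inventory and vulnerability list (not real devices or CVEs).
ASSETS = [
    Asset("PLC-Line1", "AcmePLC", "X100", "2.3.1", "10.10.1.5", "control", 5),
    Asset("PLC-Line2", "AcmePLC", "X100", "2.4.0", "10.10.1.6", "control", 5),
    Asset("HMI-Ops", "AcmeHMI", "Panel7", "1.0.4", "10.10.2.7", "dmz", 3),
    Asset("Historian", "AcmeHist", "H2", "4.2.0", "10.20.0.9", "enterprise-facing", 2),
]
VULNS = [
    Vuln("VULN-001", "AcmePLC", "X100", "2.4.0", 9.8, False, True),
    Vuln("VULN-002", "AcmeHMI", "Panel7", "1.1.0", 6.5, True, True),
    Vuln("VULN-003", "AcmeHist", "H2", "4.3.0", 7.5, False, False),
    Vuln("VULN-004", "AcmePLC", "X100", "2.0.0", 8.1, False, True),  # already fixed
]

if __name__ == "__main__":
    for ticket in to_tickets(prioritise(ASSETS, VULNS)):
        print(ticket)
```

Sorting the same list by CVSS alone would put VULN-001 (9.8) first and VULN-002 (6.5) last; the risk ordering reverses that because VULN-002 is known to be exploited and its HMI is reachable from the DMZ. PLC-Line2 produces no finding because its firmware is already at the fixed version, and the PLC ticket is flagged as needing a maintenance window, which is where the downtime constraint discussed earlier enters the workflow.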

The takeaway

As threat actors increase both the magnitude and complexity of their attacks, it is becoming increasingly vital for organisations of any scale to integrate exposure management into their security toolbox. The proactive strategies outlined above not only enable organisations to tackle potential risks and vulnerabilities before they escalate into significant issues, but also improve their capacity for making informed business choices and fortify their resilience against cyber threats.
