Industrial control system operators have a lot to worry about, but known vulnerabilities in their OT systems get more attention than they deserve.
“There have been zero known ICS vulnerabilities ever leveraged in any ICS cyberattack,” Robert M. Lee, CEO and co-founder at Dragos said Thursday during an executive briefing on critical infrastructure security hosted by Dragos.
The cyberthreats confronting ICS are vast and distinct. One way to cut through the risk: Prioritize resources and efforts in line with the most likely points of attack or failure.
“I’m not saying vulnerabilities don’t matter. I’m just saying we put it as the No. 1 thing when it’s probably not in the top four in terms of what we need to do,” Lee said.
“There's so much pressure on asset owners and operators to always be patching, and I have responded to more IT people taking down plants through patching than Russia, China and Iran combined,” Lee said. “I just want us to be careful of the risk.”
When the ICS and OT security software vendor’s threat intelligence team looks at vulnerabilities, it ascertains their potential impact to industrial organizations based on two queries:
- Has it been used in an attack?
- Could the vulnerability be used in an attack that might cause serious damage?
Any vulnerability that meets one of those factors gets placed in the “you should take care of this now category,” Lee said. “And only 4% rise to the level of, you should do it now.”
The remaining vulnerabilities are almost evenly split between those that might be used for an attack but have negligible impact and those that bear no relevance to ICS or industrial OT, according to Lee.
Vulnerabilities have a correlation to legacy equipment and software, another common target for misplaced priorities in industrial OT.
“There's this idea that if we didn't have legacy equipment that we wouldn't have the risk, and that's not how the industrial attacks actually happen,” Lee said. "It's not a let's rip and replace as if everything could be magically better.”