A SCADAfence New Feature report

A large, robust Industrial Control Systems (ICS) network can contain tens of thousands of devices. Each of those devices may have any number of associated known CVEs (Common Vulnerabilities and Exposures). Do the math and what you’ll come up with is a terrifying mountain of possible vulnerabilities. What’s a CISO to do? How to prioritize the work of implementing all the patches needed to keep the OT network safe? The problem is exacerbated if the CISO has limited OT Security team members available. (Check out the 2022 State Of Operational Technology Report for more on that.)

Analyzing all of these CVEs is time-consuming, and it is tough to recognize which ones are most important to patch. As a result, OT cyber security teams may end up wasting valuable resources with very little benefit.

Typically, CVEs are prioritized according to their CVSS (Common Vulnerability Scoring System) score. Each CVE has a CVSS score, and it's possible for several CVEs to have the same high CVSS score. Now, the question becomes: which asset to patch first? (Or whether to patch at all?)

Many OT security solutions focus on alerting to the largest number of CVEs they can, even at the cost of low accuracy. This may be a sign that an OT Security product is subpar. In fact, showing all possible CVEs for a particular device or vendor puts more burden on the customer to check them, even those that have little chance of causing harm to their network.

The answer to better CVE management for your ICS network is CVE Prioritization.

Advanced CVE Matching Means Fewer False Positives

To address this, SCADAfence introduced an advanced CVE matching algorithm that accurately correlates CVEs to assets. Unlike traditional solutions, SCADAfence’s security experts are constantly analyzing new CVEs and refining the matching algorithm. Already-existing CVEs are synced with new CVEs, triggering re-calculation of the matching between all CVEs and assets. This achieves incredibly low false positive rates.

CVE matching algorithm - before and after analysis

Automatic CVE Prioritization

The SCADAfence Platform is now able to prioritize CVEs by correlating the asset’s criticality attributes and its CVSS score. It does this with a two-step process.

Step one uses SCADAfence’s advanced CVE matching algorithm as described above. 

Step two uses a proprietary algorithm, which includes the asset's criticality and its CVSS score, to indicate the risk level of each asset within the ICS environment. The result for the SCADAfence Platform’s users is an organized, prioritized roadmap for implementing patches and other fixes to their OT network.

The user can view and filter host CVEs based on their prioritization, or choose to override this prioritization value. CVEs can be accurately categorized as ASAP, Scheduled, or Defer in the CVEs section of the asset’s details. 

Summary of Benefits of CVE Prioritization

  • It helps you to optimize the process and costs of your organization’s patching efforts by gaining clearer insights into the true level of risk associated with each asset.
  • You get detailed information for each asset’s risk level, which is adapted to your specific environment.
  • Zero false positive rate in CVE matching between CVEs and vendors means you’ll spend less time sorting through unnecessary information.
  • Your organization’s CVE risk level is automatically recalculated after all asset criticality updates or newly matched CVEs.
  • You will reduce risk and save time by patching the most insecure assets first.

SCADAfence New Feature Reports is an occasional series of blogs exploring the many newly added features of the SCADAfence Platform in detail. For more information or to see SCADAfence in action, request a personalized demo.