Ocepek: Visibility is key. Understanding where the vulnerabilities exist and which ones are most important to remediate first is critical. If it’s too risky to patch, there are compensating countermeasures that can be effective; for example, segmenting the vulnerable device from the rest of the network or creating alerts in SIEM [security information and event management] and other detection tools so that they can rapidly detect an attack against the device. Whichever route organizations prefer to take, it’s important to note that doing nothing shouldn’t be an option. In most cases, there is a way to minimize the risk of a compromise.

Edwards: That’s a good point. For a long time, OT teams have said, ‘I can’t patch, so I don’t need to know if I am vulnerable.’ Boards are now holding security leaders accountable for knowing and proving they have reduced the number of critical vulnerabilities in their environment. It’s not acceptable to not know. So, if they can’t fix a vulnerability, it should still be on their risk register as something that should be mitigated.

An important first step is to gain visibility about your asset inventory. Know what you have, because you can’t protect what you can’t see. The most common question I receive from CISOs is, ‘How do I know what I have for OT?’ Start with the fundamentals. Create a solid asset inventory, and don’t make it a point-in-time exercise. It’s important to continuously analyze networks for which devices are presently connected to them and their protocols. Then, cross-reference those devices with known vulnerabilities, which are typically in the National Vulnerability Database.

Also, use detection technologies to see if new devices are being added to the network and look for ports that shouldn’t be there. Lastly, monitor the configuration of devices. Are people making changes to the logic that is running in certain devices? If so, were those changes approved, or is it a disgruntled employee making the change?
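The continuous inventory process Edwards describes (snapshot the network, cross-reference devices with known vulnerabilities, flag new devices and unexpected ports, and check whether logic changes were approved), as an added example that is not part of the interview. The device names, ports, hashes and vulnerability identifiers are constructed placeholders, and the vulnerability feed stands in for a local copy of NVD records.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    ip: str
    product: str          # vendor product name, e.g. a PLC or HMI model (constructed)
    version: str          # firmware/software version string
    ports: frozenset      # listening TCP ports seen on the network
    config_hash: str      # hash of the logic/config currently loaded on the device

# Constructed stand-in for a local copy of NVD records, keyed by (product, version).
VULN_FEED = {
    ("example_plc", "2.1"): ["CVE-PLACEHOLDER-0001"],
    ("example_hmi", "5.0"): ["CVE-PLACEHOLDER-0002", "CVE-PLACEHOLDER-0003"],
}
# Ports each product is expected to expose (constructed baseline).
ALLOWED_PORTS = {"example_plc": frozenset({502}), "example_hmi": frozenset({443})}

def review_inventory(previous, current, approved_change_ips):
    """Compare two inventory snapshots and return sorted (finding, detail) pairs."""
    prev = {a.ip: a for a in previous}
    findings = []
    for a in current:
        old = prev.get(a.ip)
        if old is None:
            findings.append(("new_device", a.ip))                 # appeared since last scan
        elif old.config_hash != a.config_hash and a.ip not in approved_change_ips:
            findings.append(("unapproved_config_change", a.ip))   # logic changed, no approval
        for port in sorted(a.ports - ALLOWED_PORTS.get(a.product, frozenset())):
            findings.append(("unexpected_port", f"{a.ip}:{port}"))
        for cve in VULN_FEED.get((a.product, a.version), []):    # cross-reference with feed
            findings.append(("known_vulnerability", f"{a.ip} {cve}"))
    for ip in sorted(prev.keys() - {a.ip for a in current}):
        findings.append(("device_missing", ip))                   # gone since last scan
    return sorted(findings)

# Constructed snapshots: yesterday's scan and today's scan.
YESTERDAY = [
    Asset("10.0.0.10", "example_plc", "2.1", frozenset({502}), "h1"),
    Asset("10.0.0.20", "example_hmi", "5.0", frozenset({443}), "h2"),
]
TODAY = [
    Asset("10.0.0.10", "example_plc", "2.1", frozenset({502, 23}), "h1x"),  # new port, new logic
    Asset("10.0.0.20", "example_hmi", "5.0", frozenset({443}), "h2"),
    Asset("10.0.0.30", "example_plc", "2.1", frozenset({502}), "h3"),       # unknown device
]

if __name__ == "__main__":
    for kind, detail in review_inventory(YESTERDAY, TODAY, approved_change_ips=set()):
        print(f"{kind:26} {detail}")
```

Feeding the findings into the SIEM alerts Ocepek mentions turns the inventory into a standing control rather than a point-in-time exercise.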

