Traditional approaches to vulnerability management result in a narrow focus of the enterprise attack surface area that overlooks a considerable amount of risk, according to Claroty.
Organizations must take a holistic approach to exposure management
To understand the scope of exposure and the associated risk facing cyber-physical systems (CPS) environments, Claroty’s research group Team82 analyzed data from over 20 million operational technology (OT), connected medical devices (IoMT), IoT, and IT assets in CPS environments.
The research focused on assets that are defined as “high risk,” have an insecure internet connection, and contain at least one Known Exploited Vulnerability (KEV). Researchers defined “high risk” as having a high likelihood and high impact of being exploited, based on a combination of risk factors such as end-of-life state, communication with insecure protocols, known vulnerabilities, weak or default passwords, PII or PHI data, consequence of failure, and several others.
“It’s important to understand the implications of any number higher than zero when measuring the risk associated with hyper-exposed assets used to control systems…
