‘15CFAM’ is No FUN When Vulnerabilities Aren’t Managed

Welcome back to our next installment of ‘15 Cybersecurity Fundamentals Awareness Month’ (15CFAM), as WaterISAC continues its complement to National Cybersecurity Awareness Month (NCSAM). We hope you were challenged a little by our last 15CFAM on Consequence-driven Cyber-informed Engineering (CCE), but as promised we are back to a more broadly practical fundamental on vulnerability management. Vulnerabilities represent a significant portion of our organizational attack surface. Vulnerabilities are present everywhere – hardware, software, firmware, configurations, supply chains, and staff practices. Next to segmentation and access controls, vulnerabilities could be the facet of our cybersecurity strategy we have the most control over.

Vulnerability management is part of the core of every cybersecurity program, so don’t let its appearance at #7 (Embrace Vulnerability Management) in the WaterISAC 15 Cybersecurity Fundamentals for Water and Wastewater Utilities fool you. Largely informed by asset inventory and risk assessments, vulnerability management involves the need to identify and remediate cybersecurity gaps and vulnerabilities before the bad guys exploit them – an absolute necessity for every organization. Vulnerability management typically begins with things like patching and antivirus. However, effectively managing vulnerabilities requires a holistic program to address situations where patching and antivirus are not effective – or even possible – such as with end-of-life control system components.

Once vulnerabilities have been identified and prioritized, they must be remediated, mitigated, or accepted. In instances where patches are not or cannot be applied, vulnerabilities should be mitigated through compensating security control methods such as “hardening” to remove unnecessary services and applications, replacing devices when they are no longer supported by the vendor, enforcing policies and procedures, and providing cybersecurity awareness and technical training. As previously stated, sometimes remediation or mitigation are not practical, effective, or even possible in some situations. However, all vulnerabilities must be addressed, even if that means only documenting and accepting the risk and the reason why it is unable to be corrected.

The aforementioned fundamentals guide has many good resources to help utilities embrace vulnerability management. But in the spirit of providing additional resources not in the current version of the guide, we have been following and often reporting on vulnerability management posts from OT cybersecurity firm, Verve Industrial. We encourage you to search “Verve” in the WaterISAC Resource Center for prior posts, keep an eye out for future posts, or check out the Verve blog for even more!