The importance of cyber-physical systems (CPS) in critical infrastructure is clear. Utilities like water and wastewater, electricity generation, and gas are leveraging integrated technologies to blend the digital world with physical inputs for maximum efficiency. Overall, this is a good thing because doing so makes it easier to monitor usage and deliver on the core goal of a more effective public infrastructure. 

The problem with this growth in CPS usage is that exposing critical infrastructure technology to the Internet means that the attack surface has also expanded. Internet of Things (IoT) sensors used for remote monitoring could present the risk of intrusion from an opportunistic threat actor. 

As a result, exposure management is a critical need within cyber-physical systems. The expanding attack surface and resulting cyberattack risk make it necessary for security teams at utilities and municipalities to develop a comprehensive approach to managing exposure risk. 

What Is Exposure Management? 

Exposure management is the practice of identifying and either resolving or mitigating the risk of a cyberattack through a combination of patching vulnerabilities and deploying mitigation strategies such as network segmentation. Exposure management is a proactive approach that includes an analysis of discoverable assets like endpoints, cloud storage, IoT devices, and others for more effective risk assessment.

The idea behind exposure management is to better secure the organization against cyberattacks through a more cohesive understanding of which assets pose the biggest risk. In cyber-physical systems, exposure management involves extensive discovery of connected devices alongside understanding the expected behavior of each piece of equipment. The ultimate goal here is to assess the risk of cyberattacks on every IoT device and apply appropriate mitigations to reduce the possibility of an incident. 

Back in 2022, Gartner coined the term Continuous Threat Exposure Management (CTEM) to describe the solutions and practices that enable teams to manage cybersecurity exposures. Gartner® defines Continuous Threat Exposure Management as “a set of processes and capabilities that allow enterprises to continually and consistently evaluate the accessibility, exposure, and exploitability of an enterprise’s digital and physical assets.”

According to Gartner, “At any stage of maturity, a CTEM cycle must include five steps to be completed: scoping, discovery, prioritization, validation, and mobilization. Organizations building a CTEM program use tools to inventory and categorize assets and vulnerabilities, simulate or test attack scenarios, and other forms of posture assessment processes and technologies. It is important that a CTEM program has an effective and actionable path for infrastructure teams, system, and project owners to take action on findings.”

Why Exposure Management Matters in Cyber-Physical Systems 

Critical infrastructure organizations like wastewater plants often have limited resources dedicated to security. The classic patch management approach of resolving every possible vulnerability doesn’t really work when the organization in question doesn’t have the staffing or technical resources to do so. 

Exposure management is more effective for teams with limited resources because it adopts a risk-based approach to security. Understanding the real risk of an attack on any given system means that security leaders can apply the tightest security to the most critical assets.

This matters a lot in critical infrastructure, especially with the incidence of attacks against facilities like water and wastewater increasing over the past few years, and the limited spending that municipalities allocate to securing their systems. It’s not feasible to patch every vulnerability, nor does every vulnerability have a patch available for it, so there needs to be some other approach to securing critical systems. 

Exposure management fulfills that ask. As such, adopting it as a defensive strategy empowers a better security posture with fewer resources. 

Key Pieces of Effective Exposure Management 

As exposure management is more of a strategy than a specific technology, there are a number of key needs for the approach to succeed. This includes:

• Asset discovery: Critical infrastructure organizations need a solution that can discover assets connected to the network. This includes IoT sensors, which are key pieces of cyber-physical systems, as well as cloud and hybrid data storage. Knowing what’s connected to the network means that security teams can understand what needs to be protected. 
• Traffic monitoring: Monitoring the network traffic of cyber-physical systems can help security teams understand which IP addresses are being used for communication. Understanding traffic flows can also lead to tracking expected behavior to better detect anomalous communications. 
• Vulnerability identification: Part of exposure management is the ability to identify vulnerabilities in cyber-physical systems but, more accurately, to place those software and hardware vulnerabilities in context. Not every vulnerability is created equal, and segmented cyber-physical systems could be less at risk of a threat actor gaining a foothold and moving laterally if the specific device is deployed with minimal outside communication. 
• Attack pathway intelligence: Part of exposure management is understanding the real risk of a cyberattack on any given system. The ability to test out possible attack pathways and provide insight into how an attacker could progress using specific vulnerabilities can point to where best to apply mitigations. 

How Asimily Enables Exposure Management for Cyber-Physical Systems 

The Asimily platform is purposefully designed to enable exposure management strategies. Asimily passively scans network architecture for IoT devices and surfaces key details such as MAC address, model, firmware version, and any possible vulnerabilities. Asimily can also use non-passive means, such as correlating with other IoT databases, to build an asset inventory. Given the importance of IoT devices to cyber-physical systems, the ability of Asimily to surface key details is critical for effective exposure management.

Asimily can also identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from sources like EPSS (Exploit Prediction Scoring System), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, and NIST Guidelines. This helps emphasize the vulnerabilities with the greatest potential for exploitation, empowering security teams to secure cyber-physical systems more efficiently.

Asimily customers experience 10x more efficiency in risk reduction because the engine can pinpoint and prioritize the top 2% of problem devices that are High-Risk (High Likelihood of exploitation and High Impact if compromised). Asimily’s recommendations can be applied seamlessly through integrating with NACs, firewalls, or other network enforcement solutions.

The Asimily platform monitors for anomalous behavior by tracking network traffic to and from IoT devices for potentially malicious activity. Anomalous behavior detection ensures that connected equipment communicates only with authorized destinations, among many other policies that come with Asimily or augmented by customers. Tracking this behavior also assists with incident response, ensuring that security teams can analyze the right forensic data when they need it.

Security teams can also use Asimily’s Risk Simulator to test fixing hardware or software vulnerabilities before they apply the resolution. Simulating a fix can help determine criticality and whether attackers will even try to breach the system, which is critical information when deciding how to better defend cyber-physical systems.

With Asimily, critical infrastructure security teams can get better insight and apply more effective exposure management. This keeps defenses strong and ensures security teams are reducing the risk of a cyberattack in the most efficient way possible. 

To find out more about how Asimily can help improve your organization’s security posture, download our white paper: IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper. To get started immediately, contact us today.