Vulnerability management has become one of the major challenges in industrial cybersecurity. The volume of CVEs (Common Vulnerabilities and Exposures) published grows every year and accelerates as we incorporate more technology into our processes and operations. And here lies the real problem: in OT/ICS environments, applying patches systematically is not always possible, nor is it often advisable.
The Cyber Alerts Report – II from the Industrial Cybersecurity Observatory of AMTEGA addresses precisely this issue: how to prioritise vulnerabilities in industrial environments when resources are limited, maintenance windows are tight and the continuity of the process cannot be put at risk.
From a cybersecurity perspective, one of the report’s main conclusions is clear: technical severity cannot be the only decision criterion. In OT, vulnerability management must be based on the real risk to the organisation, combining technical information, operational context, exposure and potential impact on the industrial process.
OT risks are not the same as IT risks
Although the general principles of cybersecurity are common to both worlds, industrial environments present very different constraints from those of corporate IT. In IT, the priority tends to be the protection of information: data, digital services, identities or corporate systems. In OT, on the other hand, the priority is to ensure that operations remain safe, stable and available.
This completely changes the way decisions are made. A vulnerability with a high score may not be urgent if it affects an isolated asset with no real exposure. Conversely, an apparently less critical vulnerability can become a priority if it affects the availability of the plant, the safety of plant operators, or even carries a potential environmental impact.
For this reason, the question should not only be “what is its CVSS score?”, but also: where is it deployed? Is it exposed? Does it affect a critical asset? Is there active exploitation? The urgency is not in patching everything as quickly as possible, but in managing the risk to the process.
CVSS is useful, but insufficient
The report does not dismiss CVSS (Common Vulnerability Scoring System). On the contrary, it recognises it as a necessary reference for measuring the technical severity of a vulnerability. The problem arises when it is used as the sole prioritisation criterion.
CVSS does not sufficiently incorporate the operational context, the criticality of the asset, the existence of compensating controls, the real exposure or the technical and operational cost of applying a fix. In industrial environments, these factors are decisive.
For this reason, the report proposes that CVSS should be one more data point, combined with other, more actionable approaches.
Prioritisation based on real risk
The first of these complementary approaches is the KEV (Known Exploited Vulnerabilities) catalogue from CISA, which makes it possible to identify vulnerabilities with confirmed evidence of active exploitation in the real world. This helps to distinguish between vulnerabilities that are potentially serious and vulnerabilities that are already being used by attackers.
Another interesting metric is EPSS (Exploit Prediction Scoring System), which provides a probabilistic estimate of exploitation, making it possible to anticipate which vulnerabilities are most likely to become a real problem in the short term. This approach complements KEV very well, since together they combine the severity and probability of the threat.
The Now / Next / Never approach translates this information into operational decisions:
- Now: act as a priority on critical, exploitable vulnerabilities with no effective mitigations.
- Next: plan the treatment of the remaining relevant vulnerabilities within a maintenance window or as part of an improvement campaign.
- Never: document and monitor those that, in the specific context of the organisation, do not represent a significant risk.
This approach makes it possible to move from a management model based on endless lists of CVEs to one based on risk, impact and context.
When patching isn’t possible, mitigation is
One of the key ideas of the report is that the impossibility of patching does not mean inaction. In OT environments, it is often necessary to apply compensating measures while a safe remediation is being planned.
These include network segmentation, virtual patching, the industrial DMZ, access control, secure remote access, passive monitoring, centralised logging, and so on.
These measures do not always eliminate the vulnerability, but they reduce its exploitability or its potential impact.
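The following is an added example, not code from the report, from AMTEGA or from InprOTech, showing how the Now / Next / Never triage described above can be implemented by combining a CVSS score, KEV membership, an EPSS probability, asset criticality, exposure and the compensating controls from the previous section. The thresholds (EPSS 0.5, CVSS 7.0), the control names, the asset names and the CVE identifiers (`CVE-EXAMPLE-*`) are all constructed placeholders for the example; every organisation must set its own.

```python
from dataclasses import dataclass

# Thresholds are assumptions for this example; each organisation chooses its own.
EPSS_THRESHOLD = 0.5   # EPSS probability above which we treat exploitation as likely
HIGH_CVSS = 7.0        # lower bound of the CVSS "High" band

# Compensating controls (from the report's list) that remove network reachability
# of the vulnerable service, and therefore reduce exploitability without a patch.
NETWORK_CONTROLS = frozenset({
    "network_segmentation", "industrial_dmz", "virtual_patching", "secure_remote_access",
})

BUCKET_ORDER = {"now": 0, "next": 1, "never": 2}


@dataclass(frozen=True)
class Vulnerability:
    cve_id: str
    cvss: float      # CVSS base score, 0-10 (technical severity)
    epss: float      # EPSS probability of exploitation, 0-1
    in_kev: bool     # listed in the CISA KEV catalogue (confirmed exploitation)


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str                 # "safety", "production" or "support"
    exposed: bool                    # reachable from outside its own zone
    controls: frozenset = frozenset()  # compensating controls in place


def triage(vuln, asset):
    """Classify one (vulnerability, asset) pair as now / next / never with a reason."""
    # Threat: confirmed exploitation (KEV) or a high predicted probability (EPSS).
    threat = vuln.in_kev or vuln.epss >= EPSS_THRESHOLD
    # Exploitable in context: exposed and not shielded by a network-level control.
    reachable = asset.exposed and not (asset.controls & NETWORK_CONTROLS)
    critical = asset.criticality in ("safety", "production")

    if threat and reachable and critical:
        return "now", "exploited or likely exploited, reachable, critical asset, no effective mitigation"
    if threat or vuln.cvss >= HIGH_CVSS:
        return "next", "relevant severity or threat but mitigated or non-critical: plan in a maintenance window"
    return "never", "no exploitation evidence and moderate severity in this context: document and monitor"


def prioritise(findings):
    """Rank (vulnerability, asset) pairs: bucket first, then EPSS, then CVSS."""
    ranked = []
    for vuln, asset in findings:
        bucket, reason = triage(vuln, asset)
        ranked.append({"bucket": bucket, "cve": vuln.cve_id, "asset": asset.name,
                       "epss": vuln.epss, "cvss": vuln.cvss, "reason": reason})
    ranked.sort(key=lambda r: (BUCKET_ORDER[r["bucket"]], -r["epss"], -r["cvss"]))
    return ranked


# Constructed sample data: the same CVE on two different assets, plus two others.
V_KEV = Vulnerability("CVE-EXAMPLE-1", cvss=9.8, epss=0.92, in_kev=True)
V_LOW = Vulnerability("CVE-EXAMPLE-2", cvss=5.3, epss=0.01, in_kev=False)
V_HIGH_NO_EVIDENCE = Vulnerability("CVE-EXAMPLE-3", cvss=8.1, epss=0.05, in_kev=False)

PLC_EXPOSED = Asset("PLC-line-1", "safety", exposed=True)
PLC_SEGMENTED = Asset("PLC-line-1", "safety", exposed=True,
                      controls=frozenset({"network_segmentation"}))
EWS_ISOLATED = Asset("EWS-03", "support", exposed=False,
                     controls=frozenset({"network_segmentation"}))
HISTORIAN_DMZ = Asset("historian", "support", exposed=True,
                      controls=frozenset({"industrial_dmz"}))

SAMPLE_FINDINGS = [
    (V_KEV, PLC_EXPOSED),
    (V_KEV, EWS_ISOLATED),
    (V_LOW, HISTORIAN_DMZ),
    (V_HIGH_NO_EVIDENCE, EWS_ISOLATED),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_FINDINGS):
        print(f"{row['bucket']:<5} {row['cve']:<14} {row['asset']:<11} {row['reason']}")
    # Segmenting the PLC moves the same KEV-listed CVE from "now" to "next".
    print(triage(V_KEV, PLC_SEGMENTED)[0])
```

The point the example makes is the one in the text: `CVE-EXAMPLE-1` lands in "now" on the exposed safety PLC but only in "next" on the isolated engineering workstation, and adding segmentation in front of the PLC is enough to take it out of the "now" bucket while the patch is planned, which is exactly the role of a compensating control.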
Conclusion
The OT Cyber Alerts Report – II conveys a particularly relevant message: in industrial cybersecurity, the goal is not to patch everything, but to reduce the real risk without compromising operations.
For industrial organisations, this means combining technical severity, active exploitation, probability of attack, asset criticality, exposure and feasibility of mitigation.
At InprOTech, we continue to collaborate with AMTEGA in promoting good practices that help the Galician industrial sector move towards a more mature, measurable OT cybersecurity, aligned with the reality of organisations.