Making Informed Cybersecurity Decisions: Beyond Chasing Vulnerabilities

Introduction

Cybersecurity in operational technology (OT) often focuses on chasing vulnerabilities, best practices, and data collection—like SBOMs—without addressing real-world risks. Sarah Fluchs, CTO at Admeritia and a key contributor to the EU Cyber Resilience Act (CRA), argues for a shift toward informed decision-making using cyber decision diagrams. This approach prioritizes clarity, risk-based actions, and leveraging engineers’ expertise over reactive measures.

Learning Objectives

  • Understand why traditional vulnerability-focused approaches fall short in OT security.
  • Learn how cyber decision diagrams can streamline risk-based decision-making.
  • Explore practical steps to implement structured cybersecurity strategies in compliance with regulations like the CRA.

1. The Problem with “Orange Balls” in Cybersecurity

Fluchs uses the metaphor of “chasing orange balls” to describe the industry’s tendency to prioritize visible but low-impact tasks (e.g., scanning assets, generating SBOMs) over holistic risk management.

Key Insight:

  • SBOMs (Software Bill of Materials) are useful but don’t replace risk assessment.
  • Example: A critical vulnerability in a rarely used component may not justify immediate patching.

Solution:

  • Use cyber decision diagrams to map real risks.
  • Prioritize actions based on impact, not just detection.

2. Building a Cyber Decision Diagram

A structured model helps align security decisions with business needs.

Step-by-Step Guide:

  1. Define System Boundaries – Identify what’s in scope (OT vs. IT).
     – Example: `nmap -sP 192.168.1.0/24` (Scan network to map assets).
  2. Assess Critical Functions – What must stay operational?
     – Example: `fail2ban` (Protect critical services from brute-force attacks).
  3. Map Threats & Mitigations – Use a risk matrix.
     – Example: OWASP Risk Rating Methodology.

Outcome: A clear, auditable decision framework.
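The three steps above, carried through as an added example (not code from the article or from Admeritia): findings are scored with the OWASP Risk Rating Methodology (average of likelihood factors, average of impact factors, combined via the OWASP overall-severity table) and ranked by that result rather than by the scanner label, which is how the “critical vulnerability in a rarely used component” from section 1 drops to the bottom. The asset names and factor scores are constructed.

```python
# Added example: OWASP Risk Rating style prioritisation for a cyber decision diagram.
# Not from the article; all assets and scores below are constructed.
from dataclasses import dataclass
from statistics import mean

# OWASP Risk Rating Methodology: average factor score -> LOW (<3), MEDIUM (<6), HIGH (6-9)
def level(score: float) -> str:
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

# OWASP overall-severity table, indexed [impact level][likelihood level]
OVERALL = {
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "CRITICAL"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "LOW":    {"LOW": "NOTE",   "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
}
RANK = {"NOTE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass
class Finding:
    asset: str
    scanner_severity: str      # label the vulnerability scanner reported
    likelihood_factors: list   # 0-9 each: exposure, ease of exploit, ... (step 1 input)
    impact_factors: list       # 0-9 each: loss of availability, safety, ... (step 2 input)
    in_scope: bool = True      # step 1: inside the defined system boundary?

def overall_risk(f: Finding) -> str:
    """Step 3: combine averaged likelihood and impact per the OWASP table."""
    return OVERALL[level(mean(f.impact_factors))][level(mean(f.likelihood_factors))]

def prioritize(findings):
    """Return (asset, scanner severity, overall risk) for in-scope findings, highest risk first."""
    rows = [(f.asset, f.scanner_severity, overall_risk(f)) for f in findings if f.in_scope]
    return sorted(rows, key=lambda r: RANK[r[2]], reverse=True)

# Constructed sample: a CRITICAL finding on a rarely used, isolated component versus a
# MEDIUM finding on a function that must stay operational, plus one out-of-scope asset.
FINDINGS = [
    Finding("legacy-report-tool", "CRITICAL", [1, 2, 1, 2], [1, 2, 1, 1]),
    Finding("plc-hmi-gateway", "MEDIUM", [6, 7, 5, 6], [8, 9, 7, 8]),
    Finding("office-printer", "HIGH", [5, 5, 5, 5], [2, 1, 2, 1], in_scope=False),
]

if __name__ == "__main__":
    for row in prioritize(FINDINGS):
        print(row)
```

The ranking output puts `plc-hmi-gateway` (scanner says MEDIUM, overall CRITICAL) above `legacy-report-tool` (scanner says CRITICAL, overall NOTE), which is the auditable reasoning the decision diagram is meant to record.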

3. Aligning with the Cyber Resilience Act (CRA)

The CRA mandates transparent risk management for manufacturers.

Key Requirements:

  • Vulnerability Disclosure – Report and mitigate flaws.
     – Example: `cve-search` (Track known vulnerabilities).
  • Secure Development Lifecycle (SDL) – Embed security early.
     – Example: `git secrets` (Prevent credential leaks in code).

Compliance Tip: Use decision diagrams to justify security investments.

4. Moving Beyond Best Practices

Best practices (e.g., “always patch”) may not fit OT environments.

Practical Approach:

  • Assess Patch Impact – Will it disrupt operations?
     – Example: `yum --security check-update` (List available security patches without applying them).
  • Compensating Controls – If patching isn’t feasible.
     – Example: `iptables -A INPUT -p tcp --dport 22 -j DROP` (Block insecure SSH if unpatched).

Result: More resilient, operationally sound security.

5. Leveraging Engineers’ Expertise

OT security requires domain knowledge, not just scans.

How to Capture Insights:

  • Structured Interviews – Ask engineers: “What would break first in an attack?”
  • Threat Modeling – Use tools like Microsoft Threat Modeling Tool.

Outcome: Actionable, context-aware security decisions.

What Undercode Says:

  • Key Takeaway 1: Risk > Compliance – Stop chasing checklists; focus on real threats.
  • Key Takeaway 2: Engineers Hold the Key – Their insights drive better security than automated scans.

Analysis:

Fluchs’ approach challenges the status quo by emphasizing structured decision-making over reactive fixes. In OT, where uptime is critical, this method ensures security aligns with operational reality. The CRA’s emphasis on risk transparency further validates this shift—organizations must now prove their security choices, not just follow generic best practices.

Prediction:

As regulations tighten (CRA, NIS2), companies that adopt cyber decision diagrams will:

  1. Reduce wasted effort on low-impact vulnerabilities.
  2. Improve audit readiness with clear, documented reasoning.
  3. Enhance resilience by focusing on what actually matters.

Final Thought:

The future of OT security isn’t more scans—it’s smarter decisions.

Reported By: Sarah Fluchs – Hackers Feeds