Here’s an uncomfortable truth. You know why OT vulnerability management is rarely done in an effective way? Because asset owners have given up on the idea that they would be able to make a difference. In OT, the sheer magnitude of vulnerabilities causes defenders to quickly lose all hope. How would anybody be able to achieve meaningful progress by crawling from vendor advisory to vendor advisory? The answer is, it’s impossible. Without a sound strategy, you won’t move the needle.
The reality is: most organizations focus on patching symptoms rather than addressing the root causes. Today, we want to highlight a game-changing approach: starting your vulnerability management by examining the CVE (Common Vulnerabilities and Exposures) root causes, specifically the software products themselves. It turns out that some products are chronic “repeat offenders,” churning out new vulnerabilities month after month. Identifying and eliminating them through system hardening is key to building resilient OT systems. That’s what we call Performance-Driven OT Vulnerability Management.
Understanding the Root Cause: It’s the Software, Stupid
Traditional OT vulnerability management often revolves around digesting CISA’s and vendors’ security advisories, trying to figure out if your organization is affected, prioritizing CVEs based on severity scores like CVSS, and applying patches. When you have to deal with hundreds of thousands of vulnerabilities – which is typical for OT environments – this approach is as effective as trying to boil the ocean.
The real insight comes from digging deeper into the why behind those CVEs. More often than not, the root cause isn’t a one-off coding error—it’s tied to specific software products that inherently foster vulnerabilities due to poor design, outdated codebases, or inadequate security practices during development.
Consider this: according to data from CVE databases, certain products accumulate thousands of distinct vulnerabilities over time. These aren’t random; they’re patterns emerging from the software’s architecture or the vendor’s development habits. In OT, where systems like PLCs (Programmable Logic Controllers), HMIs (Human-Machine Interfaces), and SCADA software run critical processes, ignoring these patterns is like leaving the factory door wide open for attackers.
Meet the Repeat Offenders: Software That Keeps on Giving (Vulnerabilities)
Repeat offenders are software products or vendors that consistently produce new CVEs, often due to systemic issues like memory-unsafe languages (e.g., C/C++ leading to buffer overflows), lack of secure-by-design principles, or simply a history of sloppy coding. In broader IT, examples abound, but in OT, they’re particularly dangerous because updates are infrequent.
Based on aggregated CVE statistics from sources like CVEDetails.com and CISA advisories, here are some standout repeat offenders relevant to OT environments:
- Microsoft Windows: Products like Windows Server 2008 (3,500+ CVEs), Windows 7 (2,300+ CVEs), and Windows 10 (3,000+ CVEs) dominate the list. In OT, legacy Windows OSes are abundant. Their repeat offenses often stem from improper input validation, remote code execution flaws, and outdated components. CISA’s Known Exploited Vulnerabilities catalog frequently features Microsoft products, highlighting their real-world exploitation in supply chain attacks.
- Web browsers: Whether it’s Google Chrome, Firefox, or Microsoft Edge – all of them generate CVEs at a steady rate. And many of these CVEs come with known exploits, meaning that ransomware operators have identified ways to take advantage of your vulnerable browser.
- Microsoft Office Products, especially outdated versions: Let’s be real, your engineers aren’t interested in the latest versions of Word and Excel. And they are even less interested in updating their PCs. Therefore, outdated and vulnerable Office installations are commonplace in OT.
- Siemens WinCC: As a leading ICS vendor, Siemens tops ICS-specific CVE reports. Pay specific attention to the WinCC SCADA software. Outdated versions may sport dozens of severe vulnerabilities.
- Rockwell Automation’s FactoryTalk: Same thing as Siemens WinCC.
The Strategy: Identify, Ban, and Harden
The first step towards a performance-driven OT vulnerability management regime is to identify the repeat offenders. That might sound easier said than done. If you use the NVD (National Vulnerability Database), CVEDetails, or commercial platforms (e.g., Dragos, Claroty) to analyze CVE trends by product and vendor, you are actually approaching the problem backwards. You’ll sift through dozens or hundreds of products that you don’t even have installed. A tremendous waste of time.
The OTbase OT asset management software does it the right way. It knows about all products you have installed. It then matches this inventory against its internal CVE database. As a result, OTbase can specifically tell you what the biggest troublemakers are, and where to find them. That’s actionable intelligence. You’re not wasting any time.
As the next step, you want to identify the low-hanging fruit – meaning software products that can be removed or updated easily. Application software qualifies here. Think of all the Microsoft Edge installations as an example. Are they really necessary on all those PCs? Uninstall where they are not. Update where they are. Same thing for MS Office etc. In general, application software offers quick wins here because in many cases, it can be updated without waiting for a planned outage.
Tracking Progress and Becoming Proactive
Management wants to see results, and they also want to see that you are actually achieving long-term progress here. Metrics are required for this. In the OTbase OT asset management software, that’s easy to accomplish as the OT vulnerability management workspace will always give you clear indicators on the overall vulnerability situation.
Now you want to make sure that the repeat offenders stay out of your environment. In the OTbase OT asset management software, this is accomplished by defining configuration policies, where you can identify prohibited software products. Once you do this, OTbase will spit out a list of non-compliant configurations in seconds. The best thing is, this list – or compliance check – is evergreen. That means that if next week a contractor installs something you don’t want on your systems, such as TeamViewer, you get notified immediately.
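A sketch of the inventory-first approach described in the two strategy sections above, added here as an example and not OTbase’s own code or data: it ranks only installed products by distinct CVEs multiplied by the number of hosts running them, and runs a prohibited-software policy check over the same inventory. Hostnames, the per-product CVE sets and the CVE ids are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical hosts): hostname -> installed products.
INVENTORY = {
    "hmi-01":  ["Windows 7", "Siemens WinCC", "Microsoft Edge"],
    "eng-ws":  ["Windows 10", "Microsoft Office", "TeamViewer"],
    "scada-1": ["Windows Server 2008", "Siemens WinCC"],
    "plc-gw":  ["Windows 10"],
}

# Constructed CVE feed: product -> distinct CVE ids. "CVE-0000-xxxx" are placeholders, not real ids.
CVE_FEED = {
    "Windows Server 2008": {f"CVE-0000-{i:04d}" for i in range(1, 6)},  # 5 placeholder CVEs
    "Windows 7": {"CVE-0000-0006", "CVE-0000-0007", "CVE-0000-0008"},
    "Siemens WinCC": {"CVE-0000-0009", "CVE-0000-0010"},
    "Microsoft Office": {"CVE-0000-0011", "CVE-0000-0012"},
    "Windows 10": {"CVE-0000-0013"},
    "Microsoft Edge": {"CVE-0000-0014"},
    # Noisy entry: many CVEs, but nobody in this plant runs it, so it must never show up.
    "Not Installed Product": {f"CVE-0000-{i:04d}" for i in range(100, 150)},
}

def repeat_offenders(inventory, feed):
    """Rank installed products by exposure = distinct CVEs * number of hosts running them.
    Starts from the inventory, so products absent from the plant are never considered."""
    hosts_by_product = defaultdict(set)
    for host, products in inventory.items():
        for product in products:
            hosts_by_product[product].add(host)
    ranking = []
    for product, hosts in hosts_by_product.items():
        cves = feed.get(product, set())
        if not cves:  # installed, but no known CVEs: nothing to rank
            continue
        ranking.append({"product": product, "cves": len(cves), "hosts": sorted(hosts),
                        "exposure": len(cves) * len(hosts)})
    return sorted(ranking, key=lambda r: (-r["exposure"], r["product"]))

def policy_check(inventory, prohibited):
    """Evergreen compliance check: hosts carrying any product banned by configuration policy."""
    violations = {}
    for host, products in inventory.items():
        found = sorted(p for p in products if p in prohibited)
        if found:
            violations[host] = found
    return violations

if __name__ == "__main__":
    for r in repeat_offenders(INVENTORY, CVE_FEED):
        print(f'{r["product"]:20} CVEs={r["cves"]:2} hosts={len(r["hosts"])} exposure={r["exposure"]}')
    print("non-compliant:", policy_check(INVENTORY, {"TeamViewer", "Microsoft Edge"}))
```

Re-running `policy_check` on every inventory refresh is what turns the banned-software list into the evergreen check described above.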
The payoff? Reduced patching cycles, lower risk of ransomware attacks, and compliance with regulations like NERC CIP or EU NIS2.
Wrapping Up: A Call to Action for OT Defenders
In OT security, playing whack-a-mole with CVEs is unsustainable. By focusing on root causes—the vulnerable software products themselves—you can break the cycle of repeat offenders. Audit your environment, identify those chronic offenders, and harden your systems by uninstalling what you can. It’s not just about security; it’s about ensuring your operations run smoothly and safely in an increasingly hostile cyber landscape. The OTbase OT asset management software helps you all the way.
Interested in learning more? Download the OTbase Vulnerability Management Handbook
