A New Industry Standard for Measuring Cyber Preparedness Over Time – The CDV Index

Velta Technology is pleased to offer a new industry standard for measuring the relative security status of all connected devices within an industrial environment – the CDV (Connected Devices Vulnerability) Index.

The CDV Index quantifies an industrial facility’s cyber preparedness and digital safety over time. It assesses potential risks and progress toward addressing digital incidents, threats and compromises that can negatively impact production, operations, the environment, and even human life. It equips organizations with measurable data that quantifies individual and collective ICS system security.

Without a measurable guide, organizations cannot determine if or how well they’re improving their OT cybersecurity posture. The CDV Index can be considered the OT cybersecurity version of a FICO score, a method used by lenders to assess creditworthiness. A higher FICO score
can increase chances of approval for funding and lower interest rates or afford better
loan terms.

In a similar way, a CDV Index not only grants the ability to internally evaluate security gaps within the industrial environment, but it can also be seen by insurance companies as a sign of due diligence toward ensuring the security and continuous improvement within those environments. This is especially advantageous for companies seeking OT Industrial cyber
insurance coverage.

The manufacturing plant floor is a dynamic, constantly changing environment. This creates the need to monitor plant floor asset patching for the purpose of removing,
isolating, and segmenting off vulnerabilities.

The CDV Index allows executives and key decision makers to glean detailed asset information and make determinations about how their security posture has improved, remained stagnant, or decreased over time. It grades an organization’s risk level compared to where it was three, six or 12 months ago, and indicates if it’s heading in the right (or wrong) direction.

In a time when cyber security attacks are becoming increasingly common, and CEOs are experiencing a growing risk of accountability for these incidents, turning a blind eye to OT security is no longer an option. Companies often don’t act or take precautions simply because they don’t expect to become the victim of a cyber attack. That sort of complacency can lead to costly and sometimes dire consequences for an organization.

CheckPoint Research has found that global attacks increased by 28 percent in the third quarter of 2022, as compared to the same period in 2021.

The CDV Index puts eyes on all devices within a company’s manufacturing environment by compiling accurate asset inventories. When looking at the vulnerabilities of each individual device, you’ll often see many assets are not patched and lack adequate cybersecurity posture. It’s important to scrutinize your vulnerability management when considering these assets individually and collectively over the entire organizational structure.

Are you addressing the right assets from a priority standpoint to make the greatest impact on the organization? If there’s a critical or end-of-life asset, are you addressing it in a timely manner? Are you prioritizing education and training so that engineers and operators better understand the nuances of these environments? A CDV Index will help you draw the right conclusions and make informed decisions to avoid potential breaches and costly downtime.

OT cybersecurity vulnerabilities are forcing the hands of insurance companies. Agencies, underwriters, and master carriers are adapting to the changing cyber landscape. They took a huge hit in 2020-21, and we saw the same thing in 2022 because cyber insurance rates were not keeping pace with the losses from ransomware payouts.

Insurance rates for cybersecurity are going up in some instances two-to three-times higher than they were a few short years ago, and the levels of coverage are coming down. They are also finding more exclusions to add to their cyber policies.

For example, Lloyd’s of London recently issued a bulletin that its insurers will soon be required to exclude losses in all standalone cyber insurance policies arising from state-sponsored cyberattacks. Lloyd’s cited concerns about systemic risk, the ease with which a widespread
cyberattack can be launched, and the resulting losses stemming from society’s global dependence on IT infrastructure.

Organizations should be mindful of these trends and should not rely on cyber insurance as a backstop. As carriers become more business savvy to evolving cyber needs, they’ll be looking for continuous monitoring tools like a CDV Index, that provide real-time data and
give them reasons to say, “Yes, this organization is prioritizing their OT security
and providing the same amount of due diligence and duty of care as they are in the
IT/enterprise environment.”

A CDV Index can help them more definitively determine if your cybersecurity posture is worthy of a higher rating versus a lower rating, where the organization is not providing proper due diligence or care. They’ll be looking for a method of collecting measurable data to determine how well the company is doing on the OT side to improve their cybersecurity posture.

You can’t protect what you can’t see – that’s why we recommend getting a CDV Index.

Learn more about the CDV Index from Velta Technology and how it can provide your organization with actionable, real-time metrics when it comes to ICS in your industrial manufacturing and critical infrastructure environments.