Your organization employs a proprietary industrial control system (ICS) in its manufacturing process. There are known vulnerabilities for which no patches exist due to the out-of-support nature of the system. As a cybersecurity analyst preparing a vulnerability management report, how should you classify this issue taking into account the inhibitors to remediation?
Suggest waiting for a vendor-supplied patch as the sole course of action.
Recommend implementing compensating controls to minimize the risk posed by the vulnerabilities.
Advise the immediate discontinuation of the proprietary system until a patch is available.
Indicate that no action is needed while accepting all inherent risks because the system is proprietary.
In the scenario where vulnerabilities exist in an out-of-support proprietary system, conventional mitigation strategies such as patching are not feasible. Therefore, compensating controls are the appropriate form of mitigation to suggest. Compensating controls are security measures put in place to satisfy the intent of a required security control that is too difficult or impossible to implement at the present time. By framing the vulnerability in terms of inhibitors to remediation and recommending compensating controls, the cybersecurity analyst shows an understanding of the constraints of proprietary systems. The other answers are less appropriate because they either ignore the proprietary, unsupported context of the system or propose an unfit remediation strategy.