San Diego, CA – 12/13/2024 – ObjectSecurity LLC, a leading provider of advanced vulnerability detection for defense and critical infrastructure, today released an early pre-release of its novel, patented “NCT” cybersecurity vendor rating technology. The technology, which was funded by the National Institute of Standards and Technology (NIST) under the Small Business Innovation Research (SBIR) program, is publicly available for free. ObjectSecurity will showcase the tool at the upcoming S4X25 OT/ICS cybersecurity conference in February 2025.

Boosting OT Cybersecurity: The Need for Incentivization

In the evolving landscape of OT/ICS security, a significant challenge remains the disjointed nature of stakeholders—ranging from purchasers to manufacturers and red team service providers—creating a fragmented approach to cybersecurity. Manufacturers often improve their cybersecurity measures only when pressured by buyers, yet these buyers frequently lack the expertise, resources, or reliable information to discern which vendors truly prioritize cybersecurity. Full-scale security testing driven by purchasers is rarely practical due to its expense, complexity, and lack of scalability. Additionally, while government guidelines and standards exist, they often fail to provide the specificity needed to compel manufacturers to improve. Consequently, both IT and OT/ICS ecosystems are far from establishing a reliable method for scoring manufacturers and their devices in terms of cybersecurity.

In particular, IT and OT/ICS industries face significant cyber threats due to inadequate incentivization structures. Current incentives, such as compliance regulations and financial benefits, often motivate manufacturers to meet minimum standards rather than adopt deeper security analysis practices. A key challenge lies in the lack of transparency from manufacturers about their internal security processes, making it difficult for buyers and regulators to make informed decisions. Manufacturers view meeting cybersecurity compliance primarily as a business expense, leading to a “check-the-box” approach that neglects true cyber-hygiene. To address this issue, a more effective incentivization strategy is needed for manufacturers to improve security.

Calculating Cyber-Hygiene Scores: A Path to Enhanced Security

ObjectSecurity’s objective was to develop a systematic method for evaluating manufacturers’ and software/hardware vendors’ cybersecurity practices and security compliance, resulting in a comprehensive “cyber-hygiene score”. By establishing a standardized scoring system, we can incentivize industry players to prioritize proactive cybersecurity measures, including vulnerability detection, publication, and remediation, ultimately enhancing the overall security resilience of the IT and OT/ICS ecosystem.


NCT Vendor Cybersecurity Rating Tool

Funded by the National Institute of Standards and Technology (NIST) under the Small Business Innovation Research (SBIR) program, ObjectSecurity developed the “NCT” tool, which calculates vendor cyber-hygiene scores through a multi-faceted assessment including criteria such as exploitability, remediability, severity, and explainability. Importantly, the tool uses only public data sources, including for example the National Vulnerability Database (NVD), and provides detailed information on how each score is calculated. The website is publicly available as a tool for the cybersecurity community, buyers, and manufacturers alike at the following URL:


S4X25 Security Conference: NCT Showcase

Please join us! ObjectSecurity will present the NCT tool to the OT/ICS community at the S4X25 Conference in Tampa, FL, on February 12, 2025 (11:00 – 11:30 AM, 2nd Floor, Stage 3). Here is the abstract:

NIST funded a research project to create and test an OT device security score for devices commonly used in manufacturing. In this session, Ulrich will explain the test methodology and provide scoring examples from some of the most popular vendors’ devices.

In this presentation at S4x25, we will delve into our ongoing NIST-funded R&D project aimed at addressing the critical challenges in OT/ICS security. We will outline our approach to developing a scoring system for OT/ICS manufacturers, based on extensive analysis of public data sources like the NVD. Attendees will gain insights into the innovative methods we are employing to differentiate manufacturers based on their behavior in reporting and fixing vulnerabilities. We will also discuss our vision for the project, and present a public website prototype that will enhance the transparency of cybersecurity practices among OT/ICS vendors. The presentation will cover our initial findings, the methodologies being applied, and how we plan to collaborate with NIST, CISA, and other stakeholders to improve CVE reporting. This session will provide a glimpse into how these efforts can improve OT security by empowering purchasers to make more informed decisions, while giving manufacturers better means to differentiate themselves by offering more secure devices.