Don’t Forget the Little Guy: Vulnerability Management in Operational Technology
CVE/FIRST VulnCon 2025 · Main Stage
This talk, "Don’t Forget the Little Guy: Vulnerability Management in Operational Technology," delivered by Kyling Ranahan (CTO of Bazo) and Alex Asante (Security Consultant at A Coming), examines the unique and often overlooked challenges of managing vulnerabilities in **Operational Technology (OT)** environments. Unlike traditional Information Technology (IT) systems, OT systems are designed to control physical processes, so their compromise can lead to real-world consequences such as power outages, industrial accidents, or environmental damage. The speakers explain why applying IT vulnerability management practices directly to OT is ineffective, highlighting the fundamental differences in priorities, asset lifecycles, and operational constraints.
AI review
Ranahan and Asante deliver a competent, practitioner-oriented survey of OT vulnerability management that earns its place at VulnCon — but only just. The talk correctly identifies real pain points (NERC CIP-007 R2 timelines, CPE data quality, legacy OS sprawl, the CSAF adoption gap) and frames them honestly in terms of operational constraints most IT-background attendees underestimate. The CSAF advocacy is the closest thing to a sharp edge here, and the speakers deserve credit for naming a concrete standard rather than just gesturing at 'better data.' That said, this is largely a synthesis of…