I Can't Patch My OT Systems! A Look at CISA's KEVC Workarounds & Mitigations for OT
Philip Huff, Nishka Gandu, Pavel Novák
TL;DR
This study evaluates DHS CISA's KEVC as a basis for OT vulnerability remediation, revealing that although many KEVC entries affect OT environments, vendor-provided remediation guidance is often missing or not machine-readable, limiting patch-based risk reduction. By augmenting advisories with exploit-analysis mapped to MITRE ATT&CK techniques, the authors derive OT-feasible mitigations—chiefly network segmentation—and propose a standards-based, machine-readable framework that links CVEs to mitigations and concrete playbooks. The work highlights operational risk from non-interactive exploits and calls for enhanced vendor guidance, open validation tools, and collaborative data standards to enable rapid, safe defense when immediate patching is not possible.
Abstract
We examine the state of publicly available information about known exploitable vulnerabilities applicable to operational technology (OT) environments. Specifically, we analyze the Known Exploitable Vulnerabilities Catalog (KEVC) maintained by the US Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to assess whether currently available data is sufficient for effective and reliable remediation in OT settings. Our team analyzed all KEVC entries through July 2025 to determine the extent to which OT environments can rely on existing remediation recommendations. We found that although most entries in the KEVC could affect OT environments, only 13% include vendor workarounds or mitigations as alternatives to patching. This paper also examines the feasibility of developing such alternatives based on vulnerability and exploit characteristics, and we present early evidence of success with this approach.