OT CVEs Severity CVSS

ICS Advisories, OT CVEs, and Your Environment

Our inaugural webinar focused on the growing conversations around ICS (industrial control systems) and OT (operational technology) cybersecurity, specifically the rising number of advisories and OT CVEs (common vulnerabilities and exploits).

Sorting through the mountains of data regarding vulnerabilities, patches, and alerts and keeping the information organized can be challenging for larger dedicated teams. And the task is near-overwhelming for smaller teams with other responsibilities.

If you aren’t sure how to get started or otherwise feel a little lost (and we don’t blame you), the teams at SynSaber and the ICS Advisory Project have tips and guidance to help navigate the multitude of vulnerabilities. If you’re interested in watching the discussion from our previous webinar, you can check out a recording online!

Are There More Vulnerabilities in ICS than Before?

Well, yes and no. Looking at the number of reported OT CVEs, there has been an increase year over year in the number of CISA (Cybersecurity and Infrastructure Security Agency)-reported ICS vulnerabilities. But the rising number of CVEs could also be attributed to the growing number of reporting parties. These include reports from independent researchers, security vendors, community efforts such as the Zero Day Initiative, and an increase in reports from OEMs (Original Equipment Manufacturers) testing their own products.

As the government, media, and the general public continue to shift their attention to ICS and critical infrastructure, more effort is being dedicated to identifying vulnerabilities and putting out advisories than there were in years prior. This shift can be explained by the significant impact that an exploited vulnerability can have on the critical infrastructure that keeps our nation running.

So the rising numbers don’t directly indicate that ICS is becoming less secure – but it definitely represents the fact that there are more people invested in keeping an eye on vulnerabilities relevant to the OT community.

Getting a Bird’s Eye View of OT CVEs

Before you can dive deep into protecting your network and systems, an important first step is to have a good understanding of what devices are in your OT environment. After all – you can’t protect what you can’t see. If you have packet capture files available, you can use SynSaber’s free OT PCAP Analyzer tool to get a human-readable visualization of the devices and protocols that are contained within the file.

Once you have an understanding of what you’re working with, the dashboards provided by the ICS Advisory Project make it easy to filter through their database of reported vulnerabilities without having to spend your own time reading through the advisories.

The mitigation dashboard view allows you to filter CVEs based on manufacturer/vendor, along with any associated patches or mitigating actions, so you can narrow in on the vulnerabilities relevant to your environment. No need to get bogged down with vulnerabilities on Siemens or other assets if you don’t use equipment from those manufacturers.

Understanding and Prioritizing Relevant CVEs

Once you’ve compiled a list of vulnerabilities that might have an impact on your organization, the next step is to determine how to go about addressing them. The key is to prioritize and strategize.

One thing to look at with each vulnerability is the severity score associated with it. Severity scores are often based on things like attack vectors, complexity, privileges required, and user interaction. You can use these to determine whether a CVE’s severity is applicable to your environment.

For example, if a CVE can only be exploited via physical access to the system and you know your environment is physically secure, this vulnerability might not be as urgent a focus as other issues.

There are three questions to ask whenever you’re addressing a vulnerability:

  1. Applicable: Does this apply to my environment?
  2. Critical: Is this critical in the context of my environment and systems?
  3. Fixable: Is there a permanent fix I can deploy in my environment?

Security efforts should prioritize those that fall where these three categories intersect for the most efficient use of time and resources.

It’s also important to recognize that there are some reported vulnerabilities that might not have a fix available. It could be for a device or software with a scheduled end-of-life. For example, there won’t be any support for something moving forward, and the only way to address the issue is to upgrade to the newest version.

These “forever days” might not always have a patch or mitigation solution available, but keeping track of them is still important, both to meet specific compliance requirements and to find other ways to accommodate them in your security program.

Additional Resources