Table of Contents

Introduction

Our mission is to protect the critical industrial control systems (ICS) that keep modern civilization operating effectively. With over 30 years of ICS/OT controls experience, we help clients achieve rapid and lasting improvement in their Operational Technology (OT) security. Our deep ICS/OT expertise allows us to be a true partner in our clients, helping them to increase the maturity of their systems and processes to protect their most critical assets.

One of the key challenges our clients face is the flood of new ICS vulnerabilities released each year. They are often overwhelmed by the scale of these emerging risks. The goal of this analysis is to bring clarity by providing visibility into the types of threats and recommending actions organizations can take to address these risks in their OT environment.

In 2023, multiple conflicts arose and/or continued in the world. With these conflicts came cyber repercussions – more cyber-attacks, new threats, and new groups springing into action to participate in the war efforts or profit from the overall confusion.

Many of the trends from previous years continued steadily in 2023, such as:

  • A growing number of OT-specific cybersecurity events across the globe (e.g. A ransomware attack on Dole that shut down their North American production, a cyberattack on Boeing that impacted its parts and distribution business, etc.) affected millions of individuals across multiple industry verticals (Oil & Gas, Manufacturing, Energy, Financial Sector, etc.).
  • An increase in the number of reported vulnerabilities and therefore of common vulnerability and exposures (CVE) and ICS Advisories (although the number of ICS advisories only grew by one).
  • Discrepancies between different CISA (Cybersecurity & Infrastructure Security Agency) resources out there (e.g. KEV database VS ICS advisories).

On the other hand, the diligent work from cybersecurity professionals, governments, and organizations allowed better threat management and more tools (people, process & technology) to manage vulnerabilities. The ever-growing number of industry standards and compliance mechanisms ensured that OT/ICS organizations focused on managing their threat landscape.

To provide insight into the growing ICS risks and vulnerabilities landscape, we analyzed publicly available data points and reviewed our own vulnerability analysis data from the past couple of years. We:

  • Examined the 371 ICS-CERT advisories from 2023 and extracted key insights,
  • Compared all advisories from 2023 with the ones from past years (with a particular focus on 2022),
  • Assessed the potential implications of those advisories,
  • Identified a few key advisories that stand out from the pack, and
  • Developed a list of recommendations for ICS staff based on our observations.

This analysis focuses on the specific ICS advisories issued by CISA relating to hardware, firmware, and application software provided by ICS vendors to their critical infrastructure clients. Excluded from this study are vulnerabilities published for IT-type networks and Windows OS, the thousands of vulnerabilities published by organizations like Cisco and Microsoft. The CISA ICS advisories are vulnerabilities that are issued through different vulnerability management channels and by threat hunting teams. Those vulnerabilities may have a significant impact on the ICS/OT environments. Advisories are generally created by CISA or the company/researcher that first found/discovered/detected them.

Since last year, the front-end of CISA’s library of advisories has changed but is still relevant for companies looking to understand the vulnerabilities they may have on their network and which versions of hardware, firmware and/or software could be victim of a violation. ICS vulnerabilities provided in those advisories do not provide a comprehensive threat landscape as some vulnerabilities never get reported to CISA, but it is still one of the best free tools available to start a vulnerability management program for the OT/ICS realm.

Executive Summary

In 2023, ICS-CERT issued 371 cybersecurity advisories to the public on CISA’s website. We analyzed these advisories without any discrimination – no advisory was rejected based on geography, company size, domain of operations, vendor, etc. The scope of this analysis was purely focused on the ICS advisories (ICSA-23-***-**). This report summarizes the conclusions, observed trends, and insights into some of those advisories, vulnerability management and the resources available to make informed decisions for mitigation.

ICS-CERT released 371 ICS-related advisories spanning more than 100 vendors/OEMs, 1,708 CVEs containing references to different products and a matrix of affected versions. 

The number of ICS advisories published each year has stayed consistent (an increase of 1 advisory [Less than 1%] over 2022). However, the number of CVEs contained in those advisories increased dramatically by 28%. This growth of CVEs is mostly explained by one advisory that holds more than 400 CVEs within it. Although it’s common for one advisory to include 100 CVEs, this is an outlier.

The OEMs/companies most affected by the ICS advisories have stayed relatively consistent and Siemens has remained the top reporting OEM since 2020.

Many risks created by the vulnerabilities listed in the CERT advisories are considered HIGH or CRITICAL by NIST’s National Vulnerability Database (NVD), with a significant increase of those scored with a CVSS of 10/10 (Critical). However, there was a decrease of the CVSS of 9/10 (also Critical). All in all, the number of Critical CVSS has decreased by a count of five advisories.

278 advisories out of the 371 had a score of 8 or higher in 2023. Of those advisories, 261 (70%) are exploitable remotely, 333 (90%) have a low attack complexity, and 41 have public exploits available.

The following trends are also observed:

  • A good portion of the vulnerabilities could be used to impact the critical manufacturing sector (42%).
  • Almost half of all the reported vulnerabilities could affect more than one sector (49%).
    • This is less than the previous year (2022), where 53% of the advisories affected more than one sector.
  • There was a decrease in the number of vulnerabilities affecting multiple products compared to 2022, but there were 116 advisories in 2023 that affected multiple products (129 in 2022).
    • The number of advisories affecting multiple products has been in decline for a few years now, with 137 instances in 2021.
  • Most of the vulnerabilities were identifies for companies headquartered in six specific countries (~85%).
    • This includes Germany, which is explained by Siemens being headquartered there, Mitsubishi Electric being located in Japan, and companies like GE in the United States.

 

Like previous years, Siemens had the largest number of advisories in 2023. 30% of alerts in 2023 were related to Siemens (37% related to Siemens in 2022. The high number of advisories doesn’t mean that Siemens is less secure than their competitors, but instead that a lot of research and threat hunting has taken place for Siemens products and solutions. Over the last few years, many organizations have followed suit, with the percentage of self-reported advisories increasing.

 

Methodology & Data

To collect data for comparison to the observations published in 2022, the Verve research team applied a similar approach:

  • We collected all the ICS advisory results and CVEs.
  • We analyzed the results and reviewed for any discrepancies or gaps in the 2023 period:
    • The nature of the disclosure based on available data.
    • The cause noted in the advisories and the different CVEs they contained.
    • The consistency and exactitude of information contained in the advisories.
  • We compared the results with previous years to understand trends within the OT market and threat hunting.
  • We reviewed the results and aggregated them together into multiple dashboards for final analysis.

We analyzed each ICS-CERT advisory for severity, exploit vectors, link to product names and software versions, what the relevant risk entailed, etc. They were recorded, visited, and their information archived.

We checked if CVEs were missing/reserved, validated scores to determine if they were marked correctly and did the CPE strings reflect initial expectations (e.g., did the vendor’s name match, or was the product’s name correct?).

The information was cross-referenced with data from previous years to identify tendencies and changes in the ICS market.

Analysis & Findings

We have analyzed the ICS-CERT advisories. The data collected provides a comprehensive view of multiple vulnerabilities with publicly available information. The data shows that during the last five years, there’s been an increase in research on OT-specific vulnerabilities. The level of publication by different organizations across multiple industry verticals culminated in 2022 with 370 advisories, staying consistent in 2023.

At a high-level, we found an insignificant growth of 0.3% in the number of advisories published in 2023 compared to the 2022. This decline in growth has been observed since 2022 and could continue in the short term. However, with mounting pressure from governments and agencies for mandated transparency, we’ll likely see an increase of information readily and publicly available for asset owners to include in their risk and vulnerability management programs in the future.

Of the 371 ICS-advisories that were observed in 2023, the average CVSS score was 7.96 [High]. The average number of vulnerabilities (CVEs) per advisory was also significantly higher than one, even when excluding ICSA-23-348-10, the advisory previously mentioned that has more than 400 CVEs.

In addition to the above summary statistics:

  • 243 advisories (65%) were both exploitable remotely or from an adjacent network with low attack complexity, same as in 2022.
  • 116 affected multiple products (31%) compared to 129 (35%) in 2022, and 322 affected multiple versions (87%).
  • There was an average of 4.60 CVEs per advisory (3.31 in 2022), with four of the advisories having more than 50 CVEs:
    • ICSA-23-166-10 with 53 CVEs
    • ICSA-23-075-01 with 65 CVEs
    • ICSA-23-166-11 with 108 CVES, and of course
    • ICSA-23-348-10 with 404 CVEs

Discovery & Reporting

  • 185 ICS advisories were reported by researcher(s) (~50%) and 165 by company (~44.5%).
  • There was a reappearance of advisories published by Government(s) – 3 advisories (~1%), something that had not been seen since 2020.
  • 153 advisories were self/company reported, which means they were either reported by a researcher working for the company or the company itself reported the advisory to CISA.
    • This is almost the same amount as 2022, when 137 advisories were self-reported.
  • When looking at vendor CPEs in the advisories, our research team found around 20% had issues.
    • The issues ranged from reserved CVEs (CVE ID Not Found) to the absence of CPE in the CVE, third-party CPE in the CVE instead of the vendor ones, and even CVEs undergoing analysis or reanalysis.
    • While these numbers are large and growing, this analysis excludes two types of additional vulnerabilities: 1) those that vendors do not release publicly but share privately with their clients only, and 2) those that are still hidden in these “insecure by design” systems.

CVSS Ratings

The average CVSS scores have remained consistent over the years even as the number of CVEs increased drastically:

CVSS scores remained around 8 [HIGH] for the last five years. On average, there were 4.60 CVEs per CVSS in 2023, which is significantly higher than 2022.

While the number of CVEs per advisory has been relatively consistent, the overall number of CVEs increased by 483 between 2021 and 2022, as shown in the following graph.

  • This was a major increase considering that the number of advisories grew only by one.
  • Even if ICSA-23-348-10, the advisory with 404 CVEs was excluded from the data set, there would still be a significant increase of CVEs, with 79 additional CVEs for the same number of advisories (370).

We took a random sample of ICS advisories to establish the discrepancy between the CVSS score and the suggested scores from the CVE(s) they contained. We saw minor discrepancies but nothing alarming. Of course, some advisories had significant gaps between their scores and those attributed to the CVEs they contain.

A few examples:

  • ICSA-23-320-03 had a CVSS score of 9.1 and 3 CVEs, with scores suggested at 9.1 for one CVE, 7.5 for the second one and 9.8 for the 3rd one – with an average of 8.8. There is a slight discrepancy here, but the NVD considers both scores Critical.
  • ICSA-23-143-04 had a CVSS score of 7.8 and a total of 10 CVEs, with all the scores in the CVEs being 7.8, except for one. The only CVE that doesn’t have that score is CVE-2023-32281 because the CVE ID is currently Not Found.
  • ICSA-23-080-02 had a CVSS score of 9.8 and 13 CVEs, with CVE scores varying from 7.5 to 9.8. There is a slight discrepancy here, with most of the CVEs having a score of 8.8 (six ).

Small discrepancies between CVEs and CVSS scores is not major, but an important discrepancy could indicate that:

  • The CVSS score is not indicative of the criticality of the vulnerability and ideally should be changed – A CVSS score that doesn’t reflect the proper criticality of vulnerabilities could potentially lead to mismanagement by asset owners
  • The embedded CVE(s) and the advisory don’t match. The advisory could be for a certain vendor and product and the CVEs are related to a completely different source – leading to completely different scores.
  • There are a lot of CVEs embedded in an advisory and CISA chose one of the CVE scores (usually the highest) as the CVSS score.
    • In other words, if there are 7 CVEs in an advisory for example, 6 of those have a score of 7.5 and 1 is a 9.8, the average score should mathematically be 7.83, but CISA will most likely put a CVSS score of 9.8 to ensure asset owners know that there is a critical vulnerability in one of the CVEs in this advisory.

Vendor Disclosures

The OEM vendors with the most disclosures have stayed relatively consistent over the years with Siemens having the most advisories to its name.

The top positions slightly rotated between vendors, but the most prominent names return:

  • Siemens – 113 advisories in 2023, which represents ~30% of all the ICS advisories published in the year.
    • This was a decrease of ~18% for Siemens, with 137 ICS advisories published by and for the company in 2022.
  • Rockwell Automation – 31 advisories to its name in 2023. The second highest disclosing OEM in the year (4th in 2022).
  • The only change to the top 6 in 2023 was Schneider Electric, which made its way back to the top with 11 ICS advisories.

In 2023, there was a total of 112 OEMs with ICS advisories reported by CISA. However, this chart has multiple caveats that readers need to be aware of:

  • Many vendors are not reporting ICS vulnerabilities or sharing the vulnerabilities with affected customers. These vulnerabilities still exist but are not on the list of advisories.
  • Many products impacted by the ICS vulnerabilities are end-of-life and will not receive a patch or other corrective measure. Asset owners must add compensating controls around those products.
  • Many advisories impact third-party software and could impact vendors that are not listed in the advisory itself.
  • Of those vendors, many reported vulnerabilities to CISA, but for the most part, external researchers send the vulnerability to CISA. When a researcher reports a vulnerability to CISA, it does not mean the affected organization necessarily had previously known about it.

On an interesting note, CISA included this message in all Siemens advisories:

“As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).”

This message indicates that in recent years, some of the advisories that were published for Siemens products may have been recycled from previous advisories, with minimal modifications. With Siemens being the number one disclosing OEM for several years now, this create the following question: Are all newly published advisories really “new”, or just new versions of previously published ones? If it’s the latter, are they “recycled” advisories relevant to asset owners, or have these new postings created more confusion, false negative and false positive alerts, and in the end, very low value for asset owners?

Nevertheless, for this analysis, our team considered all the advisories that were published in 2023 (ICSA-23-***-**) without discriminating based on previously available information (as mentioned in the Executive Summary).

Industries Affected

Many ICS vulnerabilities impacted organizations whose business is in different industry verticals. This can be observed in the chart below where those observations can be made:

  • 132 advisories impacted “Multiple Sectors” but does not specify which ones
    • 147 in 2022 – With a decrease of 11%
  • 190 advisories only impacted one sector (e.g. only Energy)

The industries with the most ICS vulnerabilities found were Critical Manufacturing (42%), Energy (19%), and Commercial Facilities (8%). This information comes as no surprise as Critical Manufacturing and Energy have been the most impacted industries for several years, with the third position usually varying between Water & Wastewater Systems, Commercial Facilities, and Food & Agriculture, which this year dropped to almost 10th place (Assuming “Multiple Sectors” is excluded from that podium).

Other industries significantly targeted by the advisories/vulnerabilities found were Water & Wastewater (6%), Communications (4%) and Transportation (3%).

Historically, Critical Manufacturing and Energy are the two most targeted industries when it comes to OT/ICS. This is likely because many products produced in those verticals of the Critical Manufacturing sector are essential to many other sectors listed in advisories as defined by CISA.

For example:

  • Primary Metals Manufacturing (Iron & Steel Mills, Aluminum production and processing, etc.)
  • Machinery Manufacturing (Engine and Turbine Manufacturing, Power Transmission Equipment Manufacturing, Mining and Construction equip. manufacturing)
  • Electrical Equipment, Appliance, and Component Manufacturing (Electrical Motors, Transformers and generators)
  • Transportation Equipment Manufacturing (e.g. Locomotives, railroad equipment manufacturing)

 

Top Vectors & Issues

When comparing to 2022, we saw that 73% of the advisories could be exploited remotely, and 90% had a low attack complexity. In 2023, those numbers were nearly the same, with 70% being exploitable remotely. Around 90% of the CERT Advisories in 2023 could be exploited with a “Low Complexity” attack.

The details for 2022 are presented below:

Of the 371 ICS advisories that were observed, only four advisories had NO skills mentioned. This mean that most of the vulnerabilities mentioned in the advisories could be exploited using skills of various complexity.

Of those advisories:

  • 250 (67%) had multiple “skills” mentioned.
  • 26 had three skills mentioned, and four (4) had even more, with 4 skills mentioned.
  • 41 advisories mentioned having public exploits available (35), or “Known public exploitation” (6), both meaning that those vulnerabilities have been exploited in the past – with this being public knowledge.

201 unique vulnerabilities/issue values were found up from 198 in 2022. The top 5 vulnerabilities and their frequency within CVSS were as follows:

  • Improper Input Validation: ~10%
  • Out-of-bounds Write: ~10%
  • Out-of-bounds Read: ~9%
  • Path Traversal: ~7%
  • Cross-site Scripting: ~7%

 

The total number of vulnerabilities mentioned in the advisories is much higher than the number of advisories itself, with a total of 920 CVEs.

In previous years, there may have been lesser occurrence counts partially due to the overall numbers of CVEs being significantly lower (483 more CVEs in 2023 compared to 2022).

However, there are similarities between 2023 and 2022 when looking at the most common vulnerabilities that were reported by CISA in the ICS advisories. For example, Out-of-bounds Read, Out-of-bounds Write, Cross-site Scripting & Improper Input Validation were all part of the top 5 unique vulnerabilities in both years. The only difference in the top 5 was that, in 2022, Improper access control was the 3rd most common vulnerability, while it falls to the 6th position in 2023. Most of the top common vulnerabilities have stayed consistent the last couple of years.

Of the 201 unique ICS vulnerabilities that were found, only 21% (159) of the vulnerabilities identified impact more than five advisories. By adding all the vulnerabilities that impact many vendors, we find a total of 920 vulnerabilities for 371 advisories (All the advisories had specified vulnerabilities compared to 2022 where 1 of them had no specified vulnerabilities). In 2022, the total was 785 for 370 advisories.

ccording to the data our research team collected, 43% of the advisories, (~159 advisories) had more than one vulnerability associated with it. (One advisory had “Multiple” listed as “Type of vulnerability”, but this vulnerability wasn’t specified in the advisory.) This is the exact same percentage as the previous year but is still a significant number that asset owners and OT cybersecurity specialists should pay attention to. In the end, many of those advisories and vulnerabilities don’t have an all-inclusive fix or an easy solution for mitigation. Asset owners should use different criteria to prioritize their vulnerability and risk management. For example, asset owners could focus on CVEs / Advisories that are Critical [Score of 9-10], that have known exploits or, more importantly, vulnerabilities that could potentially be exploited on their critical systems, productions lines, etc.

 

Outstanding Advisories

During 2023, many advisories stood out from the others, whether by their sheer number of CVEs, by the impact they had/have on the market, by the number of products they affect, etc.

Here are a few examples of outstanding ICS CERT Advisories:

ICSA-23-166-11
ICSA-23-348-10
ICSA-23-313-01

Other vulnerabilities could also be listed above, such as ICSA-23-297-01 which has a CVSS rating of 10 and public exploits available, and many other critical vulnerabilities that asset owners and engineers should investigate to ensure that they mitigate the risks that these vulnerabilities could entail to the environment they manage/maintain.

Issues with CISA Advisories

Inconsistencies and underlying issues

CISA offers many different resources, with the Department of Homeland Security (DHS) and NIST (National Institute of Standards and Technology) being highly committed to offering actionable vulnerability data to organizations. However, in a world where so many researchers and companies constantly look for new vulnerabilities, whether we’re talking about conception flaws, code error, bugs, or something else, it’s difficult for a government agency to ensure consistency and uniformity in all published advisories, and by extension, that the different libraries they maintain are also syncing with one another.

Here are a few examples of inconsistencies:

Example 1 – Typos and Inaccurate Information

“CISA provides secure means for constituents and partners to report incidents, phishing attempts, malware, and vulnerabilities.” Advisories are usually the result of companies or researchers reporting to CISA. The information required to put in the vulnerability reporting form includes:

  • Have you attempted to contact the vendor?
  • Do you believe multiple vendors are affected?
  • What is the name of the affected product or software?
  • What version number of the product or software is affected?
  • What is the vulnerability?
  • How does an attacker exploit this vulnerability?
  • What does an attacker gain by exploiting this vulnerability? (i.e. what is the impact?)
  • How was the vulnerability discovered?
  • Is this vulnerability publicly known?
  • Is there evidence that this vulnerability is being actively exploited?
  • Do you plan to publicly disclose this vulnerability yourself?
  • Do you want us to share your contact information with vendors?
  • Do you want to be acknowledged by name in any published document about this vulnerability?

With this in mind, CISA doesn’t have much control on the information provided by those different actors. Even if each question in the form requires an answer, it is still CISA’s responsibility to validate this information and ensure conformity and accuracy of the data they receive before they make it publicly available. However, while completing this analysis, our research team found multiple instances where reliability was not intact:

  • ICSA-23-152-01, an Advantech WebAccess/SCADA advisory, had “Tawain” written as the company headquarters location instead of Taiwan.
  • ICSA-23-206-03, an Emerson ROC800 Series RTU and DL8000 Preset Controller advisory, had USA marked as the headquarter location instead of “United States” like all the other companies located in that country.
  • ICSA-23-136-02, a Rockwell ArmorStart advisory had Rockwell written as the affected company instead of Rockwell Automation like all the other ICS advisories from 2023 had.
  • When looking at multiple advisories for Mitsubishi Electric, there are multiple ways that CISA published their name. For example:
    • ICSA-23-103-15 had Mitsubishi Electric India
    • ICSA-23-026-05 had Mitsubishi Electric Corporation
    • ICSA-23-215-02 had simply Mitsubishi Electric
  • For skills, multiple examples of language differences can be seen:
    • Public Exploits Available can sometimes be Public Exploits ARE available, there is Exploitable via adjacent network, but also Exploitable with adjacent access, etc.

Example 2 – Missing Information

As mentioned previously, when companies or researchers find a vulnerability, something that should be in an ICS Advisory, they must fill out a relatively complex form. For the most part, the information that ends-up being published is consistent and of good quality – meaning that it is actionable for asset owners.

But, in certain cases, the underlying information is missing. A prime example are affected products. Many times, it’s been discovered in the published information, there were some versions of products that were in fact affected by the vulnerability and at risk of an exploit, but they were never flagged. By digging deeper into the analysis, many CPEs have been found missing for CVEs. So, even with the help of a third-party, those ICS advisories/vulnerabilities could get missed. This is one reason why companies need to be careful when they choose an asset management tool – It’s important to select a vendor that knows ICS/OT and the assets that live in the industrial world – so if the CPEs don’t exist on CISA’s website, they get at least created in the platform you use.

Example 3 – ICS Advisories VS. KEV Database: The Disconnect with OT

The examples listed above demonstrates it is not possible to completely trust the information available from the CISA advisories. To ensure the critical systems are safeguarded and protected, one needs to refer to additional sources of information.

This is where CISA comes in with yet another resource – The KEV database (Known Exploited Vulnerability). This database is a list of vulnerabilities published by CISA that inform asset owners on vulnerabilities that have public known exploits. In other words, it’s a list of vulnerabilities that have been the victim of a violation at least once.

It can be observed (as is detailed above in the analysis), that ICS advisories also mention which vulnerabilities have public exploits available. So how do those two compare?

In the KEV database, specific assets that are part of a typical OT network, such as PLCs, HMIs, etc., don’t appear. When searching in the filters for Rockwell Automation, Siemens or Schneider Electric for example, there are no results. All the CVEs that could be found were linked to IT or networking assets/software assets (e.g. Microsoft, Cisco, Android, Apache, Veeam, etc.) which doesn’t necessarily exclude that one of those CVEs could be associated to embedded software in an OT asset. When looking at various advisories, the our research team found one example of this:

  • ICSA-23-297-01, a Rockwell Automation Stratix 5800 and Stratix 5200 advisory, has two CVEs in it. Those two CVEs are not Rockwell Automation CVEs (CPE issues), but are in fact Cisco:
    • CVE-2023-20198, A Cisco IOS XE Web UI Privilege Escalation Vulnerability, is in the KEV database.
    • CVE-2023-20273, A Cisco IOS XE Web UI Command Injection Vulnerability, is also in the KEV database.

With CISA marketing the KEV database as “the authoritative source of vulnerabilities that have been exploited in the wild,” there is a disconnect to how this pertains to OT. This doesn’t make the KEV database irrelevant to OT, as OT networks do contain many computers, workstations, switches, firewalls, AV software, etc. But vulnerabilities with known exploits that are found in the ICS advisories should also be in the KEV database.

Challenges for Asset Owners

Examples 1 and 2 provide an overview of difficulties that asset owners face when identifying different vulnerabilities that impact their network and environment. Without a tool to parse through the data and provide both context and a comprehensive list of vulnerabilities per asset, it is easy for an overworked plant manager or operator to miss one of the vulnerabilities that could potentially be exploited and lead to a violation.

If an asset owner decides to run their own vulnerability management without help from a third-party, it is daunting to search for vulnerabilities and filter through the data. From typos, errors, or missing information, how does one make sure that no vulnerability or advisory falls through the cracks? It would be easy and perfectly understandable for an asset owner to miss one because they filtered on their region and “worldwide”, but some advisories were mislabeled, or they filtered on a product or company on their network, but one ICS advisory doesn’t get flagged by the search because the name is not listed the same in the advisory.

In example 3, knowing which vulnerabilities have been exploited previously by a threat actor has always been a catalyst for change. First, because “vulnerability does not mean exploitability”, but also because they are usually accompanied by horror stories from fellow cybersecurity specialists, asset owners and members of the industry. So, with these two lists of public exploits, which one should you trust? How do you decide which one to prioritize? Should you consider both as equal?

It’s important for asset owners to use more than just one source of information. By looking at multiple sources, vendors advisories, comparing the data and conducting strong analysis, asset owners can make informed decisions on how to prioritize their mitigation plans with their accepted level of risk, budget and security requirements (e.g. compliance) in mind.

Advice for asset owners:

Consider using more than one source of information. By comparing the data and conducting strong analysis, asset owners can make informed decisions on how to prioritize their mitigation plans with their accepted level of risk, budget and security requirements (e.g. compliance) in mind.

Remediation

The above summary can be overwhelming for an asset owner or site engineer, but our guidance on how to manage a mass of ICS vulnerabilities as risk remains the same:

  • Even if multiple actions can be taken without having visibility on the network, in order to get the best results, it is still a good start to really know which assets are living in your plant, how they interact together, the compatibility requirements, etc.
    • Companies should make sure they have a comprehensive asset inventory, including embedded devices, software, firmware, etc. This should be combined with data from vendors and sources such as CISA.
  • Organizations should assess the impact of the relevant advisories for their organizations and develop a remediation strategy to mitigate those vulnerabilities.
  • Organizations should ensure OT assets and systems are protected from inappropriate actions as well as malicious application operations.
    • Because of the natural “insecure by design” nature of OT devices and systems, operators need to assume that each device has unknown vulnerabilities and ensure the protection of assets.
  • Organizations should monitor the network for a potential exploit of one of the vulnerabilities.
  • Ensure you’re ready to react to a potential incident linked to one of the advisories/vulnerabilities affecting the environment.

Asset owners need to have a solid Risk Management program that includes reliable data and a good understanding of the network.

Using standards such as ISA 62443 can help start your cyber journey and create a robust cybersecurity program. By using the structured approach that is the CyberSecurity Management System (CSMS), companies learn how to go from conducting risk analysis (business rationale, risk identification, classification, assessment), to addressing risks with controls related to people, to adopting process and technologies (including selecting security countermeasures and implementing them), and monitoring and improving their cybersecurity management system.

Related Resources

Guide

2021-22 ICS Advisory Report

Download the 2021-22 ICS Advisory Report to uncover our key findings and predictions for what's to come.

Learn More
Guide

2022 ICS Advisory Report

Download the 2022 ICS Advisory Report to uncover our key findings and predictions for what's to come.

Learn More
Guide

The Ultimate Guide to Reading ICS Cyber Security Advisories Like A Pro

CVEs and advisories should not be scary – here are the basics to get anyone started.

Learn More