To provide more information on the evolving threat landscape for ICS, Verve’s research team analyzed the various ICS advisories and CVEs that were released in the last couple of weeks.

In August 2022, the team analyzed a total of 36 ICS advisories. From those advisories, Verve observed the following data points:

  • An average CVSS score of 8.1, with an average of 2.7 CVEs per advisory.
  • The companies with the most advisories for the month of August are Siemens (5) and Hitachi Energy (5), followed by Emerson (4) and Honeywell (3).
  • 36% of the advisories published in August only affect one specific sector.
  • 22% of the advisories affect multiple products. All the advisories affect multiple versions.
  • 28% of the advisories were reported by companies and 72% by researchers.
  • 9 of the 36 ICS advisories published in August (25%) were either self-reported or reported by a researcher working directly for the OEM.

ICS Advisories - August 2022

While all of those vulnerabilities can be relevant to an asset owner or cyber security professional, some of the advisories stand out.

Vulnerabilities worth noting

The following advisories/vulnerabilities stand out from the others:

ICSA-22-223-03

ICSA-22-223-02

Other vulnerabilities could also be listed above, such as ICSA-22-216-01 and ICSA-22-242-11, which both have a CVSS rating of 10, ICSA-22-242-03, which has 13 CVEs associated with it, and other critical vulnerabilities that asset owners/engineers should investigate to ensure they mitigate the risks these vulnerabilities could pose to the environment they manage/maintain.

Vendor CPE issues & Timeline for CISA to provide details on associated CVEs

When it comes to ICS advisories, CISA gives an overview of the CVEs that have been assigned to the advisory. The detail of those CVEs generally includes a list of known affected software configurations, where an engineer or asset owner can look at the Common Platform Enumeration (CPE) entries to match the advisory against their own inventory.

Most of those CVEs and CPEs don't have issues, but sometimes no CPE is available, the CVE ID cannot be found or is restricted, or the record is incomplete because the CVE is still undergoing or awaiting analysis. This is usually uncommon; for example, in 2021, 27% of advisories had issues with the vendor CPE.

While updating the ICS vulnerability list on a recurrent basis, the Verve research team observed that 83% (30/36) of the August advisories had issues with vendor CPEs. This ratio is quite unusual given the gap between the figure for the entirety of 2021 (27%) and the figure for the month of August alone.

In many cases, this means it takes time for CISA to make the information on the CVEs available. After 1-2 weeks, the number of CVE IDs that couldn't be found dropped by half, bringing the percentage of vendor CPEs with issues down to 39%. Many CVE IDs from the advisories published on August 30th still cannot be found.

So, certain vulnerabilities might not be easy to mitigate quickly, as companies don't necessarily have the CVE numbers readily available to them, which is a problem when the impact of those vulnerabilities is high/critical. To mitigate the different vulnerabilities published by CISA, asset owners/engineers must therefore be proactive and put compensating controls in place rather than wait for the CVE details to be completed.
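The CPE gap described above is easy to track programmatically. The following is an added example (not Verve's or CISA's tooling): it classifies each CVE behind an advisory as complete, lacking CPE, still awaiting analysis, restricted, or not found, and computes the share of advisories with vendor CPE issues, which is the 83% / 39% style figure quoted above. The record layout mirrors the NVD 2.0 JSON shape as the author of this example understands it (`vulnStatus`, `configurations[].nodes[].cpeMatch[].criteria`); treat that as an assumption and adjust the accessors if the live schema differs. All advisory IDs, CVE IDs and records are constructed sample data.

```python
"""Classify the CVEs behind ICS advisories by how complete their public records are.

Added illustration, not the page's or any vendor's code. The record shape is an
assumption about the NVD 2.0 JSON layout; every ID and record below is constructed.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Statuses used while a record is not yet fully enriched (assumption about NVD values).
PENDING_STATUSES = {"Received", "Awaiting Analysis", "Undergoing Analysis"}

# Constructed lookup table standing in for the result of a CVE API query.
# A missing key models "CVE ID cannot be found"; None models a restricted entry.
SAMPLE_CVE_RECORDS: Dict[str, Optional[dict]] = {
    "CVE-2022-90001": {
        "vulnStatus": "Analyzed",
        "configurations": [{"nodes": [{"cpeMatch": [
            {"criteria": "cpe:2.3:o:examplevendor:plc_firmware:*:*:*:*:*:*:*:*",
             "versionEndExcluding": "2.5"}]}]}],
    },
    "CVE-2022-90002": {"vulnStatus": "Awaiting Analysis", "configurations": []},
    "CVE-2022-90003": {"vulnStatus": "Analyzed", "configurations": []},  # analyzed, no CPE
    "CVE-2022-90004": None,  # restricted / reserved entry
}

# Constructed advisories (placeholder IDs) mapping to the CVEs above.
SAMPLE_ADVISORIES: Dict[str, List[str]] = {
    "ICSA-EXAMPLE-01": ["CVE-2022-90001"],
    "ICSA-EXAMPLE-02": ["CVE-2022-90001", "CVE-2022-90002"],
    "ICSA-EXAMPLE-03": ["CVE-2022-90003"],
    "ICSA-EXAMPLE-04": ["CVE-2022-90004", "CVE-2022-90005"],  # 90005 absent entirely
}


def extract_cpes(record: dict) -> List[str]:
    """Flatten every CPE match string out of a record's configuration tree."""
    return [
        match["criteria"]
        for config in record.get("configurations", [])
        for node in config.get("nodes", [])
        for match in node.get("cpeMatch", [])
        if "criteria" in match
    ]


def classify_cve(cve_id: str, records: Dict[str, Optional[dict]]) -> str:
    """Return one of: ok, no_cpe, awaiting_analysis, restricted, not_found."""
    if cve_id not in records:
        return "not_found"
    record = records[cve_id]
    if record is None:
        return "restricted"
    if record.get("vulnStatus") in PENDING_STATUSES:
        return "awaiting_analysis"
    return "ok" if extract_cpes(record) else "no_cpe"


def advisory_issues(cve_ids: List[str], records: Dict[str, Optional[dict]]) -> Dict[str, str]:
    """Map each problematic CVE in an advisory to its issue kind (empty dict = clean)."""
    issues = {cve: classify_cve(cve, records) for cve in cve_ids}
    return {cve: kind for cve, kind in issues.items() if kind != "ok"}


def cpe_issue_ratio(advisories: Dict[str, List[str]],
                    records: Dict[str, Optional[dict]]) -> Tuple[int, int, float]:
    """Count advisories with at least one CPE issue; return (affected, total, percent)."""
    affected = sum(1 for cves in advisories.values() if advisory_issues(cves, records))
    total = len(advisories)
    return affected, total, round(100.0 * affected / total, 1) if total else 0.0


def issue_breakdown(advisories: Dict[str, List[str]],
                    records: Dict[str, Optional[dict]]) -> Counter:
    """Tally issue kinds across all CVEs so the dominant cause (e.g. not_found) is visible."""
    return Counter(kind for cves in advisories.values()
                   for kind in advisory_issues(cves, records).values())


if __name__ == "__main__":
    affected, total, pct = cpe_issue_ratio(SAMPLE_ADVISORIES, SAMPLE_CVE_RECORDS)
    print(f"initial check: {affected}/{total} advisories with CPE issues ({pct}%)")
    print(dict(issue_breakdown(SAMPLE_ADVISORIES, SAMPLE_CVE_RECORDS)))
    # Re-run a couple of weeks later after the pending record has been enriched (constructed).
    later = dict(SAMPLE_CVE_RECORDS)
    later["CVE-2022-90002"] = later["CVE-2022-90001"]
    affected, total, pct = cpe_issue_ratio(SAMPLE_ADVISORIES, later)
    print(f"re-check: {affected}/{total} advisories with CPE issues ({pct}%)")
```

Running the re-check on a schedule, as the research team did, shows which advisories are waiting on CISA/NVD enrichment versus which have a restricted or unpublished CVE; the latter are the ones where an asset owner cannot rely on CPE matching and must fall back to the vendor's own product and version list.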

Forecasting what’s to come in 2022

With all of this in mind, what can asset owners expect for the coming months? In 2021, we saw ICS-CERT release 354 ICS-related advisories spanning 82 vendors/OEMs, 1,198 CVEs containing references to different products, and a matrix of affected versions. With an average advisory score of 7.91 and an average number of 3.38 CVEs per advisory for 2021, how does it compare to the current year?

Based on the data available so far, 2022 might bring:

  • Slightly more advisories than in the previous year (242 so far at the end of August, with new ones being published every week).
  • A bigger variety of vendors, but still with Siemens as the OEM with the most advisories published in the year.
  • An average CVSS score and number of CVEs per advisory similar to the previous year. This would contrast with earlier years, when both numbers rose every year.

Verve Industrial and our objective

Verve Industrial’s mission is to help industrial clients ensure the security and reliability of their most critical assets: their industrial control systems. Verve brings over 25 years of ICS/OT controls experience to help clients achieve rapid and lasting improvement in their Operational Technology (OT) security.

Our foundation in industrial controls engineering is core to our mission to help operators protect these critical assets that keep modern civilization operating effectively. We act as a true partner to our clients in their security and reliability journey. We walk alongside our clients to help them increase the maturity of their systems and processes over time.

One of the key challenges our clients face is the flood of new vulnerabilities released each year for ICS. They are often overwhelmed by the scale of these emerging risks. Our goal with this analysis is to bring some clarity to the task at hand, some visibility into the types of threats, and some recommendations about what actions an organization can take to address these risks.

2021-22 ICS Advisory Report

See our full analysis on the ICS Advisories from 2021 and what this could mean for 2022.

