Thursday, May 19, 2022

Review - 1 Advisory Published – 5-19-22

Today, CISA’s NCCIC-ICS published one control system security advisory for products from Mitsubishi. CISA also published their analysis of the risk and vulnerability assessments (RVA) that they conducted in FY 2021.

Mitsubishi Advisory

This advisory describes two improper input validation vulnerabilities in the Mitsubishi MELSEC iQ-F series CPU modules.

FY 2021 RVA Analysis

CISA reports in their analysis document that they had conducted 112 risk and vulnerability assessments (RVA) of multiple stakeholders across various sectors in FY 2021. This document utilizes data collected during those RVAs to produce a sample attack path that a cyber threat actor could take to compromise an organization, using the weaknesses identified in FY21 RVAs.

CISA also provides an infographic that delineates the top three techniques CISA was able to use for each of the eleven tactics in its sample attack path, which is based loosely on the ATT&CK methods.

For more details on the advisory and the CISA RVA analysis, including my commentary on the efficacy of the recommendations made by CISA, see my article at CFSN Detailed Analysis (subscription required).
