Saturday, July 20, 2024

Review - Public ICS Disclosures – Week of 7-13-24 - DTRH

During today’s Public ICS Disclosure research I ran across an interesting statement on the Rockwell advisories:

“Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.”

It looks like this is now part of the boilerplate for Rockwell advisories. Looking through past advisories it was added to the boilerplate in October of last year.

New (?) CISA Tool

The link provided in the Rockwell advisory leads to a CISA web page that has probably been around for a while now, but CISA does not date their pages, so no telling how long. That page notes:

“Carnegie Mellon University's Software Engineering Institute (SEI), in collaboration with CISA, created the Stakeholder-Specific Vulnerability Categorization (SSVC) system in 2019 to provide the cyber community a vulnerability analysis methodology that accounts for a vulnerability's exploitation status, impacts to safety, and prevalence of the affected product in a singular system. CISA worked with SEI in 2020 to develop its own customized SSVC decision tree to examine vulnerabilities relevant to the United States government (USG), as well as state, local, tribal, and territorial (SLTT) governments, and critical infrastructure entities. Implementing SSVC has allowed CISA to better prioritize its vulnerability response and vulnerability messaging to the public.”

The CISA tool allows users to prioritize vulnerability response at the user level, that is, for their own environment rather than relying on a vendor-wide severity score. The user provides information about an individual vulnerability and the tool assigns the vulnerability to one of the following response categories:

• Track – remediate within standard update timelines,

• Track* – remediate within standard update timelines, but monitor closely for vulnerability status changes,

• Attend – requires management attention, remediate sooner than standard update timelines, and

• Act – remediate as soon as possible.
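To show how a decision tree of this kind turns per-vulnerability answers into one of the four response categories, here is a small Python example. It is an added illustration, not CISA's or SEI's code, and the branch logic is a constructed simplification: the four decision points (exploitation status, whether exploitation is automatable, technical impact, and mission/well-being impact) follow the questions CISA's tree asks, but the exact outcome for each combination is an assumption of this example, not CISA's published tree.

```python
"""Toy SSVC-style decision tree (constructed example, not CISA's actual tree)."""

# Allowed answers for each decision point. The names follow the SSVC decision
# points; the outcome mapping below is an assumption made for this example.
EXPLOITATION = ("none", "poc", "active")
TECHNICAL_IMPACT = ("partial", "total")
MISSION_WELLBEING = ("low", "medium", "high")

# Rank used to sort advisories so the most urgent category comes first.
PRIORITY_RANK = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}


def ssvc_decision(exploitation: str, automatable: bool,
                  technical_impact: str, mission_wellbeing: str) -> str:
    """Return one of Track, Track*, Attend, Act for a single vulnerability."""
    if exploitation not in EXPLOITATION:
        raise ValueError(f"exploitation must be one of {EXPLOITATION}")
    if technical_impact not in TECHNICAL_IMPACT:
        raise ValueError(f"technical_impact must be one of {TECHNICAL_IMPACT}")
    if mission_wellbeing not in MISSION_WELLBEING:
        raise ValueError(f"mission_wellbeing must be one of {MISSION_WELLBEING}")

    if exploitation == "active":
        # Active exploitation: at minimum monitor closely; escalate on impact.
        if mission_wellbeing == "high" or (automatable and technical_impact == "total"):
            return "Act"
        if mission_wellbeing == "medium" or automatable or technical_impact == "total":
            return "Attend"
        return "Track*"

    if exploitation == "poc":
        # Public proof of concept but no known exploitation in the wild.
        if mission_wellbeing == "high" and (automatable or technical_impact == "total"):
            return "Attend"
        if mission_wellbeing == "high" or automatable or technical_impact == "total":
            return "Track*"
        return "Track"

    # No known exploitation: only the worst combination needs management attention.
    if automatable and technical_impact == "total" and mission_wellbeing == "high":
        return "Attend"
    if (automatable or technical_impact == "total") and mission_wellbeing != "low":
        return "Track*"
    return "Track"


def prioritize(advisories: list[dict]) -> list[tuple[str, str]]:
    """Assign a category to each advisory record and sort by urgency.

    Each record is a dict with keys: id, exploitation, automatable,
    technical_impact, mission_wellbeing. Returns (id, category) pairs.
    """
    decided = [
        (a["id"], ssvc_decision(a["exploitation"], a["automatable"],
                                a["technical_impact"], a["mission_wellbeing"]))
        for a in advisories
    ]
    return sorted(decided, key=lambda pair: (PRIORITY_RANK[pair[1]], pair[0]))


# Constructed sample advisories (identifiers are placeholders, not real CVEs).
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "exploitation": "none", "automatable": False,
     "technical_impact": "partial", "mission_wellbeing": "low"},
    {"id": "ADV-0002", "exploitation": "active", "automatable": True,
     "technical_impact": "total", "mission_wellbeing": "high"},
    {"id": "ADV-0003", "exploitation": "poc", "automatable": True,
     "technical_impact": "partial", "mission_wellbeing": "medium"},
    {"id": "ADV-0004", "exploitation": "active", "automatable": False,
     "technical_impact": "partial", "mission_wellbeing": "low"},
]

if __name__ == "__main__":
    for adv_id, category in prioritize(SAMPLE_ADVISORIES):
        print(f"{adv_id}: {category}")
```

The point of the structure is that the same vulnerability can land in different categories for different users: change only `mission_wellbeing` for a record and the output changes, which is exactly the "environment specific prioritization" the Rockwell boilerplate refers to.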


For more details about the SSVC, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-7-252 - subscription required.
