Yesterday, I had an interesting question put to me over on LinkedIn about my post last Tuesday on CISA’s control system security advisories. Taisia Berg asked: “Which of these advisories do you think will have the biggest impact on operators this week?” Quite aside from the fact that each facility is going to have its own unique mix of operational technology (and thus there will certainly be many facilities that are not affected by any of these eight advisories), manufacturing facilities generally are not able to respond to vulnerabilities on a daily or even weekly basis. Unless they can patch while operating (really not a good idea), they typically must wait for the next scheduled shutdown to patch any vulnerable equipment, and that could be months away.
Having said all of that, this particular set of advisories presents a unique set of circumstances. The three ABB advisories relate to vulnerabilities that were all disclosed by the vendor back in January. The Hitachi Energy vulnerabilities were disclosed last week. One would like to think that owners of the affected devices/software would already have started their internal risk assessment and mitigation process for those vulnerabilities.
So, what is the whole point about the CISA advisories, or gadflies like me writing about them? It is all about expanding the communications network that allows facilities to become aware of vulnerabilities in their equipment. In a perfect world (well almost perfect, vulnerabilities still exist) vendors would directly notify owners of their devices/software of each vulnerability as it was identified. But that is not practical because vendors frequently (usually?) sell through intermediaries and equipment frequently changes hands on resale markets. So, push notifications are not a total solution (probably not even a reasonably useful solution).
Since many (certainly not all) vendors publish advisories for vulnerabilities in their products, one would expect owner/operators to watch the vendors' web sites for new advisories and updates. Since facilities may often have dozens (maybe hundreds) of different OT vendors to deal with, this could be a very time-consuming process (as I am acutely aware). So, CISA advisories and blog posts like this are a shortcut to identifying new vulnerabilities (and updated information).
Of course, CISA advisories also provide another important function. Security researchers who have not been able to successfully contact a vendor with a vulnerability notification can contact CISA to act as an intermediary. Even if CISA is similarly unable to coordinate with the vendor, they can issue an advisory based upon the researcher’s information.
So, the unfortunate (and decidedly unhelpful) answer to the reader’s question is: “It depends.”