Security Alerts: Not All Vulnerabilities Are Created Equal

When the Cybersecurity and Infrastructure Security Agency’s U.S. Computer Emergency Readiness Team posts advisories for companies in myriad industries all over the country, warning them of “common vulnerabilities and exposures” in their industrial control systems, those companies’ security experts have to figure out if the warnings apply to them.

In an IT environment, receiving CISA alerts is a little more straightforward—systems administrators and cybersecurity professionals are likely to know what software they’re using, what version, whether it’s up to date, when the last time was that they made patches and so on.

In an ICS environment, such as an electricity generation plant, water treatment facility or manufacturing plant, operators and engineers are much less likely to know which version of a specific industrial control is installed, especially since such facilities may have hundreds, if not thousands, of components.

“Each individual CVE has to be responded to individually,” said Ron Fabela, chief technology officer of SynSaber, based in Chadler, Ariz., which provides ICS and operations technology cybersecurity and monitoring services to industry. “There will be an advisory for a broad line of products, and the asset owner has to identify which ones they have.”

Another reason they may not know: these kinds of facilities are in use for many years. Over the decades, equipment gets updated, replaced and modified. Employees, from janitors to chief operating officers, come and go. Keeping track of all these changes, then cross-referencing them against ISC warnings from CERT, isn’t especially feasible.

Finally, asset owners usually must work with their equipment manufacturers to get approval to patch. Otherwise, they may void any warranties on the equipment’s performance.

“There’s a lot of information about vulnerabilities, but not in an industrial context,” Fabela said. CISA “will report a vulnerability without having a plan to fix it. They will report vulnerabilities that have no patch—so-called ‘forever-day’ vulnerabilities.”

Fabela’s team thought there might be ways to make the ICS advisories more useful to facility owners, by identifying criteria—the same ones used by CERT—to sort out which CVEs have a low probability of exploitation, which CVEs do or don’t have remediations available, and how easy or difficult it is to implement the remediation. Then they released their findings for the first half of 2022 in a July 21 report to help facility managers prioritize.

“We tried to focus more on the availability of a fix, and the type and category of a fix,” he said. Forever-day vulnerabilities will be there until a facility is actually replaced, so in those cases mitigation is the only course of action, he added.

Fabela is glad that CERT issues the advisories. 

“The idea that these things should still be in the shadows isn’t going to improve anything. When CERT puts its authority on it, that gets attention,” he said. “We just looked at it from the perspective of what’s practical for an amplified attack, [and] what asset owners can do about it. It doesn’t change the data, but perhaps changes the perspective.”

Patrick Miller, CEO of Ampere Industrial Security in Portland, Ore., agrees with the report’s conclusions.

“I’m glad to see someone show this, with the evidence,” he said. “The industry has complained about this. It’s not as unrealistic as the industry says and not as useful as [the agency may think]. I’d call it mischaracterized usefulness.”

He said the alerts were an “imperfect” tool when they began, and that is compounded when they are applied to another technology.

“But they haven’t invented a better tool yet—that’s a lot of effort, a lot of vetting [and] NIST hasn’t been charged with it yet,” Miller said. “Not until we have things like this report calling out its imperfect information and usages.”

When asked about the report’s conclusions and recommendations, Eric Goldstein, executive assistant director for cybersecurity at CISA, provided a statement:

“CISA recognizes that every organization has different capabilities and needs, and industrial control systems are highly diverse. For these reasons, the severity of particular vulnerabilities may vary in different technology and enterprise environments. We encourage asset owners to review our vulnerability advisories and triage mitigations based on their own asset inventories, critical functions, and compensating controls. Our Known Exploited Vulnerabilities catalog is a great place to start: it includes both IT and ICS-specific CVEs that are being actively exploited in the wild. We also provide a range of services and information for everyone, from highly technical security professionals to those that need help prioritizing the most essential security measures. We will continue to work with our public and private sector partners to provide a range of services and information for all types of organizations.”

SynSaber’s Fabela noted that while the KEV catalog includes ICS vulnerabilities, there are very few public reports of their being exploited.

“The stories about tractors in Ukraine being shut down remotely—they’re not tied to a particular CVE, they’re more like an after-action report,” he said.