Aperture Podcast: Richard Thomas and Joe Gardiner on CVE Discovery Times for ICS
Michael Mimoso | Claroty Editorial Director | November 30, 2020
Industrial cybersecurity has a vulnerability problem: Security flaws can linger for anywhere between five and 14 years before they’re discovered, and CVEs and advisories lack this vital information and are also inconsistent in aligning affected products with their proper Common Platform Enumeration (CPE).
As the paper points out, vulnerability information must be pertinent and actionable, and any inconsistencies could leave vulnerabilities unaddressed or put industrial control systems and devices at risk of attack. This is what set Thomas, Gardiner, and their co-authors on this journey of illuminating these risks, especially as air gaps continue to be a safeguard of the past in ICS circles, patching struggles mount, and threat detection becomes a vital piece of any IT/OT convergence and security strategy.
“By having this information, the asset owner has a clearer understanding of these risks. They can then identify whether unexpected behaviour exhibited in their infrastructure occurred during this window and understand the potential impact to their environment,” the paper states. “Without understanding their potential exposure, or being able to confidently state that they are not affected, the risk of exploitation is not appreciated and asset owners may overlook the risk.”
Some highlights of this wide-ranging conversation:
A characterization of the state of ICS patching
Insight into why vulnerabilities persist in ICS devices
The often-manual process undertaken for analyzing the dataset used by the researchers in developing this paper
A set of extensive recommendations for improvements