Michael Mimoso | Claroty Editorial Director | November 30, 2020

Industrial cybersecurity has a vulnerability problem: Security flaws can linger for anywhere between five and 14 years before they’re discovered, and information provided in CVEs and advisories lack this vital information and are also inconsistent in aligning affected products with their proper Common Platform Enumeration (CPE).

These are two takeaways from a recently published academic paper called “Catch Me If You Can: An In-Depth Study of CVE Discovery Time and Inconsistencies for Managing Risks in Critical Infrastructures.” Two of the paper’s six co-authors, Richard Thomas of the University of Birmingham (U.K.) and Joe Gardiner of the Bristol Cyber Security Group, University of Bristol (U.K.), discuss the paper in this episode of Claroty’s Aperture podcast.

Download this episode of Aperture here.

As the paper points out, vulnerability information must include pertinent and actionable information, and any inconsistencies could leave vulnerabilities unaddressed or put industrial control systems and devices at risk for attacks. This is what set Thomas, Gardiner, and their co-authors, on this journey of illuminating these risks, especially as air gaps continue to be a safeguard of the past in ICS circles, patching struggles mount, and threat detection becomes a vital piece of any IT/OT convergence and security strategy.

“By having this information, the asset owner has a clearer understanding of these risks. They can then identify whether unexpected behaviour exhibited in their infrastructure occurred during this window and understand the potential impact to their environment,” the paper states. “Without understanding their potential exposure, or being able to confidently state that they are not affected, the risk of exploitation is not appreciated and asset owners may overlook the risk.”

Some highlights of this wide-ranging conversation:

  • A characterization of the state of ICS patching
  • Insight into why vulnerabilities persist in ICS devices
  • The often-manual process undertaken for analyzing the dataset used by the researchers in developing this paper
  • A set of extensive recommendations for improvements.


Subscribe, rate, and review the Aperture podcast on all the major platforms, including Apple Podcasts, Spotify, and elsewhere.