At the start of the Ukraine conflict, CISA issued a “Shields Up” alert to all critical infrastructure in an effort to stave off potential cyber attacks from Russia. 6 months later, the proverbial “shields” are still up but is the U.S. critical infrastructure more secure because of it?
I was wondering if I should have more security than I have being a manufacturing and industrial site. Indeed I saw a sharp peak of hits from Russia and Ukraine at the outset of the war. But it was only a blip. But what if I weren’t a media site but a critical infrastructure site?
Security information comes at me faster than to my friend Greg Hale who specializes on the subject at Industrial Safety and Security Source. Recently I talked with Ron Fabela, CTO of critical infrastructure cybersecurity firm, SynSaber. This company is working directly with operators across oil & gas, electric, water infrastructure and nuclear to maintain a “Shields Up” posture.
More than six months has passed since the initial flurry of war and increased cyber attacks in the US. I wondered what the state of “Shields Up” was these days. Have we kept up the urgency? Or have we learned to live with it?
Ron suggested that astute executives should have used the directives to get some much needed budget. He pointed out that one cannot sustain a high alert indefinitely. And that IT and security executives should not over hype the situation. Still, when attention is suddenly focused on a risk area, it makes sense to lay a plan and ask for budget to implement strategies. Plus, sometimes the government brings money with its directives, something that is always a big help.
Expanding on the topic, like its peers, SynSaber initiated a study to discover what reported Common Vulnerabilities and Exposures (CVEs) could tell us from the 681 CVEs reported via the Cybersecurity and Infrastructure Security Agency (CISA) ICS Advisories in the first half of 2022.
Breaking up the reported CVEs into remediation categories (i.e., can it be patched with software, a firmware update, or something more complex requiring protocol or whole system changes) or taking a look at attack vector requirements can provide critical insights for teams to assess these and future CVEs as they are reported.
We hope that by analyzing and counting these vulnerabilities with new methods, this context can be used by all industrial security teams to better understand and remediate future vulnerabilities.
Key Findings
● For the CVEs reported in 2022, 13% have no patch or remediation currently available from the vendor (and 34% require a firmware update)
● While 56% of the CVEs have been reported by the Original Equipment Manufacturer (OEM), 42% have been submitted by security vendors and independent researchers (remaining 2% were reported directly by an asset owner and a government CERT)
● 23% of the CVEs require local or physical access to the system in order to exploit
● Of the CVEs reported thus far in 2022, 41% can and should be prioritized and addressed first (with organization and vendor planning)
