Quantifying Risk For Devices Without Published Vulns

Details
Title | Quantifying Risk For Devices Without Published Vulns |
Author | S4 Events |
Duration | 23:20 |
File Format | MP3 / MP4 |
Original URL | https://youtube.com/watch?v=Jpj7zzsPHQg |
Description
How does an asset owner determine the amount and criticality of vulnerabilities in OT devices and applications that have received little or no attention? Yair presents an approach to answering this question.
While common devices from leading vendors such as Siemens, Rockwell, and Schneider Electric are rigorously assessed and supported by detailed advisories, many less common OT devices are not. 67% of vendors in CISA OT advisories have appeared only once in the past seven years. It's not unusual to find an OT vendor with no CVEs whose devices harbor low-hanging vulnerabilities, such as broken authentication, insecure channels, and hardcoded credentials, that attackers can easily exploit.
Yair introduces a new open-source framework designed to assess risks in OT/IoT networks more realistically. The framework takes into account both static data about the vendor and specific device family (including vendor size, number of identified vulnerabilities, model/family distribution, and availability to the public) and dynamic attributes related to the specific device detected (such as open services, service types, firmware release date, and the specific nature of the device).
If this catches on, it could become a community-driven project, with open sharing of the attributes and algorithms used for public critique and customization.