Only 28% of Advisories Help Mitigate Risks

In its second annual review of vulnerabilities and threat group activity specific to industrial control systems (ICS), Dragos found that the majority of the public vulnerability advisories it tracked in 2018 were network exploitable. The Year in Review comprises three parts: The Industrial Controls System Vulnerabilities Report; ICS Activity Groups and the Threat Landscape Report; and, new this year, Lessons Learned from Hunting and Responding to Industrial Intrusions Reports, authored by Dragos co-founder and CEO Robert M. Lee.

Although 68% of the advisories were network-exploitable vulnerabilities, only 28% of these network-exploitable advisories provided mitigation advice sufficient to take effective action, according to the report.

"There was a surprisingly high error rate among the advisories published by ICS-CERT," said Reid Wightman, senior vulnerability researcher. "I think there is a public perception that the organization fact-checks advisories, but either they don't do it or aren't doing it very well. It is great to see, though, that when vendors collaborate with researchers to disclose vulnerabilities, the error rate significantly decreases. I hope we see more of that in the future."
