Wednesday, February 04, 2009
As of today, the Common Vulnerabilities and Exposures (CVE) database, hosted by the Mitre Corporation (http://cve.mitre.org/) for the Department of Homeland Security (DHS), contains 34,542 entries. That may not seem like a large number, but any one of those entries can translate to many affected installations in the field. While the contents of this database are very important in the IT world, helping security practitioners ply their trade, build rule sets, and so on, there is a glaring lack of information on industrial control systems (ICS).
A search of the CVE database using “SCADA”, “DCS” or “PLC” as a search term returns 9 entries, roughly 0.03% of the total (9 of 34,542). A keyword search is a blunt instrument, since an entry that describes a vendor-specific controller or HMI product without using one of those acronyms is not counted, but it gives the order of magnitude. By comparison, researchers in the ICS industry suggest that a reasonable representation in CVE would be about 10%. In other words, ICS vulnerabilities appear in CVE at well under 1% of the rate those researchers consider reasonable. So, what does this mean to the ICS world? It means that the current contents of the CVE are not nearly as useful as they could be to the ICS community and the critical infrastructure we are trying to protect.
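The keyword count above is easy to reproduce, and its main weakness (an acronym search misses entries that spell out the product class) is easy to see in code. The following Python is an added example, not part of the original post and not MITRE's tooling; it runs over a handful of constructed placeholder entries (the SAMPLE-n ids and descriptions are made up, and 'plcsync' is a hypothetical product name) rather than the real CVE feed, and the broader ICS term list is this example's assumption, not the post's.

```python
import re

# The three terms the post searched for, and a broader ICS vocabulary
# (the broader list is this example's assumption, not the post's).
NARROW_TERMS = ("SCADA", "DCS", "PLC")
BROAD_TERMS = NARROW_TERMS + (
    "programmable logic controller", "distributed control system",
    "industrial control", "HMI", "Modbus", "DNP3", "OPC",
)

# Constructed placeholder entries, not real CVE records. 'plcsync' is a
# hypothetical product name used only to exercise the word-boundary check.
SAMPLE_ENTRIES = [
    ("SAMPLE-1", "Buffer overflow in the web interface of a SCADA HMI allows remote code execution."),
    ("SAMPLE-2", "Cross-site scripting in an office document viewer."),
    ("SAMPLE-3", "Hard-coded credentials in a programmable logic controller's Modbus/TCP service."),
    ("SAMPLE-4", "Denial of service in a DCS operator console via malformed OPC packets."),
    ("SAMPLE-5", "Privilege escalation in a desktop PDF reader."),
    ("SAMPLE-6", "Malformed DNP3 frames crash the outstation firmware of a substation gateway."),
    ("SAMPLE-7", "Directory traversal in the 'plcsync' file upload handler."),
]


def ics_pattern(terms):
    r"""Whole-word, case-insensitive alternation over the given terms.

    The \b anchors stop 'PLC' from matching inside tokens such as 'plcsync'.
    """
    alternation = "|".join(re.escape(t) for t in terms)
    return re.compile(r"\b(?:" + alternation + r")\b", re.IGNORECASE)


def find_ics_entries(entries, terms):
    """Return the ids of entries whose description matches any term."""
    pattern = ics_pattern(terms)
    return [cve_id for cve_id, description in entries if pattern.search(description)]


def share_percent(hits, total):
    """Percentage of total represented by hits, rounded to 3 places."""
    return round(100.0 * hits / total, 3) if total else 0.0


def coverage_report(entries):
    """Count ICS hits under both term lists so the undercount is visible."""
    narrow = find_ics_entries(entries, NARROW_TERMS)
    broad = find_ics_entries(entries, BROAD_TERMS)
    return {
        "total": len(entries),
        "narrow_hits": narrow,
        "broad_hits": broad,
        "narrow_pct": share_percent(len(narrow), len(entries)),
        "broad_pct": share_percent(len(broad), len(entries)),
    }


if __name__ == "__main__":
    # The post's own figure: 9 hits out of 34,542 entries.
    print("post's keyword share: %.3f%%" % share_percent(9, 34542))
    report = coverage_report(SAMPLE_ENTRIES)
    print("narrow terms matched:", report["narrow_hits"], "(%.1f%%)" % report["narrow_pct"])
    print("broad terms matched: ", report["broad_hits"], "(%.1f%%)" % report["broad_pct"])
```

On the constructed sample the three-acronym search finds two of the four ICS entries; the spelled-out controller and the DNP3 gateway entry are only picked up by the broader vocabulary, and the word-boundary anchor keeps the hypothetical 'plcsync' product from counting as a false positive. Swapping SAMPLE_ENTRIES for the real (id, description) pairs from a CVE export gives the same two-way comparison on live data.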
So, what are the roadblocks to making this happen? The tools are available and the standards exist to build a process to feed the CVE with ICS vulnerability information, so that isn’t the problem. Is it the IT-centric language used to describe vulnerabilities in the CVE? Perhaps what we need is an extension to the Common Vulnerability Scoring System (CVSS, an open public standard for scoring vulnerabilities: http://www.first.org/cvss/) to accommodate ICS-specific vulnerability descriptors. Perhaps if there were ICS-appropriate CVSS extensions, the CVE content would be more relevant and useful.
It may be difficult to quantify the value to the ICS community and our society in expanding the content of the CVE to include ICS data, but it is easy to qualify. Just imagine the IT world trying to provide a reasonable measure of protection without the CVE. The economic damage that would result from the loss of the CVE would be huge and represents a common interest of everyone in society.
The value of having the CVE populated with the appropriate level of ICS vulnerability data will be immediately obvious to the owners and operators of critical infrastructure. Likewise, it will be immediately obvious to the general public that we should somehow figure out a way to get this done and share that information.
- Perry