Chasing the 0Day Threat

The topic of 0Day threats, or 0Day vulnerabilities, certainly gets a lot of press, and probably for good reason. The common notion is that 0Day vulnerabilities are the ones that can cause the most harm because they are the ones you’re not prepared for. The industry has matured significantly from the days (and yes, I can actually remember those days) when hackers demonstrated their skill for bragging rights. These days we have sophisticated markets where vulnerabilities are bought and sold, and I am sure it does not surprise anybody reading this that there is also a lucrative black market for vulnerabilities, every bit as pervasive as the legitimate market.

However, with all this attention on the 0Day, what about the so-called common vulnerabilities? These are the vulnerabilities that have been captured and cataloged in the Common Vulnerabilities and Exposures (CVE) database (http://cve.mitre.org/), as mentioned in my previous post. The CVE database contains over 34K entries, and the most interesting thing to note is that while all of these are published (in other words, anybody has access to them), many devices, systems, and networks are still not protected against them. So we have many people scurrying around trying to patch the 0Day vulnerabilities, yet the vulnerabilities that are well known and published continue to cause problems.

Many of the major outbreaks in recent years were malicious code that took advantage of one or more vulnerabilities that should already have been patched. Many vendors are highly responsible in responding to vulnerabilities with patches, mitigation steps, or other workarounds. However, not every industrial control system (ICS) in use today has a vendor that’s still in business. Sometimes the operators are on their own to implement mitigation measures until a patch or new software version becomes available, perhaps several months or even a year later. Managing this gap in the “find-to-fix” cycle is a significant challenge for the owners and operators of ICS.

What is the best way to manage the “find-to-fix” cycle? What is the best way to handle patches? These are very basic questions within the ICS industry that have not gone away; in fact, they seem to have intensified along with the complexity and heterogeneity of our networks.

I can only hope that the various agencies and institutes that fund R&D in cyber security aren’t so totally fixated on the problem du jour that they forget yesterday’s problems aren’t completely solved yet.

- Perry