What to do when ICS-CERT and NIST produce contradictory vulnerability analyses
Synopsis
Vulnerability disclosure organizations are considered the most important and reliable source of actionable information for vulnerability and risk assessment, including exposure data, exploit difficulty analysis and device vendor information. Because implementing corrective measures is costly, and not implementing them is risky, inconsistencies between vulnerability analyses are increasingly becoming a problem for the CSOs of ICS organizations.
We argue that the current vulnerability scoring system is not tuned to ICS, as it incorrectly and inconsistently weighs different impacts and misses some factors. Even NIST and ICS-CERT, the two main vulnerability disclosure organizations, are not always aligned.
The players
Two of the major vulnerability disclosure organizations are NIST and ICS-CERT.
While both organizations continuously provide new vulnerability feeds and their analyses, those analyses are not always identical, and in some cases are even contradictory. This makes it difficult for critical infrastructure operators to properly estimate the potential impact of vulnerabilities.
Between 2017 and 2018 Radiflow detected about twenty such inconsistencies in advisories released by ICS-CERT. The inconsistencies were not only in each vulnerability’s score but also in its detailed impact.
Anatomy of a vulnerability analysis discrepancy
For example, in ICSA-18-009-01, ICS-CERT released CVE-2017-16740 regarding Allen-Bradley MicroLogix 1400 Controllers, which stated that “Successful exploitation of this vulnerability could cause the [attacked] device to become unresponsive to Modbus TCP communications and affect the availability of the device.”
ICS-CERT gave this vulnerability an 8.6 (high severity) score, while NIST gave the same CVE a score of 10 (critical).
More interesting and confusing are the scoring notes for the vulnerability, which detail its potential impact (among other parts of the analysis). According to ICS-CERT, the vulnerability has zero impact on confidentiality and integrity; NIST predicts a HIGH impact on both confidentiality and integrity.
The detailed reports can be seen here:
What causes the inconsistencies between NIST and ICS-CERT?
To answer the question, Radiflow contacted ICS-CERT and NIST. ICS-CERT explained that its scoring details are formulated in coordination with the vendor and the researcher. Once the advisory analysis is complete, it submits the information to NIST. If NIST disagrees with ICS-CERT’s CVSS scores, it develops and publishes its own scores and analysis. NIST explained that it performs its scoring based on the vulnerability description, and that in the cases we pointed out to them, the description was aligned with their scoring.
Are you a “NIST” or an “ICS-CERT”? Take the Radiflow Survey to find out.
In light of the analysis inconsistencies between NIST and ICS-CERT, it’s clear that the fundamental requirement to adopt an accepted vulnerability scoring system is not enough, since it still leaves users free to interpret and apply the analysis in different ways (e.g. to decide whether the impact of a vulnerability is low or high).
More examples of scenarios where ICS-CERT and NIST are not aligned can be found in the under-five-minute Radiflow Vulnerability Analysis Survey, which allows participants to check whether their perspective is more ‘ICS-CERT’ or more ‘NIST’. The survey also includes further cases where the current scoring system is misleading.
In the survey, you’ll be asked to help in rating a few sample scenarios that represent the various currently-overlooked aspects that can impact holistic scoring.
Preliminary results will be presented at the S4 conference, where we will also demonstrate how Radiflow Analytics Systems deals with the scoring issues, and we will send you the full survey analysis report towards the end of January.
The results will hopefully help to create a more comprehensive approach to scoring and most importantly, you’ll be able to compare your stance with your peers’!