Vulnerability Management
Operational Technology
Operational Resilience
Cyber Resilience
Industrial

Nexus Podcast: Dan Ricci on Four Years of the ICS Advisory Project

Michael Mimoso / Mar 11, 2026


The ICS Advisory Project recently enjoyed its fourth anniversary. In that short period of time, the project has been embraced as a top security industry resource for vulnerability advisories related to operational technology (OT) and industrial control systems (ICS).

Founder Dan Ricci spends up to 20 hours weekly collecting advisory information and building out the site’s 31 dashboards, and there are no signs of slowing down, he said on a recent episode of the Nexus Podcast.

“I think it’s going to get a lot easier soon. With some of the capability that you can do coding with AI will really help us move it on to version 2.0 and actually make slicker dashboards, smoother UI and UX for users,” Ricci said. “We’ll also look at expanding out to an on-premise capability so people can use it behind the firewall and not have to worry about exposing what they’re looking at online through a web application by visiting the website.”

ICS Advisory Project Use Cases

Ricci has taken care not to pair exploit information with CVE advisories and other data around OT and ICS security issues, mindful of whether a malicious entity could be monitoring the site as a resource.

“It’s there, and it could be used for good and bad. And that’s always the deal with any public release of vulnerabilities,” Ricci said, conceding there are other online resources that do pair proof-of-concept exploits with vulnerability data. “It’s good insight, but it also provides a perfect target package for an adversary to put together something (payloads vs. targets).”

Ricci said he makes use of the advisory data he stores, parses, and shares in capture-the-flag competitions, and is aware of vendor and independent research teams making use of the myriad dashboards. 

“It is used in SOCs (security operations centers) for monitoring. I think it’s developed a reputation for being a reliable source of information,” Ricci said, adding that the dashboards are thorough in that entries link back when possible to original equipment manufacturers’ advisories and product pages in order to verify that information matches up. 

“I want to maintain the integrity of that data as much as possible,” Ricci said. 

While most of the advisories on the project reflect the reporting of the Cybersecurity and Infrastructure Security Agency (CISA), Ricci said he has added dashboards that reflect vulnerability information from other sources that aren’t always covered by CISA, including CERT@VDE, a German security platform for industrial companies.

Separately, another of Ricci’s favorite dashboards correlates CVEs across vendors, showing how vendors are using the same software libraries in their products and how the vulnerability information reveals that overlap.

“I think that’s a cool correlation you can see in the ICS advisory dashboard for other CERTs and vendors,” he said.

Michael Mimoso
Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
