The ICS Advisory Project isn’t just Dan Ricci’s side project; it also exemplifies the need OT asset owners and operators have for collated, succinct vulnerability information about industrial control systems.
Ricci’s open source tool is a searchable dashboard that pulls vulnerability advisory information from a few sources, most notably ICS-CERT. The dashboard is intuitive, and information is searchable by vendor, product, and date range. There are also separate views broken out by critical infrastructure sector and by Common Weakness Enumeration (CWE) type.
In this episode of Claroty’s Aperture podcast, Ricci explains the motivations behind developing the dashboard. Having spent a portion of his career conducting cyber risk assessments, Ricci saw first-hand the challenges organizations face with vulnerability management for control systems.
“The first version of what would become the ICS-CERT Advisory dashboard was in Excel. I would use the simple data import function from websites provided in Excel to pull the list of ICS-CERT Advisories and parse out the vendor name and product, and added slices (or filters) in an Excel dashboard that could allow anyone to look up the advisory link for the vendors and products they cared about,” Ricci explained. “However, this approach would become cumbersome to maintain for the user if they weren't familiar with Excel data import functions and the formulas I had written in the Excel file. Basically, a snapshot in time is all the document would become.”
It quickly evolved into its current form, which lets anyone find vulnerability information regardless of vendor or product. Recently, Ricci said, he has added further dashboards—APT Profile for ICS and CISA KEV (Known Exploited Vulnerabilities) for ICS-CERT—based on the MITRE ATT&CK for ICS dataset and CISA’s KEV catalog.
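To make concrete what such a dashboard does under the hood (searchable by vendor, product, date range, sector and CWE, with a KEV cross-reference), here is a small, self-contained index written for this article. It is an added example, not code from the ICS Advisory Project, and every advisory, vendor, product, CVE id and KEV entry in it is constructed for illustration rather than taken from ICS-CERT or CISA.

```python
"""Minimal searchable advisory index, modelled on the dashboard described above.

All records below are constructed for illustration; they are not real
ICS-CERT advisories or real CISA KEV entries.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed, ICSA-style identifier
    vendor: str
    product: str
    published: date
    cwes: tuple        # CWE identifiers assigned in the advisory
    cves: tuple        # CVE identifiers the advisory covers
    sectors: tuple     # critical-infrastructure sectors affected


# Constructed sample data: vendors, products, CVE ids and CWEs are placeholders.
ADVISORIES = [
    Advisory("ICSA-EXAMPLE-001", "ExampleVendor", "PLC-100", date(2023, 1, 10),
             ("CWE-787",), ("CVE-0000-0001",), ("Energy", "Water")),
    Advisory("ICSA-EXAMPLE-002", "ExampleVendor", "HMI-Studio", date(2023, 3, 2),
             ("CWE-79", "CWE-287"), ("CVE-0000-0002", "CVE-0000-0003"), ("Manufacturing",)),
    Advisory("ICSA-EXAMPLE-003", "OtherVendor", "RTU-9", date(2022, 11, 20),
             ("CWE-787", "CWE-20"), ("CVE-0000-0004",), ("Energy",)),
]

# Constructed stand-in for the CISA KEV catalog: CVE ids known to be exploited.
KEV_CVES = {"CVE-0000-0003", "CVE-0000-0004"}


def search(advisories, vendor=None, product=None, start=None, end=None,
           cwe=None, sector=None):
    """Return advisories matching every supplied filter, oldest first.

    Vendor and product matching is case-insensitive; dates are inclusive.
    """
    out = []
    for a in advisories:
        if vendor and a.vendor.lower() != vendor.lower():
            continue
        if product and a.product.lower() != product.lower():
            continue
        if start and a.published < start:
            continue
        if end and a.published > end:
            continue
        if cwe and cwe not in a.cwes:
            continue
        if sector and sector not in a.sectors:
            continue
        out.append(a)
    return sorted(out, key=lambda a: a.published)


def group_by_cwe(advisories):
    """Map each CWE id to the advisory ids that cite it (the CWE view)."""
    groups = defaultdict(list)
    for a in advisories:
        for c in a.cwes:
            groups[c].append(a.advisory_id)
    return dict(groups)


def known_exploited(advisories, kev_cves):
    """Advisories with at least one CVE in the KEV set, with the matching CVEs."""
    hits = []
    for a in advisories:
        matched = tuple(c for c in a.cves if c in kev_cves)
        if matched:
            hits.append((a.advisory_id, matched))
    return hits


def vulnerability_history(advisories, vendor, product):
    """Chronological (date, advisory id) list for one product, for pre-procurement review."""
    return [(a.published.isoformat(), a.advisory_id)
            for a in search(advisories, vendor=vendor, product=product)]


if __name__ == "__main__":
    for a in search(ADVISORIES, vendor="ExampleVendor", start=date(2023, 1, 1)):
        print(a.advisory_id, a.product, a.published)
    print(group_by_cwe(ADVISORIES))
    print(known_exploited(ADVISORIES, KEV_CVES))
    print(vulnerability_history(ADVISORIES, "ExampleVendor", "PLC-100"))
```

The same filter functions would apply unchanged to records parsed from a real advisory feed; the KEV cross-reference is the piece an asset owner most wants, since it separates "has a CVE" from "has a CVE that is being exploited".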
“There are data points that I think a cyber threat analyst would find interesting and helpful, as well as a researcher,” Ricci said. “For an ICS/OT asset owner, it's easy for them to find vulnerability information about vendors and products they are using in their OT environment. It's also a way they could research a vendor's headquarters country if they are concerned about supply chain risk, and they could research a product's vulnerability history before procuring it for their environment.”