Federal cybersecurity agency issues 10 advisories for industrial control systems

The Cybersecurity and Infrastructure Security Agency (CISA) on Aug. 7 issued 10 industrial control systems (ICS) advisories, continuing its pledge to focus on critical infrastructure security in spite of layoffs and funding cuts.

Security pros said while it’s important for CISA to spread awareness about the importance of protecting the nation’s 16 critical infrastructure categories, it’s still up to organizations in these important sectors to make security a priority.

“ICS vulnerabilities are latent kill switches built into the machinery that runs cities, grids, and factories,” said Nic Adams, co-founder and CEO at 0rcus. “CISA’s advisories are valuable, however, real impact depends on whether operators can execute effective patching and hardening in live environments. The so-called gap between advisory release and remediation is where adversaries execute fastest.”

Evan Dornbush, chief executive officer at Desired Effect, added that with CISA's diminished capacity, the responsibility of cybersecurity has been pushed to state and local governments, many of which are already underfunded and ill-equipped to handle these threats – and the hackers know it.

“However, while government efforts are strained, non-governmental initiatives are stepping up to fill the void,” said Dornbush. “The private sector is becoming more self-reliant, investing in proactive solutions that provide vulnerability intelligence.”

Dornbush pointed to the Civilian Reserve Information Sharing and Analysis Center (CR-ISAC) as one example, which has organized vetted civilian volunteers to defend humanitarian and critical lifeline sectors.

“At Black Hat a few days ago, Jake Braun's DEF CON Franklin program announced it’s scaling a free, volunteer-powered model to help protect thousands of U.S. water systems,” said Dornbush.

Here a list of the 10 ICS advisories CISA posted Aug. 7: