Vulnerability Information and Threat Intelligence

In order to develop a robust security posture, All stages of the Cyber Security Management System (CSMS) require to be driven by information about vulnerabilities and informed by assumptions about malicious activity (threats). Combining an understanding of IACS vulnerabilities with awareness of adversaries’ tactics, techniques and procedures (TTPs) helps an organisation develop a proactive, rather than reactive, approach to cyber security and assists business decision makers in targeting investment to mitigate security risks.

The analysis of your business risks needs to be based on a thorough understanding of what you are trying to secure, from the simple network diagram and IACSIndustrial Automation and Control Systems asset register, and what outcomes, identified during Risk Assessment, you are trying to prevent. This allows organisations to focus on risks relevant to their IACS install base and industry sector.

The extent of vulnerability information and threat intelligence an organisation can gather and the efficiency with which the information can be used to enhance the security posture will depend on the maturity of an organisation’s security program and the resources available to analyse and act on vulnerability information and threat intelligence but the following sources should be included (where practicable):

Site operational experience e.g.:

• IACS operation and maintenance reports
• IT security reports
• Physical security incident reports
• Incident response exercise findings
• Human Resources staff onboarding and offboarding registers

Wider industry / sector attack reports e.g.:

• Relevant industry information sharing platforms
• NCSC ICSIndustrial Control System Community of Interest

Vulnerability Information Sharing Platforms e.g.:

• Vendor vulnerability and patch notifications
• NCSC Cyber Security Information Sharing Partnership (CISP)
• US Cybersecurity & Infrastructure Security Agency (CISA) ICS-CERT advisories
• Mitre CVE List

Security monitoring / threat detection data e.g.:

• Operating system and application generated logs showing -
• Communication with external networks / internet
• Authentication and access attempts
• Computer asset and configuration data
• Anomaly detection based on an understanding of normal system behaviour and recognition of indicators of malicious intrusion (where implemented by an organisation).