Ensuring the security of industrial assets


An important step towards the cybersecurity future: CSAF 2.0 – a new standard for security advisories.

It’s a challenging task. Anybody responsible for the cybersecurity of a plant’s equipment regularly needs to download security advisories to ensure their assets are up to date. They need to read them, map them to their list of existing assets – and, if necessary, download patches. It’s a manual, laborious, at times even tiresome process, as today’s continued digitalization of industrial products brings with it a significant rise in the number of security advisories. Log4Shell certainly provided ample evidence of that. But all this work also leaves room for error. As such, it would undoubtedly be great to make this task easier and to automate those processes.

Machine-readable Advisories

It just so happens that help may be on the way. It comes in the form of the “Common Security Advisory Framework” (CSAF) 2.0, a new open standard that makes security advisories machine-readable. It has been developed by OASIS, a consortium of companies and organizations including Siemens, Microsoft, Dell, Oracle, Cisco, and the German Federal Office for Information Security (BSI). “As the Log4Shell vulnerability has shown us once again – with many advisories being published in a short timeframe – we learned that the status quo is not sustainable,” says Tobias Limmer, Principal Security Consultant at Siemens Technology, Siemens’s R&D unit. “We need automated processes to meet today’s challenges.”

As the name indicates, there was a CSAF before the current 2.0 version; it was released in 2011. Back then, the total number of reported vulnerabilities – around 4,200 worldwide per year – was only a fifth of the current number, so the need to automate the processes tied to advisories was not as great. Today, that has changed. And yet, more advisories don’t mean the software is decreasing in quality. The rising number of published (and fixed) vulnerabilities is rather due to more transparency, digitalization, more testing, and also regulations.


Advisories - automatically retrieved directly from manufacturers

But it’s not just the sheer number that poses a challenge. At the moment, there are numerous ways of notifying customers of new advisories, be it via email, Twitter, notification boards, websites aggregating security information (for example the Cybersecurity & Infrastructure Security Agency), or automated tools. Many of those entities compiling advisories are not up to date. On top of that, they regularly introduce errors. The use of different file formats increases complexity, and even within the same format, information often is not laid out in a standardized order.

CSAF 2.0 addresses these issues, as it can be automatically retrieved directly from manufacturers. It also allows experts to create a unified list of vulnerabilities that can be matched to the company’s assets. “The benefits are clear,” says Limmer. “An arduous, potentially error-laden process is automated, reaction times are faster, and overall security is increased.”

A new standard for advisories is, of course, just the beginning. Siemens already offers it to its clients and asks its suppliers to do the same. Other companies are already in the process of adopting it. And the more organizations that follow suit, the easier the process of handling security advisories becomes. “We are somewhat still in the advertising phase,” says Thomas Pröll, head of the Siemens ProductCERT Vulnerability Handling team. “But it shouldn’t be a hard sell – the advantages are obvious.”

That is not to say that there’s nothing else to be done; the CSAF standard is just the beginning. For example, future advisories could address not only affected products but specific configurations, too. Also, a hub for relevant CSAF 2.0 advisories could be created – a goal currently pursued by the BSI, which is working in close collaboration with vendors like Siemens on this task. Ultimately, the plan is to have an app that retrieves CSAF documents and automatically maps them to a company’s assets. Then a security expert, working faster and in a more targeted way than currently possible, can decide which devices need to be patched. “Making these decisions on what and when to patch most likely won’t be automated any time soon,” says Pröll. “Industrial assets are too complex, and interruptions have to be carefully planned. But everything that makes this process more reliable, secure, and faster is welcome – and CSAF 2.0 does just that.”
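The mapping step described above, as an added illustration that is not code from the article, from Siemens, or from the CSAF project: a constructed CSAF 2.0 advisory (following the schema’s product_tree, product_status and remediations layout) is matched against a constructed asset list, so that only assets whose product id is listed as known_affected come back with their vendor remediation. Product names, product ids and asset ids are made up for the example.

```python
import json

# Constructed, minimal CSAF 2.0 document (not a real advisory): product_tree
# assigns product_ids; each vulnerability lists those ids under product_status.
ADVISORY = json.loads("""{
 "document": {"title": "Example advisory (constructed)", "tracking": {"id": "EXAMPLE-0001"}},
 "product_tree": {"branches": [{"category": "vendor", "name": "ExampleVendor", "branches": [
   {"category": "product_name", "name": "Controller X", "branches": [
     {"category": "product_version", "name": "< V2.1",
      "product": {"product_id": "CSAFPID-0001", "name": "Controller X < V2.1"}},
     {"category": "product_version", "name": "V2.1",
      "product": {"product_id": "CSAFPID-0002", "name": "Controller X V2.1"}}]}]}]},
 "vulnerabilities": [{
   "title": "Example vulnerability (constructed)",
   "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]},
   "remediations": [{"category": "vendor_fix", "details": "Update to V2.1",
                     "product_ids": ["CSAFPID-0001"]}]}]}""")

# Constructed asset inventory; a real one would carry CPEs or serial numbers and
# match on the advisory's product_identification_helper instead of the display name.
INVENTORY = [{"id": "PLC-07", "product": "Controller X < V2.1"},
             {"id": "PLC-12", "product": "Controller X V2.1"}]

def product_ids_by_name(doc):
    """Recursively walk product_tree.branches and map product name -> product_id."""
    found = {}
    def walk(branches):
        for branch in branches:
            if "product" in branch:
                found[branch["product"]["name"]] = branch["product"]["product_id"]
            walk(branch.get("branches", []))
    walk(doc.get("product_tree", {}).get("branches", []))
    return found

def match_assets(doc, inventory):
    """Return (asset id, vulnerability title, remediation) for every asset whose
    product_id appears in a vulnerability's known_affected list."""
    ids = product_ids_by_name(doc)
    hits = []
    for asset in inventory:
        pid = ids.get(asset["product"])
        for vuln in doc.get("vulnerabilities", []):
            if pid is not None and pid in vuln.get("product_status", {}).get("known_affected", []):
                fix = next((r["details"] for r in vuln.get("remediations", [])
                            if pid in r.get("product_ids", [])), None)
                hits.append((asset["id"], vuln.get("title"), fix))
    return hits
```

Running match_assets(ADVISORY, INVENTORY) flags only PLC-07 with the vendor fix; PLC-12 is on the fixed version and is left alone.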

Hubertus Breuer

April 2022