An interesting and potentially important technical paper was published near the year-end holidays and didn’t get the attention it deserved: Vulnerability Forecasting: In Theory and Practice by Éireann Leverett, Matilda Rhode and Adam Wedgbury of Airbus. The authors make the bold claim that it is possible to predict the number of CVEs in the NVD a year in advance to within 3% of the actual value.

It is a technical paper, so they go over prior research, the data they used, and their formulas / model for forecasting. Impressively, Figure 14 in the paper (see below) includes their forecast for 2021, so the model can be judged against what actually happens.

[Figure 14 from the paper: the authors’ CVE forecast for 2021]

Why is this interesting and important for security teams, including OT security teams? Because with this information teams should be able to forecast the workload required to meet the security patching commitments they are making. From the Motivation section of the paper:

The predicted volume of CVEs can be used both to inform patch strategies (prioritisation) but also resource requirement estimation. Advanced planning of required resources for patching and vulnerability management would be valuable even if maximum optimisation of resources to risk reduction is not achievable…. Which is to say, a competent risk manager can manage the uncertainty if it is stated carefully in the forecasts.

As I’ve written many times, it is a mistake to prioritize patching all, or even most, vulnerabilities in ICS (see ICS-Patch, What To Patch When). However, whatever you select as your ICS patching policy, you should meet this policy. Policies are not desires or goals. They are filled with must and shall mandatory requirements that must be met and should be audited. 

The gap between the patching policy and patching reality is quite large for most asset owners, certainly in OT and often in IT as well. This is most often due to a lack of the appropriately skilled resources and tools needed to achieve the policy. A policy that may be unwise by an efficient-risk-reduction criterion gets set anyway, because the level of resources committed to it, a level that is bound to fall short of the policy, is considered acceptable.

While the chart above is for the population of vulnerabilities for a year, the paper discusses how this same model can be used to predict the vulnerabilities for an application, asset, or system. The authors admit the predictions could be less accurate for an ICS that has not been subject to as much scrutiny. From the paper: “It is challenging for the model to predict something entirely new which has either not previously existed or has been at zero for a long time.” This is becoming less of an issue as even the DCS that have avoided the researchers are now seeing vulnerabilities reported.

The next step is to understand the level of resources required to apply the forecasted security patches. This will be higher for ICS than for most enterprise systems and assets due to the well-worn issue of fragility. And of course any mission critical “T” requires the proper testing and rollback/recovery capability for patches that fail. With the level of effort known, asset owners can realistically evaluate the chance of their security patching policy being met.
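To make the forecast-to-workload chain concrete, here is an added example (my own illustration, not code from the paper or from Airbus). It uses a plain least-squares linear trend as a stand-in for the authors’ model, applies their stated 3% error band to the forecast, and turns the result into a required-FTE figure that can be checked against what the team actually has. The annual counts, the applicable/in-policy fractions, the hours per patch (higher for ICS to cover test and rollback preparation) and the staffing levels are all constructed, hypothetical planning assumptions, not NVD data or real inventories.

```python
"""Added example: forecast annual CVE volume, then ask whether a patching policy
is credible given the staff available. Not the paper's model or data."""
from dataclasses import dataclass

# Constructed annual CVE counts for the illustration. These are NOT NVD figures.
HISTORY = {2016: 10_000, 2017: 12_000, 2018: 13_000, 2019: 15_000, 2020: 16_000}


def linear_forecast(history: dict, target_year: int) -> float:
    """Least-squares linear trend over the history, extrapolated to target_year.

    A transparent stand-in for the paper's forecasting model so the example runs
    offline; it is not the authors' method.
    """
    years = sorted(history)
    n = len(years)
    mean_x = sum(years) / n
    mean_y = sum(history[y] for y in years) / n
    sxx = sum((y - mean_x) ** 2 for y in years)
    sxy = sum((y - mean_x) * (history[y] - mean_y) for y in years)
    slope = sxy / sxx
    return mean_y + slope * (target_year - mean_x)


@dataclass(frozen=True)
class PatchProfile:
    """Planning parameters for one environment. Every value here is hypothetical."""
    name: str
    applicable_fraction: float      # share of all CVEs that touch assets in this inventory
    in_policy_fraction: float       # share of applicable CVEs the policy says "shall" be patched
    hours_per_patch: float          # end-to-end effort incl. test, rollback prep, change control
    fte_available: float            # staff-years the team can really commit to patching
    productive_hours_per_fte: float = 1600.0


# ICS: few CVEs apply, but each patch carries the fragility/testing overhead.
ICS = PatchProfile("ICS", applicable_fraction=0.02, in_policy_fraction=0.5,
                   hours_per_patch=16.0, fte_available=1.0)
# Enterprise IT: more CVEs apply, far less effort per patch.
ENTERPRISE = PatchProfile("Enterprise IT", applicable_fraction=0.05, in_policy_fraction=0.3,
                          hours_per_patch=2.0, fte_available=0.5)


def required_fte(cve_volume: float, p: PatchProfile) -> float:
    """Staff-years needed to apply every patch the policy mandates at this CVE volume."""
    patches = cve_volume * p.applicable_fraction * p.in_policy_fraction
    return patches * p.hours_per_patch / p.productive_hours_per_fte


def assess_policy(history: dict, target_year: int, p: PatchProfile,
                  error_band: float = 0.03) -> dict:
    """Forecast the year's CVE volume, propagate the error band, compare to capacity."""
    mid = linear_forecast(history, target_year)
    low, high = mid * (1 - error_band), mid * (1 + error_band)
    fte_low, fte_mid, fte_high = (required_fte(v, p) for v in (low, mid, high))
    return {
        "profile": p.name,
        "forecast_cves": round(mid),
        "fte_required": (round(fte_low, 2), round(fte_mid, 2), round(fte_high, 2)),
        "fte_available": p.fte_available,
        # Plan to the top of the band: a "shall" requirement is only credible if the
        # team can absorb the high-side forecast, not just the point estimate.
        "policy_credible": p.fte_available >= fte_high,
    }


if __name__ == "__main__":
    for profile in (ICS, ENTERPRISE):
        print(assess_policy(HISTORY, 2021, profile))
```

With these assumptions the ICS team needs roughly 1.8 staff-years against 1.0 committed, so the policy as written will not be met and should either be narrowed or resourced; the enterprise profile comes out comfortably inside capacity. Note that the 3% band covers only the forecast’s own error; the bigger uncertainty in practice is usually your estimate of how many CVEs actually apply to your inventory, which this example treats as a fixed input.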