
Why Data Quality in CSAF Matters for OT Cybersecurity

In the world of OT cybersecurity, where vulnerabilities can compromise critical infrastructure, data quality is paramount. The Common Security Advisory Framework (known as CSAF) is an important tool in this space, enabling security teams to quickly access machine-readable, structured information about vulnerabilities and their remediations. 

However, for CSAF to be truly effective, the data provided in a vendor advisory must be consistent and accurate. 

In this article, we will explore why data quality in CSAF is crucial and how vendors and OEMs can adopt best practices to ensure that CSAF data is accurate, accessible, and actionable.

Why OEMs and Vendors Should Adopt the CSAF Framework

The benefit of CSAF to the teams and tools that consume advisories is clear. But why should OEMs and vendors adopt it on the publishing side?

First and foremost, CSAF improves product security. When vendors publish structured, machine-readable advisories, their customers can ingest them automatically and act faster, and the data arrives in a form that is actionable rather than something to be re-typed from a web page or PDF. This directly improves the security posture of the OT systems those products are part of.

Vulnerabilities in OT systems can be exploited in a matter of days. The sooner security teams can access and act on vulnerability information, the less time attackers have to exploit it.

Second, a structured format reduces information overload for both the team writing the advisory and the customers consuming it. Changing formats carries some upfront cost and change management, but moving to a streamlined, machine-readable framework gives OEMs long-term productivity gains.

Cybersecurity professionals are also overwhelmed with information. Between patches, vulnerability reports, and security advisories, it is easy for critical details to be missed. CSAF reduces the manual work needed to interpret a vulnerability report and allows faster, more accurate decision-making.

The Correct Usage of the CSAF Framework

But in order to truly benefit from CSAF, vendors need to use it correctly. Here’s what that looks like in practice:

  1. Version Information: One of the most critical aspects of CSAF is stating affected and fixed versions inside the advisory itself, in the product tree and remediation entries rather than only in free text or behind a link. In OT environments, connectivity to external links may be limited, so version information must be embedded directly in the advisory wherever possible.

  2. Properly Using the URL Field: When more information is necessary, vendors should use the URL field of the remediation (or of a reference) to link directly to the patch or to the specific remediation details for that vulnerability. A link to a general landing page is not enough: customers need actionable data immediately, and a direct link to the patch download or the exact remediation steps saves time and ensures the right action is taken.

  3. Filling the Schema Properly: The CSAF schema defines where each piece of information belongs: which products are affected, in what state (affected, fixed, not affected), and what the remediation is. Read the schema and place each item in the field designed for it rather than pushing everything into free-text notes; a consumer's tooling can only act on what lands in the structured fields.
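
To make the three points above concrete, here is an added example (not from this article or from any vendor's CSAF tooling) showing a constructed, minimal CSAF 2.0 advisory that carries affected and fixed versions in `product_version` branches of the product tree and a direct patch link in a `vendor_fix` remediation, together with the consumer-side code that extracts what an OT team needs and a small lint pass that flags the anti-patterns discussed. The vendor, product names, product IDs, versions, URLs and tracking ID are placeholders; the "direct link" test is a heuristic on URL path depth, not a CSAF rule.

```python
"""Consumer-side view of a CSAF 2.0 advisory: what the file must carry so an
OT team can act without following external links. Added example for this
article, not vendor code; ADVISORY is a constructed subset of the CSAF 2.0
structure, and its vendor, products, IDs, versions and URLs are placeholders."""
import copy
from urllib.parse import urlparse

# Versions live in product_version branches; the vendor_fix links straight
# to the patch artefact. The "title" stands in for a real advisory's cve field.
ADVISORY = {
    "document": {"category": "csaf_security_advisory", "csaf_version": "2.0",
                 "title": "Example advisory (constructed)",
                 "tracking": {"id": "EXAMPLE-2024-001", "status": "final", "version": "1"}},
    "product_tree": {"branches": [{"category": "vendor", "name": "Example Vendor", "branches": [
        {"category": "product_family", "name": "Example Controllers", "branches": [
            {"category": "product_name", "name": "Example Controller X1", "branches": [
                {"category": "product_version", "name": "2.0",
                 "product": {"name": "Example Controller X1 2.0", "product_id": "CSAFPID-0001"}},
                {"category": "product_version", "name": "2.1",
                 "product": {"name": "Example Controller X1 2.1", "product_id": "CSAFPID-0002"}},
            ]}]}]}]},
    "vulnerabilities": [{
        "title": "Example vulnerability (placeholder)",
        "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]},
        "remediations": [{"category": "vendor_fix", "details": "Update to version 2.1.",
                          "product_ids": ["CSAFPID-0001"],
                          "url": "https://vendor.example/downloads/example-controller-x1/2.1/firmware.bin"}],
    }],
}

# Degraded copy: the remediation points at the site root, the "general page"
# anti-pattern the article describes.
WORST_CASE = copy.deepcopy(ADVISORY)
WORST_CASE["vulnerabilities"][0]["remediations"][0]["url"] = "https://vendor.example/"


def flatten_product_tree(tree):
    """Map product_id -> {branch category: name} along the path to that product."""
    products = {}

    def walk(branches, path):
        for branch in branches:
            here = dict(path, **{branch["category"]: branch["name"]})
            if "product" in branch:
                products[branch["product"]["product_id"]] = here
            walk(branch.get("branches", []), here)

    walk(tree.get("branches", []), {})
    return products


def is_direct_link(url):
    """Heuristic, not a CSAF rule: a usable remediation URL names a specific
    resource (two or more path segments), not a site root or landing page."""
    parsed = urlparse(url)
    segments = [s for s in parsed.path.split("/") if s]
    return parsed.scheme in ("http", "https") and len(segments) >= 2


def actionable_fixes(doc):
    """Per affected product: affected version, fixed version(s) and patch URL,
    all read from structured fields, never from prose or a linked page."""
    products = flatten_product_tree(doc["product_tree"])
    rows = []
    for vuln in doc["vulnerabilities"]:
        fixed_ids = vuln.get("product_status", {}).get("fixed", [])
        fixed = sorted(products[p].get("product_version", "?") for p in fixed_ids)
        for rem in vuln.get("remediations", []):
            if rem.get("category") != "vendor_fix":
                continue
            for pid in rem.get("product_ids", []):
                path = products[pid]
                rows.append({"product": path.get("product_name"),
                             "affected_version": path.get("product_version"),
                             "fixed_versions": fixed, "url": rem.get("url")})
    return rows


def lint(doc):
    """Data-quality findings a vendor should clear before publishing."""
    findings = []
    for pid, path in flatten_product_tree(doc["product_tree"]).items():
        for cat in ("product_family", "product_name", "product_version"):
            if cat not in path:
                findings.append(f"{pid}: no {cat} branch on its path")
    for vuln in doc["vulnerabilities"]:
        tag = vuln.get("cve") or vuln.get("title", "<untitled>")
        rems = vuln.get("remediations", [])
        for rem in rems:
            if rem.get("category") != "vendor_fix":
                continue
            url = rem.get("url")
            if not url:
                findings.append(f"{tag}: vendor_fix without url")
            elif not is_direct_link(url):
                findings.append(f"{tag}: url is a generic page: {url}")
        for pid in vuln.get("product_status", {}).get("known_affected", []):
            if not any(pid in r.get("product_ids", []) for r in rems):
                findings.append(f"{tag}: {pid} affected but has no remediation")
    return findings
```

Calling `actionable_fixes(ADVISORY)` yields one row with the affected version 2.0, the fixed version 2.1 and the firmware URL, all without leaving the file; `lint(ADVISORY)` is empty, while `lint(WORST_CASE)` reports the generic-page URL. To run the same checks against a real feed, load an advisory with `json.load` and pass it in place of `ADVISORY`. This is a structural check only; full validation should still be done against the official CSAF 2.0 JSON schema.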

Inconsistencies Within CSAF Feeds

While CSAF is an invaluable tool, inconsistencies in how it is used create challenges for security teams trying to respond to vulnerabilities. For example, we recently found an issue when dealing with a vulnerability related to EcoStruxure™ Control Expert. The trademark symbol was used inconsistently, once as the symbol and once as the plain letters “TM”, so the two references did not match as the same product string.

Similarly, we have encountered vendors that list several products as if they were a single product name. For instance, “SIMATIC HMI Comfort Panels, HMI Multi Panels, HMI Mobile Panels (incl. SIPLUS variants)” names three separate product families in one string, yet a later advisory refers to “SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants)” on its own. Ideally, vendors would follow a standardized convention for what they designate as a single product versus a product family.

Ideally, a product tree would follow the hierarchy that CSAF's branch categories already provide: product family (product_family) -> product name, the individual product (product_name) -> product version (product_version) -> etc., with each level a separate branch rather than a single name that bundles several products.

Inconsistent naming like this makes it harder for security teams to track vulnerabilities and accurately assess risk across their systems, because matching an advisory to an asset inventory depends on the product string. Vendors need to keep naming conventions and product identifiers consistent across all CSAF files to avoid confusion and improve the overall effectiveness of the framework.
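
As an added example (not the article's or any vendor's code), the following script applies the normalisation this section calls for to the spellings quoted above plus constructed variants: it strips trademark marks so the two EcoStruxure references compare equal, splits a bundled name into its separate families, derives a family-level key that groups a sized product name under its family, and reports any key that appears under more than one spelling across advisories. The mark-stripping, splitting, prefix-inheritance and size-range rules are heuristics written for these examples, not CSAF semantics, and the advisory IDs in the sample are placeholders.

```python
"""Reconciling inconsistent product names across CSAF advisories.

Added example for this article, not vendor code. SAMPLE holds the spellings
the article quotes plus constructed variants; the mark-stripping, splitting,
prefix-inheritance and size-range rules are heuristics, not CSAF semantics."""
import re
from collections import defaultdict

# Trademark marks in the forms the article describes: the symbol, "(TM)", or
# the bare letters TM either as a word or fused onto a lowercase name.
_MARK_SYMBOLS = re.compile(r"[™®]|\((?:tm|r)\)", re.IGNORECASE)
_MARK_LETTERS = re.compile(r"(?<=[a-z])TM\b|\bTM\b")
# Trailing qualifier such as "(incl. SIPLUS variants)".
_QUALIFIER = re.compile(r"\s*\((incl\.[^)]*)\)\s*$", re.IGNORECASE)
# Trailing panel size range such as 4" - 22" (distinguishes a product from its family).
_SIZE_RANGE = re.compile(r'\s+\d+(?:\.\d+)?"?\s*-\s*\d+(?:\.\d+)?"\s*$')


def canonical(name):
    """Comparison key: marks removed, whitespace collapsed, case folded."""
    s = _MARK_LETTERS.sub(" ", _MARK_SYMBOLS.sub(" ", name))
    return " ".join(s.split()).casefold()


def split_conjoined(name):
    """Split 'A, B, C (incl. X)' into ['A (incl. X)', 'B (incl. X)', 'C (incl. X)'].

    The trailing qualifier is applied to every item, and an item that lacks the
    first item's leading token (e.g. 'SIMATIC') inherits it.
    """
    qualifier = ""
    match = _QUALIFIER.search(name)
    if match:
        qualifier = f" ({match.group(1)})"
        name = name[: match.start()]
    items = [i.strip() for i in re.split(r",\s*|\s+and\s+", name) if i.strip()]
    if len(items) <= 1:
        return [name.strip() + qualifier]
    prefix = items[0].split()[0]
    return [(item if item.startswith(prefix) else f"{prefix} {item}") + qualifier
            for item in items]


def family_key(name):
    """Family-level key: qualifier and trailing size range removed, then canonical()."""
    return canonical(_SIZE_RANGE.sub("", _QUALIFIER.sub("", name)))


def _group(advisories, key):
    """Group every (split) product name across advisories by key(name)."""
    groups = defaultdict(set)
    for names in advisories.values():
        for raw in names:
            for name in split_conjoined(raw):
                groups[key(name)].add(name)
    return {k: sorted(v) for k, v in groups.items()}


def inconsistencies(advisories):
    """Canonical keys seen under more than one spelling: what the vendor should fix."""
    return {k: v for k, v in _group(advisories, canonical).items() if len(v) > 1}


def families(advisories):
    """Every product name, grouped under its family-level key."""
    return _group(advisories, family_key)


# Constructed sample: the article's spellings spread over four advisory IDs
# (the IDs are placeholders).
SAMPLE = {
    "ADV-A": ["EcoStruxure™ Control Expert"],
    "ADV-B": ["EcoStruxure TM Control Expert"],
    "ADV-C": ["SIMATIC HMI Comfort Panels, HMI Multi Panels, HMI Mobile Panels (incl. SIPLUS variants)"],
    "ADV-D": ['SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants)'],
}
```

On the sample, `inconsistencies(SAMPLE)` reports only the EcoStruxure key, with both spellings listed, and `families(SAMPLE)` places the plain Comfort Panels family and the 4" - 22" product under one family key while keeping them distinct product names. Normalising on the consumer side is a workaround; the point of the section stands, which is that the vendor should publish one spelling and one branch per product so that no such reconciliation is needed.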

Examples of Best and Worst CSAF Implementation

To highlight the importance of following best practices, let’s look at how a few different vendors implement CSAF:

  1. Worst Case: Cisco has been known to link to a general page in its CSAF advisories, so users are still left to search manually for the actual patch. This leads to unnecessary delay and confusion, especially when critical patches are required to protect OT systems from exploitation.
  2. Better: Oracle provides a lot of good data in its CSAF files, but the URL it includes for information on the patched version requires a login. While this is a step up from Cisco's approach, requiring credentials still adds friction. Ideally, the patched version would be included directly in the field.
  3. Best Case: Siemens and Schneider provide complete, actionable data: they include version details and direct links to patch downloads. This makes it easy for security teams to assess the situation quickly and apply the necessary fixes without delay.

Conclusion: The Effectiveness of CSAF Depends on Data Quality

Adoption of the CSAF framework has become essential for cybersecurity in critical infrastructure. But there is little point in implementing a framework like this without using it properly. To unlock the full potential of CSAF, vendors and OEMs must publish high-quality, accurate, and complete data. By following best practices in how they report vulnerabilities, provide patch information, and keep product naming consistent, vendors enable faster response times, better vulnerability management, and ultimately improved security across OT environments.

Dakota Dale
Full-Stack Developer