Every now and then, one of our members contacts us to say that they have received a vulnerability report from a manufacturer but aren’t sure what it means for them.

When the report relates to elements of critical energy infrastructure, that can be worrying. Am I affected? How serious is the vulnerability, how easy to patch? What could be the consequences? Not being able to answer those questions is likely to make any utility executive anxious.

When we receive these calls, we do our best to help our members decode exactly what the report means in practice.

Our penetration testers have access to our unique testing environment as well as real-world knowledge of how devices are really used in the field. Sometimes we even have the devices in question in the office! Using these resources, we can unpack what the vulnerability is and how serious the threat is and help our members mitigate it.

Sometimes a report that sounds alarming at first turns out to be a relatively minor issue, other times technical language obscures a much more serious problem.

Communication is absolutely vital for successful cyber security and one of our core principles as a network is to facilitate knowledge and information sharing across our membership. Often, utilities will use similar systems and equipment so an understanding of vulnerabilities in-common is important.

That’s why we are making our decoded reports available to all members via the membership portal. Currently, members can access reports relating issues affecting specific RTUs (remote terminal units) and protection relays. In future, we will produce more based on member requests and expressions of interest.

As vulnerabilities in ICSs (industrial control systems) increase, it’s vital that utilities understand when and how they are affected.

So, if you’re a member (or thinking of becoming one!) and have a suggestion for a vulnerability report for us to help with, get in touch.