Dragos has announced it has been designated by the CVE Program as a CVE Numbering Authority (CNA). As a CNA, Dragos is authorized to assign CVE IDs to newly discovered vulnerabilities and publicly disclose information about these vulnerabilities through CVE Records. This includes assigning CVE IDs to vulnerabilities found in the company’s own products as well as any third-party products not covered by another CNA that Dragos finds through its ongoing research to help organizations protect their ICS/OT systems.
As cyber threats to critical infrastructure and industrial organizations increase, it is critical that ICS/OT vulnerabilities are identified, assigned, and published consistently to the CVE List. The addition of Dragos as a CNA will support the industrial community in getting the timely, accurate, and actionable information they need.
“Dragos has the largest and most experienced team of OT threat hunters, researchers, and analysts in the world,” said Ben Miller, vice president of services at Dragos. “Vulnerabilities are already incorporated into the Dragos Platform, but the CNA designation will enhance our ability to quickly, clearly, and accurately communicate vulnerability information to the broader industrial community.”
Dragos OT-CERT (Operational Technology-Cyber Emergency Readiness Team)—a free cybersecurity resource for industrial asset owners and operators designed to address the OT resource gap that exists in industrial infrastructure—will coordinate with original equipment manufacturers (OEMs) regarding disclosures for vulnerabilities discovered by Dragos threat intelligence researchers, as well as cyber threats detected by Dragos targeted at the OEMs’ products. OEM partnerships are critical to coordinated vulnerability disclosures and effective threat response to protect and support industrial infrastructure in the escalating cyber threat environment. Newly assigned CVE IDs and corrections to existing inaccurate or incomplete CVE records will be publicly disclosed through OT-CERT in accordance with Dragos’s Vulnerabilities Policy.
The CVE Program is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (DHS) and is operated by the MITRE Corporation in close collaboration with international industry, academic, and government stakeholders. It is an international, community-based effort with a mission to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. Dragos joins a growing list of 237 global trusted partners across 35 countries committed to strengthening the global cybersecurity community through discovering and sharing valuable cyber intelligence.