CISA released two Industrial Control Systems (ICS) advisories on August 15, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 

• ICSA-23-227-01 Schneider Electric EcoStruxure Control Expert, Process Expert, Modicon
• ICSA-23-227-02 Rockwell Automation Armor PowerFlex

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2023-38180 Microsoft .NET Core and Visual Studio Denial of Service Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column—which will sort by descending dates.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Microsoft’s August 2023 Security Update Guide and apply the necessary updates.

CISA released two Industrial Control Systems (ICS) advisories on August 8, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 

• ICSA-23-220-01 Schneider Electric IGSS
• ICSA-23-220-02 Hitachi Energy RTU500 series

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Today, CISA released a strategic plan to lay out how we will fulfill our cybersecurity mission over the next three years. The CISA Cybersecurity Strategic Plan aligns the following nine objectives to specific enabling measures and measures of effectiveness to drive accountability:

• Increase visibility into, and ability to disrupt, cybersecurity threats and campaigns
• Coordinate disclosure of, hunt for, and drive mitigation of critical and exploitable vulnerabilities
• Plan for, exercise, and execute joint cyber defense operations and coordinate the response to significant cybersecurity incidents
• Understand how attacks really occur—and how to stop them
• Drive implementation of measurably effective cybersecurity investments
• Provide cybersecurity capabilities and services that fill gaps and help measure progress
• Drive development of trustworthy technology products
• Understand and reduce cybersecurity risks posed by emergent technologies
• Contribute to efforts to build a national cyber workforce

Learn more about CISA’s Cybersecurity Strategic Plan at https://www.cisa.gov/cybersecurity-strategic-plan.