A third of ICS vulnerabilities have no patch available

Industrial internet of things

New research, from ICS/OT cybersecurity firm SynSaber, has analyzed over 900 CVEs reported in industrial control systems in the second half of 2022 and finds that 35 percent have no patch or remediation available.

Only 56 percent of the CVEs have been reported by the original equipment manufacturer (OEM), while 43 percent have been submitted by security vendors and independent researchers. A firmware update is required to fix 33 percent.

The research finds that 28 percent of the CVEs require local or physical access to the system in order to exploit (up from 23 percent during the first half of the year). 104 of the 926 CVEs examined (11.23 percent) require both local/physical access and user interaction for the vulnerability to be successfully exploited. 230 (24.84 percent) need user interaction regardless of network availability.

The report points out that while having an awareness of vulnerabilities in ICS is important, understanding what can and cannot be done to remediate them is vital.
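An added illustration, not part of the article or the SynSaber report: a small triage routine that records the attributes the report breaks CVEs down by (remediation available, firmware required, local/physical access, user interaction), buckets each advisory for a defender, and computes the same kind of percentages the article quotes. The advisory records and CVE ids are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class IcsAdvisory:
    """One ICS CVE as an asset owner would record it from an advisory."""
    cve_id: str               # placeholder ids below, not real CVE numbers
    patch_available: bool     # vendor patch or other remediation published
    needs_firmware: bool      # fix requires a firmware update (maintenance window)
    local_access: bool        # local or physical access needed to exploit
    user_interaction: bool    # a user must act for exploitation to succeed


def triage_bucket(adv: IcsAdvisory) -> str:
    """Map an advisory to a defender-facing bucket using the report's attributes."""
    if not adv.patch_available:
        return "forever-day"          # nothing to patch: track, segment, monitor
    if adv.local_access and adv.user_interaction:
        return "low"                  # both hurdles must be cleared by an attacker
    if adv.local_access or adv.user_interaction:
        return "medium"
    return "high"                     # reachable over the network, no interaction


ORDER = {"high": 0, "medium": 1, "low": 2, "forever-day": 3}


def prioritize(advisories):
    """Patchable, network-reachable issues first; firmware fixes later within a bucket."""
    key = lambda a: (ORDER[triage_bucket(a)], a.needs_firmware, a.cve_id)
    return [a.cve_id for a in sorted(advisories, key=key)]


def summarize(advisories):
    """Percentages in the same shape as the figures quoted in the article."""
    total = len(advisories)
    pct = lambda n: round(100.0 * n / total, 2)
    return {
        "total": total,
        "no_patch_pct": pct(sum(not a.patch_available for a in advisories)),
        "firmware_pct": pct(sum(a.needs_firmware for a in advisories)),
        "local_pct": pct(sum(a.local_access for a in advisories)),
        "local_and_ui_pct": pct(sum(a.local_access and a.user_interaction for a in advisories)),
        "ui_pct": pct(sum(a.user_interaction for a in advisories)),
        "buckets": dict(Counter(triage_bucket(a) for a in advisories)),
    }


# Constructed sample set for illustration; ids are placeholders, not real CVEs.
SAMPLE = [
    IcsAdvisory("CVE-EXAMPLE-1", True, False, False, False),
    IcsAdvisory("CVE-EXAMPLE-2", False, False, False, False),
    IcsAdvisory("CVE-EXAMPLE-3", True, True, True, True),
    IcsAdvisory("CVE-EXAMPLE-4", True, False, False, True),
    IcsAdvisory("CVE-EXAMPLE-5", False, True, True, False),
    IcsAdvisory("CVE-EXAMPLE-6", True, True, True, False),
    IcsAdvisory("CVE-EXAMPLE-7", True, False, False, False),
    IcsAdvisory("CVE-EXAMPLE-8", False, False, False, True),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(prioritize(SAMPLE))
```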

The report's authors conclude:

The volume of CVEs reported via CISA ICS Advisories and other entities is not likely to decrease. It's important for asset owners and those defending critical infrastructure to understand when remediations are available, and how those remediations should be implemented and prioritized.

Merely looking at the sheer volume of reported CVEs may cause asset owners to feel overwhelmed, but the figures seem less daunting when we understand what percentage of CVEs are pertinent and actionable, vs. which will remain 'forever-day vulnerabilities,' at least for the time being.

The full report is available from the SynSaber site.


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.