Vulnerabilities in industrial control systems are on the increase
The number of CVEs reported via ICS advisories has increased each year, with 2020-2021 seeing a 67.3 percent increase in CISA ICS CVEs, while 2021-2022 saw a two percent increase, according to a new report from SynSaber.
The growing volume of vulnerabilities highlights continued efforts to secure the ICS systems critical to a nation's energy, manufacturing, water, and transportation infrastructure. There is also a growing focus on regulation, which means operators in critical infrastructure are under more pressure to analyze, mitigate, and report on new and existing vulnerabilities.
"The volume of ICS vulnerabilities reported is growing at an exponential rate, creating more alert fatigue and potential apathy within the ICS/OT ecosystem," says Jori VanAntwerp, SynSaber's co-founder and CEO. "This report highlights the great work being done by manufacturers, CISA, researchers, and vendors to disclose vulnerabilities, while recognizing the need for more context around these CVEs to determine what should be patched and remediated in order to protect our national security and infrastructure."
Over the three-year period from 2020, a worrying 21.2 percent of the CVEs reported currently have no patch or remediation available. A requirement for user interaction in order to exploit the vulnerability is present in an average of one-quarter of all CVEs released since 2020 (22 percent in 2020, 35 percent in 2021, 29 percent in 2022).
"It's key to remember that one does not simply patch ICS. In addition to the operational barriers to entry, there are a number of practical challenges to updating industrial systems. ICS has not only software components to update but also device firmware and architectural challenges that may involve updating whole protocols," says Ron Fabela, SynSaber's co-founder and CTO. "Each has a level of risk that should be considered when prioritizing activities. For example, upgrading device firmware may come with a significant risk of 'bricking' the system, which could be hard to recover."
The full report is available from the SynSaber site.