Over a third of ICS vulnerabilities have no patch available

New research from SynSaber, along with the ICS Advisory Project, into industrial control operational technology system vulnerabilities finds that 34 percent of the CVEs reported in the first half of 2023 currently have no patch or remediation available from the vendor.

This compares to the 35 percent that had no fixes in the second half of 2022 but is a significant increase from the 13 percent in the first half of last year.

"Every OT environment is unique and purpose-built for a specific mission," says Jori VanAntwerp, SynSaber co-founder and CEO. "As a result, the likelihood of exploitation and impact will vary greatly for each organization. One thing is certain: the number of CVEs reported is likely to continue increasing over time or at least remain steady. It is our hope that this research helps asset owners prioritize when and how to mitigate vulnerabilities in accordance with their own environment."

On a positive note, the total number of CISA ICS Advisories has decreased by 9.8 percent when compared to the first half of 2022. The total number of CVEs reported via CISA ICS Advisories has also decreased, although very slightly, at a rate of 1.6 percent when compared to the first half of 2022.

Manufacturing and energy are the two critical infrastructure sectors most likely to be impacted by the CVEs reported in the first half of 2023 at 37.3 percent and 24.3 percent, respectively.

"We're thrilled to publish this research along with SynSaber," says Dan Ricci, founder of the ICS Advisory Project. "Educating and helping companies mitigate vulnerabilities as new trends and findings emerge over time is an ongoing challenge, but as a community, we must come together to better prepare and defend our world's critical infrastructure."

You can get the full ICS Vulnerabilities report from the SynSaber site.

Image credit: Scharfsinn/depositphotos.com