Industrial control system (ICS) operators are disappointed with their vendors after a new study reveals that 35% of CVEs published in the second half of 2022 still do not have patches available.
Synsaber’s ICS vulnerabilities In our 2H22 report, we analyzed 926 CVEs reported through the Cybersecurity and Infrastructure Security Agency (CISA) ICS Advisories in the second half of 2022.
As a result, ICS asset owners have not only had to contend with an increase in published CVEs (up 36% from 681 reported in the first half), but often without vendor updates. It turns out that the system is open to the public. .
SynSaber claimed that delays were often due to the fact that “original equipment manufacturer (OEM) vendors have rigorous patch testing, approval, and installation processes.”
However, even when patches become available, ICS asset owners can struggle to update their systems in a timely manner.
“In addition to waiting for the next maintenance cycle, operators will have to consider interoperability and warranty limitations for environment-wide changes,” the report claims.
On a more positive note, SynSaber argued that only one-fifth (22%) of published CVEs in late 2022 should be prioritized for patching. This is down from 41% over the last six months.
Approximately 11% of CVEs published in the second half of 2022 will require local-user interaction for successful exploitation, and 25% will require user interaction regardless of network availability.
Patching is critical given the increasing threats targeting critical infrastructure sectors running ICS equipment, in part due to the war in Ukraine.
In a new report, Nozomi Networks claimed that manufacturing and energy will be the most vulnerable industries in the second half of 2022, followed by water and sewerage, healthcare and transportation systems.
The company said its honeypots detected 5,000 attacks against operational technology (OT) and IoT systems in July, October, and December, respectively.
Roya Gordon, OT/IoT Security Research Evangelist at Vendor, said:
“As cyber threats evolve and intensify, it is important for organizations to understand how threat actors are targeting OT/IoT and the actions required to protect critical assets from threat actors. .”
