According to SynSaber, the number of disclosed industrial control system (ICS) vulnerabilities has grown by almost 70% over the past three years, and more than one-fifth are still unpatched by manufacturers.
Security vendors analyzed recommendations published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) between January 1, 2020 and December 31, 2022 to determine how dangerous industrial plant owners are. I understood what I was exposed to.
There was a 67% increase in the number of ICS advisories reported by CISA between 2020 and 2021, and another 2% increase in the following year.
An increase in CVE is not a bad thing street SynSaber’s report claims it may indicate that product security teams are increasing internal reporting and exposing vulnerabilities to the community.
However, the lack of vendor patches may exacerbate cyber risks for industrial asset owners in critical infrastructure sectors such as transportation and utilities. Even when available, security updates in these environments are not always easy to apply due to system uptime requirements and legacy software compatibility concerns.
“It’s important to remember that we don’t just patch ICS. In addition to operational barriers to entry, there are many practical challenges in updating industrial systems. Not only are there software components to update, but there are also device firmware and architecture challenges that may involve updating entire protocols.”
“Each has a level of risk to consider when prioritizing activities. there is. “
However, it should also be noted that while 21% of CVEs reported in the last three years do not currently have patches available, not all vulnerabilities are easily exploitable. SynSaber explained that on average about a quarter of the CVEs published during this period required user interaction to exploit.
“Due to the operational and architectural nature of industrial control systems, network accessibility and potential user interactions are less likely than in enterprise IT,” the report claims.
However, exploiting system vulnerabilities is not the only way attackers can cause problems for asset owners.
“Given the nature, or lack thereof, of industrial embedded security, access to industrial networks equates to control. Exploiting vulnerabilities to attack processes is not often necessary,” the report claims. .
