Over a Third of Recent ICS Bugs Still Have No Vendor Patch

Industrial control system (ICS) operators are being let down by their vendors, after new research revealed that 35% of CVEs published in the second half of 2022 still have no available patch.

SynSaber’s ICS Vulnerabilities report for H2 2022 analyzed the 926 CVEs reported via Cybersecurity and Infrastructure Security Agency (CISA) ICS Advisories in the second half of 2022.

It found that, not only have ICS asset owners had to contend with an increase in published CVEs – up 36% from the 681 reported in the first half of the year – but in many cases their systems are exposed due to a lack of vendor updates.

SynSaber argued that delays are often due to the fact that “Original Equipment Manufacturer (OEM) vendors often have strict patch testing, approval and installation processes.”

However, even when patches are available, ICS asset owners can struggle to update systems in a timely manner.

“Operators must consider interoperability and warranty restrictions to environment-wide changes in addition to waiting for the next maintenance cycle,” the report argued.

On a more positive note, SynSaber claimed that just a fifth (22%) of the CVEs published in the second half of 2022 should be prioritized for patching, down from 41% in the previous six months.

That’s down in part to the probability of exploitation: it claimed around 11% of CVEs published in H2 2022 require both local access and user interaction for successful exploitation, while 25% require user interaction regardless of network availability.

Patching is critically important, given the uptick in threats targeting critical infrastructure sectors which run ICS equipment, driven in part by the war in Ukraine.

Nozomi Networks claimed in a new report that manufacturing and energy were the most vulnerable industries in the second half of 2022, followed by water/wastewater, healthcare and transportation systems.

The firm said its honeypots detected 5000 attacks on operational technology (OT) and IoT systems in each of July, October and December.

“Railways, in particular, have been subject to attacks, leading to the implementation of measures designed to protect rail operators and their assets,” explained the vendor’s OT/IoT security research evangelist, Roya Gordon.

“As cyber-threats evolve and intensify, it is important for organizations to understand how threat actors are targeting OT/IoT and the actions required to defend critical assets from threat actors.”
