ICS/OT Cybersecurity Firm Notes 144% Rise in CVEs Reported as ICS Advisories from 2020 to 2022
SynSaber, an early-stage ICS/OT cybersecurity and asset monitoring company, announced today the release of the company’s first report, Industrial Control Systems (ICS) CVE Retrospective: 3 Years of CISA Advisories, which provides insights and analysis of CISA-issued ICS advisory CVEs over the past three years.
The number of CVEs reported via ICS Advisories has increased each year. The ever-growing volume of vulnerabilities highlights continued efforts to secure the ICS systems critical to our nation’s energy, manufacturing, water, and transportation infrastructure. But the growing focus and regulation come with additional administrative requirements for an already overstretched ICS workforce. Operators in critical infrastructure are being asked to analyze, mitigate, and report on new and existing vulnerabilities.
“The number of ICS vulnerabilities reported is growing at an exponential rate, creating more alert fatigue and potential apathy within the ICS/OT ecosystem,” said Jori VanAntwerp, SynSaber Co-Founder and CEO. “This report highlights the great work being done by manufacturers, CISA, researchers, and vendors to disclose vulnerabilities, while recognizing the need for more context around these CVEs to determine what should be patched and remediated to protect our national security and infrastructure.”
Key Findings:
- CISA Advisory numbers continue to increase: 2020-2021 saw a 67.3% increase in CISA ICS CVEs, while 2021-2022 saw a 2% increase.
- For the 3-year period, 21.2% of the CVEs reported via ICS Advisories currently have no patch or remediation available.
- Exploitation that requires user interaction is present in an average of one-quarter of all CVEs released since 2020 (22% in 2020, 35% in 2021, 29% in 2022).
“It’s key to remember that one does not simply patch ICS. In addition to operational barriers to entry, there are a number of practical challenges to updating industrial systems. ICS has not only software components to update but also device firmware and architectural challenges that may involve updating whole protocols,” said Ron Fabela, SynSaber Co-Founder and CTO. “Each has a level of risk that should be considered when prioritizing activities. For example, upgrading device firmware may come with a significant risk of ‘bricking’ the system, which could be hard to recover.”
SynSaber will provide copies of the report to attendees at the S4x23 ICS Security Conference next week in Miami, FL: https://synsaber.com/news-and-events/s4x23-ics-security-conference/
For more information on the report, please visit: https://synsaber.com/resources/industrial-cve-retrospective-2020-2021-2022