A look at the ICS vulnerabilities CISA has catalogued in 2H 2022.
Analysis of ICS CVEs catalogued in 2H 2022.
SynSaber has published a report looking at industrial control system (ICS) vulnerabilities catalogued by the US Cybersecurity and Infrastructure Security Agency (CISA) in the second half of 2022.
More than a third of vulnerabilities don’t have a patch available.
The researchers found that 35% of vulnerabilities disclosed in 2H 2022 don’t currently have a patch available, and 33% will require a firmware update. Additionally, 43% of vulnerabilities were discovered by security researchers rather than the equipment manufacturers. The researchers also note that 22% of the vulnerabilities “require local or physical access to the system in order to exploit (up from 23% during the first half of the year).”
Difficulties of patching ICS assets.
SynSaber offers the following observations about the ICS patching process:
“Generally speaking, it is less complicated to apply a software patch than a firmware upgrade, and protocol changes affect not just a single device but entire architectures. A significant number of industrial devices can only be updated via a firmware image flash that may contain changes to functionality in addition to remediating security, let alone the risk of “bricking” a device during the process.
“Even if there is a software or firmware patch available, asset owners still face a number of constraints. One cannot simply patch ICS. Original Equipment Manufacturer (OEM) vendors often have strict patch testing, approval, and installation processes that delay any updates. Operators must consider interoperability and warranty restrictions to environment-wide changes in addition to waiting for the next maintenance cycle.”