Highlights –
- It analyzes CVEs, published by the CISA in the first half of 2022, to determine the severity of vulnerabilities, the resulting impact on organizations, and who is reporting these vulnerabilities to the market and CISA.
- Around 13% of the CVEs identified in 2022 have no patch or correction currently offered by the vendor. Also, 34% require a firmware update.
SynSaber, an early-stage ICS/OT cybersecurity and asset monitoring company, announced the release of the first Industrial Control Systems (ICS) Vulnerability Report H1 2022. It analyzes the Common Vulnerabilities and Exposures (CVEs), published by the Certified Information Systems Auditor (CISA) in the first half of 2022, to determine the severity of vulnerabilities, the resulting impact on organizations, and who is reporting these vulnerabilities to the market and CISA.
It is unlikely that the number of CVEs notified via CISA ICS Advisories and other entities would decline. Asset owners and those safeguarding critical infrastructure must be aware of when remediations are available, how to implement them, and their order of priority.
Key Findings:
- Around 13% of the CVEs identified in 2022 have no patch or correction currently offered by the vendor. Also, 34% require a firmware update.
- The Original Equipment Manufacturer (OEM) reported 56% of the CVEs and security vendors, and independent researchers reported the other 42%. A government CERT and an asset owner reported the remaining two per cent.
- 23% of the CVEs need physical or local system access to exploit.
- With organization and vendor planning, 41% of the CVEs reported in 2022 can and should be given priority and addressed first.
Experts’ Take
The CTO of SynSaber, Ron Fabela, said, “The industry is being flooded by vulnerability disclosures creating panic within the security community to patch and remediate each point of exposure, which is an impossible feat. This report aims to provide a real view to the ICS industry on which CVEs teams should be paying attention to and which can be taken on as an acceptable amount of risk for the organization.”