The number of published industrial control system (ICS) vulnerabilities has grown by almost 70% in the past three years, with over a fifth still not patched by manufacturers, according to SynSaber.
The security vendor analyzed advisories published by the US Cybersecurity and Infrastructure Security Agency (CISA) between January 1 2020 and December 31 2022 in order to understand how badly industrial plant owners are exposed.
It noted a 67% rise in the number of ICS advisories reported by CISA between 2020 and 2021 and a further 2% increase the following year.
The increase in CVEs is not a bad thing per se as it could indicate product security teams are increasing their internal reporting and public disclosure of vulnerabilities to the community, SynSaber’s report argued.
However, the lack of vendor patches may be compounding cyber risk for industrial asset owners in critical infrastructure sectors like transportation and utilities. Even when they’re available, security updates in these environments aren’t always easy to apply due to requirements around system uptime and concerns over legacy software compatibility.
“It’s key to remember that one does not simply patch ICS. In addition to the operational barriers to entry, there are a number of practical challenges to updating industrial systems. ICS has not only software components to update but also device firmware and architectural challenges that may involve updating whole protocols,” said Ron Fabela, SynSaber CTO.
“Each has a level of risk that should be considered when prioritizing activities. For example, upgrading device firmware may come with a significant risk of ‘bricking’ the system, which could be hard to recover.”
However, while 21% of CVEs reported over the past three years currently have no patch available, it should also be noted that not all vulnerabilities are easily exploitable. SynSaber explained that an average of around a quarter of CVEs published over the period require user interaction to exploit.
“Due to the nature of industrial control system operations and architecture, network accessibility and potential user interaction both have a lower probability of occurrence vs. Enterprise IT,” the report claimed.
That said, system vulnerability exploitation isn’t the only way threat actors can cause trouble for asset owners.
“Given the nature of industrial built-in security, or the lack thereof, access to the industrial network equals control. Vulnerabilities are not often needed to be exploited in order to attack a process,” the report argued.