New ICS Vulnerabilities report highlights trends and increases in CVEs, despite fewer CISA advisories

The ICS Advisory Project (ICS[AP]) and Industrial Data Works published Wednesday their inaugural annual ICS Vulnerabilities report, which reveals a slight decrease in the total number of U.S. CISA (Cybersecurity and Infrastructure Security Agency) ICS Advisories in 2023 compared to the previous year. This trend of decreased advisories was also observed in the second half of 2023. Specifically, the number of CISA ICS advisories in the first half of 2023 was 1.6 percent lower than in the first half of 2022, although updated advisories are not included in this count.

The report found that the total number of CVEs reported in CISA ICS advisories for 2023 increased compared to 2022, a significant rise in overall CVE counts from the previous year. This analysis helps identify and assess significant trends in Common Vulnerabilities and Exposures (CVEs), providing insights for operational technology (OT) and ICS asset owners.

In 2023, the manufacturing and energy sectors were the most impacted by CISA ICS advisories, accounting for 44 percent and 20 percent of total reported CVEs, respectively. Additionally, an analysis of advisories from other vendors and CERTs (not included in CISA ICS advisories but identified in ICS[AP] weekly summaries) revealed that the energy sector represented 25 percent and manufacturing 15 percent of the total CVEs for the year.

Another key finding of the ICS Vulnerabilities report, based on the mitigation data in CISA ICS advisories, is that in 2023 some advisories had no patch or remediation currently available from the vendor (a slight increase from 4 percent in 2022, given that 380 CISA ICS advisories were released in 2022 and 381 in 2023). When individual CVEs are counted instead of advisories, this figure rises considerably.

Based on CVE Common Platform Enumeration (CPE) and CISA ICS Advisory Mitigations data, there has been a slight decrease in the percentage of Software action types for ICS CVEs in 2023, the ICS Vulnerabilities report revealed. “Firmware action types increased compared to the 2022 count reported in SynSaber 1H2022 and 1H2023 ICS Vulnerabilities reports. Hardware and Other action types for 2023 increased compared to 2022. Hardware and Other Actions were compiled from ICS[AP] data for 2022, which were not broken out in SynSaber 2022 ICS Vulnerabilities Reports. In 2023, there were 268 duplicate CVEs for different CISA ICS advisories for different vendors, increasing action type counts.”

As the CISA ICS advisories contained CVEs dating back to 2007, the ICS Vulnerabilities report said “We conducted an in-depth review of CPE data for the 2007 – 2023 CVEs that were identified in 2023 CISA ICS Advisories. We observed a gradual increase in vulnerabilities associated with Hardware over these years before dropping in 2023. CPEs help us understand the vulnerabilities affecting Operating Systems used by ICS products, which peaked in 2021 but decreased significantly from 2022 to 2023. Application-related vulnerabilities also gradually increased except for 2021, before decreasing to numbers lower than in 2020.”

The report also revealed that most CVEs reported during 2023 were reported by OEMs and security vendors. “In 2022, the most prevalent CVE reporters were Security Vendors. In 2023, there appears to be more CVE reporting from Academic Research teams than from Government and Asset Owners combined. The total number of CVEs reported by Independent Researchers slightly dropped in 2023 compared to 2022. There was a significant decrease in CVE reporting by Consulting Firms in 2023.”

The ICS[AP] data on the Top 10 Affiliated Research Organizations shows Siemens as the leading OEM producing CVEs through the first half of last year. They are followed closely by independent researchers (in aggregate) and Trend Micro Zero Day Initiative (ZDI) as the top three research organizations. This has remained the same as when reported in the 1H2023 ICS Vulnerabilities research paper.

In 2023, the combined ICS Vulnerability Disclosures originated mostly from OEMs and Security Vendors for each country, showing the United States and Germany leading this effort. The number of independent researchers disclosing vulnerabilities impacting ICS vendor products was slightly less in 2023.

The report added that “In the 2H2023 ICS Advisory Project, monitoring of multiple resources of CVE data found that there were several ICS vulnerabilities that did not become or correlate to CISA ICS Advisories.”

The ICS Vulnerabilities report also highlighted that in 2023, Siemens products topped the list of those most affected by the Top 5 MDSW, closely followed by products from Rockwell Automation and Hitachi Energy. CISA has warned that these vulnerabilities pose significant risks to software integrity. They can potentially enable attackers to seize control of a system, pilfer data, or disrupt application functionality.

In the 2023 CISA ICS advisories, the report said that there were 13 vendors for products with options for asset owners to migrate to new hardware/software/firmware or implement a workaround for the ‘forever-day’ vulnerability. Four vendor products with ‘critical’ and ‘high’ forever-day vulnerabilities have only the option to migrate to updated hardware/software, and two products have the option of an update or implementing a workaround. Two ‘critical’ and ‘high’ severity forever-day vulnerabilities offer either a hardware/software upgrade or an available workaround.

The list of vendors and products affected by forever-day vulnerabilities includes Dover Fueling Solutions MAGLINK LX – Web Console Configuration; Socomec MOD3GP-SY-120K; Siemens SIMATIC PCS 7, SIMATIC S7-PM, SIMATIC STEP 7 V5; SAUTER Controls Nova 200-220 Series (PLC 6); QNAP VioStor NVR; Delta Electronics DOPSoft; and Hitachi Energy Lumada Asset Performance Management (APM) Edge.

It also covered TEL-STER Sp. z o. o. TelWin SCADA WebInterface; Hitachi Energy AFS65x, AFS67x, AFR67x and AFF66x series products; Siemens OPC Foundation Local Discovery Server; Schneider Electric Easy UPS Online Monitoring Software; Zebra Technologies ZTC Industrial ZT410, ZTC Desktop GK420d; Franklin Electric Fueling Systems Colibri; Hitachi Energy FOXMAN-UN, UNEM Products; and Rittal CMC III.

The report also identified that there were two very old CVEs identified in two CISA ICS advisories in 2023 affecting Siemens and Hitachi Energy products with High and Medium vulnerabilities. “CVE-2007-5846 is a vulnerability in SNMP agent (snmp_agent.c) affecting Siemens SCALANCE X200 IRT Products all versions prior to V5.5.0. CVE-2011-1207 is a vulnerability in ActiveBar ActiveX control distributed in ActBar.ocx 1.0.3.8 in Hitachi Energy SYS600 product. Both vendors disclosed these vulnerabilities and mitigations in 2023, which is interesting, considering these two vulnerabilities were disclosed over a decade ago,” it added.

In conclusion, the ICS Vulnerabilities report identified that the ongoing influx of CVEs reported through CISA ICS advisories, and the ones identified through the ICS Advisory Project, indicate a trend likely to persist in the future. “Identifying which CVEs are unlikely to be resolved helps streamline the focus of vulnerability remediation efforts. Efficient prioritization of CVEs and other vulnerabilities draws upon a combination of resources, including CISA ICS Advisories and various officially recognized and community-driven outlets.”

It’s imperative to assess vulnerabilities within the specific contexts of their respective environments. Given the unique configurations and purposes of individual OT environments, the susceptibility to exploitation and potential impact can vary significantly among organizations.
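As an added example, not code from the report, ICS[AP] or Industrial Data Works, the following Python script works through the distinctions the article draws: the share of advisories with no vendor fix versus the share of individual CVE entries (the latter is higher, because one advisory can mix patched and unpatched CVEs), a triage list of critical and high forever-day CVEs that only offer migration or a workaround, and a CPE-based platform breakdown (hardware, operating system, application from the CPE 2.3 part field) that counts a CVE once even when it appears in several advisories. All advisory ids, vendors, products, CVE ids, CPE strings and scores are constructed placeholders; the mitigation categories are an assumed simplification of the advisory mitigation text.

```python
from collections import Counter
from dataclasses import dataclass, field

# CPE 2.3 "part" component: a = application, o = operating system, h = hardware.
CPE_PART = {"a": "application", "o": "operating_system", "h": "hardware"}


def cpe_part(cpe: str) -> str:
    """Classify a CPE 2.3 formatted string by its 'part' component."""
    fields = cpe.split(":")
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return CPE_PART.get(fields[2], "unknown")


def severity(cvss: float) -> str:
    """Qualitative CVSS v3.x rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0 else "none"


@dataclass
class Cve:
    cve_id: str
    cvss: float
    cpe: str
    # Assumed mitigation categories: "patch" means a vendor fix exists;
    # "migrate", "workaround", "migrate_or_workaround" or "none" are forever-days.
    mitigation: str


@dataclass
class Advisory:
    advisory_id: str
    vendor: str
    product: str
    cves: list = field(default_factory=list)


def has_patch(cve: Cve) -> bool:
    return cve.mitigation == "patch"


def no_fix_share_by_advisory(advisories) -> float:
    """Fraction of advisories in which no CVE has a vendor patch."""
    unfixed = sum(1 for a in advisories if not any(has_patch(c) for c in a.cves))
    return unfixed / len(advisories)


def no_fix_share_by_cve(advisories) -> float:
    """Fraction of per-advisory CVE entries with no vendor patch (one CVE may
    appear in several advisories, so every entry counts here)."""
    entries = [c for a in advisories for c in a.cves]
    return sum(1 for c in entries if not has_patch(c)) / len(entries)


def forever_day_triage(advisories):
    """Critical/high CVE entries without a vendor patch, highest CVSS first."""
    rows = [
        (c.cve_id, a.vendor, a.product, severity(c.cvss), c.cvss, c.mitigation)
        for a in advisories for c in a.cves
        if not has_patch(c) and severity(c.cvss) in ("critical", "high")
    ]
    return sorted(rows, key=lambda r: r[4], reverse=True)


def platform_breakdown(advisories, dedupe: bool = True) -> dict:
    """Count affected platform types from CPE data. With dedupe=True a CVE id
    listed in several advisories is counted once, so duplicates do not inflate
    the per-platform counts."""
    seen, counts = set(), Counter()
    for a in advisories:
        for c in a.cves:
            if dedupe:
                if c.cve_id in seen:
                    continue
                seen.add(c.cve_id)
            counts[cpe_part(c.cpe)] += 1
    return dict(counts)


# Constructed sample data (placeholder ids, vendors, products and scores).
SAMPLE = [
    Advisory("ICSA-EX-01", "VendorA", "ProductX", [
        Cve("CVE-2099-0001", 9.8, "cpe:2.3:a:vendora:productx:1.0:*:*:*:*:*:*:*", "patch"),
        Cve("CVE-2099-0002", 7.5, "cpe:2.3:a:vendora:productx:1.0:*:*:*:*:*:*:*", "none"),
    ]),
    Advisory("ICSA-EX-02", "VendorB", "ProductY", [
        Cve("CVE-2099-0003", 8.8, "cpe:2.3:h:vendorb:producty:-:*:*:*:*:*:*:*", "migrate"),
        Cve("CVE-2099-0004", 5.3, "cpe:2.3:o:vendorb:producty_os:2.1:*:*:*:*:*:*:*", "workaround"),
    ]),
    Advisory("ICSA-EX-03", "VendorC", "ProductZ", [
        Cve("CVE-2099-0005", 9.1, "cpe:2.3:o:vendorc:productz_fw:3.0:*:*:*:*:*:*:*", "migrate_or_workaround"),
    ]),
    # Same CVE as ICSA-EX-02 (shared component), but this vendor ships a patch.
    Advisory("ICSA-EX-04", "VendorD", "ProductW", [
        Cve("CVE-2099-0003", 8.8, "cpe:2.3:h:vendord:productw:-:*:*:*:*:*:*:*", "patch"),
    ]),
    Advisory("ICSA-EX-05", "VendorE", "ProductV", [
        Cve("CVE-2099-0006", 6.5, "cpe:2.3:a:vendore:productv:4.2:*:*:*:*:*:*:*", "patch"),
    ]),
]

if __name__ == "__main__":
    print(f"advisories with no vendor fix: {no_fix_share_by_advisory(SAMPLE):.0%}")
    print(f"CVE entries with no vendor fix: {no_fix_share_by_cve(SAMPLE):.0%}")
    for row in forever_day_triage(SAMPLE):
        print("forever-day:", row)
    print("platforms (deduplicated):", platform_breakdown(SAMPLE))
    print("platforms (raw):", platform_breakdown(SAMPLE, dedupe=False))
```

On the constructed data the advisory-level figure is 40 percent while the CVE-level figure is about 57 percent, which is the gap the report alludes to when it says the number "greatly increases" at CVE granularity; the deduplicated platform count also shows how one CVE shared across two vendor advisories would otherwise be counted twice under Hardware.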

Earlier this week, industrial cybersecurity firm Dragos disclosed that it has been tracking activity by the Voltzite threat group, which overlaps with Volt Typhoon, since early 2023. The group has been observed performing reconnaissance and enumeration of multiple U.S.-based electric companies since early 2023, and since then has targeted emergency management services, telecommunications, satellite services, and the defense industrial base.
