SynSaber analyzes ICS vulnerabilities for improved understanding, remediation of future exposures

Researchers at industrial cybersecurity firm SynSaber broke down the Common Vulnerabilities and Exposures (CVEs) reported during the first half of 2022 to better understand and remediate future vulnerabilities. The research sorts CVEs into remediation categories: those that can be patched with a software update, those that need a firmware update, and those that require something more complex, such as a protocol or whole-system change. It also examined the attack vector requirements of each CVE, which can give teams critical insight when assessing these and future CVEs as they are reported.

Out of the 681 CVEs reported through the Cybersecurity and Infrastructure Security Agency (CISA) ICS advisories in the first half of this year, SynSaber said in its research report titled “ICS Vulnerabilities – SynSaber Analysis, First Half of 2022” that 13 percent have no patch or remediation currently available from the vendor and 34 percent require a firmware update. “Of the CVEs reported thus far in 2022, 41 percent can and should be prioritized and addressed first (with organization and vendor planning),” it added.

While 56 percent of the CVEs have been reported by the original equipment manufacturer (OEM), SynSaber researchers determined that security vendors and independent researchers have submitted 42 percent, and the remaining 2 percent were reported directly by an asset owner and a government CERT. Additionally, they added that 23 percent of the CVEs require local or physical access to the system to exploit.

SynSaber researchers said on Thursday that organizations could “determine if a vulnerability is practically exploitable within your ICS environment by looking at certain key measures to identify the low probability of exploitation. Network accessibility and potential user interaction both have a lower probability of occurrence in ICS vs. Enterprise IT.”

Where a fix exists, the practical fix actions available for a CVE are software-, firmware-, or protocol-based, SynSaber said. In the software category, the vulnerability affects a device or application and can be patched with a software update; such patches update only the specific affected application.

When it comes to firmware, the vulnerability affects a device or application and can only be patched with a firmware update, the report said. However, firmware updates impact the entire device. Protocol updates may require numerous system and subsystem upgrades to maintain interoperability. Or there is no fix, the dreaded ‘forever-day’ that the vendor says will never be patched.
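The two triage axes the report describes, the remediation category (software, firmware, protocol, or no fix) and the attack-vector requirement (network accessibility and user interaction, versus local or physical access), can be applied mechanically to the CVSS vector string that CISA ICS advisories publish. The following Python sketch is an added illustration, not code or tooling from SynSaber or CISA; its CVE IDs, vectors, remediation labels and the `oem_approved` flag (which models the OEM-approval caveat) are constructed sample values.

```python
from collections import Counter
from dataclasses import dataclass
# Remediation categories from the report, ordered by cost to apply.
REMEDIATION_COST = {"software": 0, "firmware": 1, "protocol": 2, "none": 3}

@dataclass
class IcsCve:
    cve_id: str         # placeholder IDs in SAMPLE, not advisory values
    cvss_vector: str    # CVSS v3.x vector string as published in the advisory
    remediation: str    # software | firmware | protocol | none ("forever-day")
    oem_approved: bool  # OEM has cleared the patch for this asset (assumed field)

def parse_cvss(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    head, *metrics = vector.split("/")
    if not head.startswith("CVSS:3"):
        raise ValueError(f"unsupported vector: {vector}")
    return dict(m.split(":", 1) for m in metrics)

def needs_local_or_physical_access(cve: IcsCve) -> bool:
    """The report's 'local or physical access' bucket: CVSS AV of L or P."""
    return parse_cvss(cve.cvss_vector)["AV"] in ("L", "P")

def priority(cve: IcsCve) -> tuple:
    """Sort key (lower first): network-reachable, no user interaction,
    cheap to fix and OEM-approved CVEs are the ones to address now."""
    m = parse_cvss(cve.cvss_vector)
    return (0 if m["AV"] in ("N", "A") else 1,   # network accessible first
            0 if m["UI"] == "N" else 1,          # no user interaction first
            REMEDIATION_COST[cve.remediation],   # software < firmware < protocol
            0 if cve.oem_approved else 1)        # can actually be applied today

def triage(cves: list) -> list:
    """Actionable CVEs in working order; forever-days are tracked, not worked."""
    return sorted((c for c in cves if c.remediation != "none"), key=priority)

def summarize(cves: list) -> dict:
    """Percentages in the shape of the report's headline figures."""
    n, by_fix = len(cves), Counter(c.remediation for c in cves)
    local = sum(needs_local_or_physical_access(c) for c in cves)
    return {"no_fix_pct": round(100 * by_fix["none"] / n, 1),
            "firmware_pct": round(100 * by_fix["firmware"] / n, 1),
            "local_or_physical_pct": round(100 * local / n, 1)}

# Constructed sample advisories (placeholder CVE IDs, invented vectors).
SAMPLE = [
    IcsCve("CVE-0000-0001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "software", True),
    IcsCve("CVE-0000-0002", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "firmware", False),
    IcsCve("CVE-0000-0003", "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "firmware", True),
    IcsCve("CVE-0000-0004", "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "protocol", False),
    IcsCve("CVE-0000-0005", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "none", False),
]
```

Running `triage(SAMPLE)` puts the network-reachable, software-patchable CVE first and the physically reachable one last, while `summarize(SAMPLE)` reproduces the report's kind of breakdown (no-fix share, firmware share, local-or-physical share) for whatever advisory set is fed in.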

“Generally speaking, even if there is a software or firmware patch available, asset owners are still required to work with the affected Original Equipment Manufacturer (OEM) vendor and wait for official approval to patch,” the SynSaber report said. “This is due to complicated interoperability and warranty constraints that apply to industrial control systems. Just because a patch exists doesn’t mean an organization can immediately apply it. Aside from OEM restrictions, organizations must determine the operational risk and follow internal configuration management policies and procedures,” it added.

SynSaber researchers said that the most prolific CVE generator was Team Siemens, with 230 CVEs, or one-third of the total reported for the first half of 2022. “OEMs reported a combined total of 384 CVEs, or 56% of all reported. OEMs are the product vendors in which the vulnerabilities exist, and their security teams have access to the business units, software, and developers of the vulnerable systems. Therefore, they should typically be generating the most meaningful and accurate CVEs out of the bunch,” it added.

The report also determined that 152 vulnerabilities, or 22.32 percent, were listed as ‘critical,’ while 289 vulnerabilities, or 42.44 percent, were tagged as ‘high.’ Additionally, 154 (22.61 percent) of reported CVEs require local or physical access to the system in order to exploit. “If you have local/physical access, often no exploit is required. The same can be said for most network-based CVEs, although it does not diminish the importance of the CVE itself,” the report added.

“The volume of CVEs reported via CISA ICS Advisories and other entities is not likely to decrease,” according to the report. “It’s important for asset owners and those defending critical infrastructure to understand when remediations are available, and how those remediations should be implemented and prioritized.”

SynSaber researchers also said that merely looking at the sheer volume of reported CVEs may cause asset owners to feel overwhelmed, “but the figures seem less daunting when we understand what percentage of CVEs are pertinent and actionable, vs. which will remain ‘forever-day vulnerabilities,’ at least for the time being. SynSaber plans to continue monitoring and analyzing reported CVEs, and we will update this research as new trends and key findings arise.”

Earlier this week, BitSight identified six severe vulnerabilities in the MiCODUS MV720 GPS tracker designed for vehicle fleet management and theft protection for consumers and organizations. Exploiting these vulnerabilities could have disastrous and even life-threatening implications for the consumers, companies, government agencies, and law enforcement sectors that deploy these devices. As a result, the CISA collaborated with BitSight to issue a public advisory detailing the notable CVEs identified.
