SynSaber details CVEs to be taken most seriously, others can be accepted as a part of risk management strategy

Thirty-five percent of reported Common Vulnerabilities and Exposures (CVEs) in the second half of 2022 have no patch or remediation currently available from the vendor, according to data released Thursday by SynSaber, an ICS/OT cybersecurity and asset monitoring company. This figure is an increase of 13 percent from the first six months of the year, and 33 percent of the CVEs required a firmware update. The report also points out that it is important for asset owners and those defending critical infrastructure to understand when remediations are available, and how those remediations should be implemented and prioritized.

“Of the CVEs reported in the second half of 2022, 22 percent can and should be prioritized and addressed first, with organization and vendor planning (this is down from 41% during the first half of 2022),” SynSaber said in its research report titled ‘ICS Vulnerabilities: SynSaber Analysis, Second Half of 2022.’ Additionally, 28 percent of the CVEs require local or physical access to the system to exploit, up from 23 percent during the first half of the year.

SynSaber researchers broke down over 920 CVEs released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in the second half of 2022, as the sheer volume of reported ICS (industrial control system) vulnerabilities and CVEs may cause critical infrastructure asset owners to feel overwhelmed, or not know where best to begin. They identified that while “56% of the CVEs have been reported by the Original Equipment Manufacturer (OEM), 43% have been submitted by security vendors and independent researchers.” 

SynSaber points out in the report that given the unique nature of ICS environments, not all vulnerabilities may be equally critical or even patched. Thus, it is important for asset owners and their security teams to break up the reported CVEs into remediation categories, such as whether it can be patched with software, a firmware update, or something more complex requiring protocol or whole system changes. They must also look at attack vector requirements that can provide critical insights for teams to assess these and future CVEs as they are reported.

The report added that “while not all CVEs may apply to your specific industrial environments, we hope that by analyzing and counting these vulnerabilities with new methods, this context can be used by all industrial security teams to better understand and remediate future vulnerabilities.”

“Year after year, there is a deluge of vulnerability disclosures in industrial control systems, often creating anxiety as the security community attempts to patch or remediate each point of exposure — an impossible feat,” Ron Fabela, CTO of SynSaber, said in a media statement. “Our goal with this report is to analyze the 920+ CVEs, and gather insights for the ICS industry regarding which CVEs should be taken most seriously and which can be accepted as a part of the organization’s risk management strategy.”

When examining CVEs for a low probability of exploitation, SynSaber reported that a few key measures can be used to determine whether a vulnerability is practically exploitable within the ICS environment. Both network accessibility and the potential for user interaction are less likely to occur in ICS than in enterprise IT, it added.

It noted that some of the phrases to look for in ICS advisories include ‘without validation, an admin user could be tricked to install a malicious package, granting root privileges to an attacker,’ ‘successful exploitation of this vulnerability could allow a malicious user to trick a legitimate user into using an untrusted website,’ and ‘allowing users with SYSTEM/ROOT/ADMIN/ELEVATED level privileges to perform $ACTION.’

The report proceeds to assess that while having an awareness of vulnerabilities in ICS is important, understanding what can and cannot be done to remediate is vital. Some of the potential ‘fix’ actions could be related to software, firmware, or protocol. 

In the case of software, the vulnerability affects a device or application and can be patched with a software update. Software patches only update the specific application. When it comes to firmware, the vulnerability affects a device or application and can only be patched with a firmware update. Firmware updates impact the entire device. For protocol, the vulnerability affects an entire system or architecture and may require numerous system and subsystem upgrades to maintain interoperability. 

SynSaber also added the fact that “perhaps there is no fix, the dreaded ‘Forever-day Vulnerability’ that the vendor says will never be patched.”

The report also said that generally speaking, it is less complicated to apply a software patch than a firmware upgrade, and protocol changes affect not just a single device but the entire architecture. “A significant number of industrial devices can only be updated via a firmware image flash that may contain changes to functionality in addition to remediating security, let alone the risk of ‘bricking’ a device during the process,” it added. 

Even if there is a software or firmware patch available, asset owners still face several constraints, the researchers disclosed. “One cannot simply patch ICS. Original Equipment Manufacturer (OEM) vendors often have strict patch testing, approval, and installation processes that delay any updates. Operators must consider interoperability and warranty restrictions to environment-wide changes in addition to waiting for the next maintenance cycle,” they added.

SynSaber has revealed that Team Siemens was the most productive CVE generator, with 427 vulnerabilities identified through 102 ICS Advisories. The SynSaber team carefully examined and analyzed multiple Siemens advisories which included a compilation of different CVEs into one report. “For the second half of 2022, OEMs self-reported a total of 522 CVEs or 56.4% of the total found in CISA advisories. Security vendors are ramping up their research and reporting as well, along with independent researchers. Together, the two groups reported 401 CVEs or 43.3% of the total,” it added.

The remaining percentage of reported CVEs were a result of one bug reported by the Korea Internet & Security Agency (KISA) and two CVEs reported by ‘research institutes’ that fall outside of the normal OEM or security vendor categories.

Twenty-five percent of CVEs reported in the second half of 2022 require the user (operator) to do something for exploitation to occur. The report further identified that in industrial networks, access is equal to control. “While we are at the mercy of whatever the reporter and vendor assign for the CVSS Attack Vector category, 263 (28.40%) of reported CVEs require local or physical access to the system in order to exploit (was 23% for the first half of 2022). If you have local/physical access, often no exploit is required. The same can be said for most network-based CVEs, although it does not diminish the importance of the CVE itself,” it added.
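The classification the report describes, remediation type (software, firmware, protocol, or no fix at all) combined with the CVSS attack-vector requirements (local or physical access, user interaction, pre-existing privileges) and the advisory phrases flagged above, can be applied to an advisory feed with a short script. What follows is an added example written for this article, not code from SynSaber or its report: the CVE identifiers, CVSS vector strings and summaries are constructed sample data, and the queue thresholds in `triage()` are this example's own assumptions, not the report's criteria.

```python
"""Triage ICS advisory CVEs by remediation type and CVSS attack-vector
requirements. Added example; records below are constructed, not real advisories."""
from collections import Counter
from dataclasses import dataclass

REMEDIATION_TYPES = ("software", "firmware", "protocol", "forever-day")

# Phrases the report singles out as markers of low practical exploitability in
# ICS: a user must be tricked, or the attacker already holds elevated privileges.
LOW_PROBABILITY_PHRASES = (
    "could be tricked",
    "trick a legitimate user",
    "system/root/admin/elevated level privileges",
)


@dataclass
class Cve:
    cve_id: str
    cvss_vector: str
    remediation: str   # one of REMEDIATION_TYPES
    summary: str = ""


def parse_cvss_vector(vector: str) -> dict:
    """'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' -> {'AV': 'N', 'AC': 'L', ...}"""
    head, _, rest = vector.partition("/")
    if not head.startswith("CVSS:3."):
        raise ValueError(f"unsupported CVSS vector: {vector!r}")
    metrics = {}
    for item in rest.split("/"):
        key, sep, val = item.partition(":")
        if not sep or not key or not val:
            raise ValueError(f"malformed metric {item!r} in {vector!r}")
        metrics[key] = val
    for required in ("AV", "PR", "UI"):   # the three metrics the triage relies on
        if required not in metrics:
            raise ValueError(f"vector lacks {required}: {vector!r}")
    return metrics


def requires_local_or_physical(metrics: dict) -> bool:
    return metrics["AV"] in ("L", "P")


def requires_user_interaction(metrics: dict) -> bool:
    return metrics["UI"] == "R"


def requires_privileges(metrics: dict) -> bool:
    return metrics["PR"] in ("L", "H")


def low_probability_signals(summary: str) -> list:
    """Return the report-style phrases found in an advisory summary."""
    text = summary.lower()
    return [p for p in LOW_PROBABILITY_PHRASES if p in text]


def triage(cve: Cve) -> str:
    """Queue assignment (thresholds are this example's assumption):
    forever-day -> accept or compensate; patchable, network-reachable, no user
    interaction or privileges needed -> address first; everything else -> plan."""
    if cve.remediation not in REMEDIATION_TYPES:
        raise ValueError(f"unknown remediation type: {cve.remediation!r}")
    if cve.remediation == "forever-day":
        return "accept-or-compensate"
    m = parse_cvss_vector(cve.cvss_vector)
    reachable = not requires_local_or_physical(m)
    easy = not requires_user_interaction(m) and not requires_privileges(m)
    patchable = cve.remediation in ("software", "firmware")
    if patchable and reachable and easy and not low_probability_signals(cve.summary):
        return "address-first"
    return "plan"


def summarize(cves: list) -> dict:
    """Percentages in the style of the report, plus the size of each triage queue."""
    total = len(cves)
    metrics = [parse_cvss_vector(c.cvss_vector) for c in cves]
    by_remediation = Counter(c.remediation for c in cves)
    pct = lambda n: round(100 * n / total, 1)
    return {
        "total": total,
        "pct_local_or_physical": pct(sum(requires_local_or_physical(m) for m in metrics)),
        "pct_user_interaction": pct(sum(requires_user_interaction(m) for m in metrics)),
        "pct_firmware": pct(by_remediation["firmware"]),
        "pct_no_fix": pct(by_remediation["forever-day"]),
        "queues": dict(Counter(triage(c) for c in cves)),
    }


# Constructed sample records (placeholder IDs; not from the report or any vendor).
SAMPLE_CVES = [
    Cve("CVE-0000-0001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "software",
        "Unauthenticated remote code execution in the engineering workstation service."),
    Cve("CVE-0000-0002", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "software",
        "Successful exploitation could allow a malicious user to trick a legitimate user into using an untrusted website."),
    Cve("CVE-0000-0003", "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "firmware",
        "Allows users with SYSTEM/ROOT/ADMIN/ELEVATED level privileges to read device memory."),
    Cve("CVE-0000-0004", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "firmware",
        "Malformed packets cause the controller to enter a fault state."),
    Cve("CVE-0000-0005", "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "protocol",
        "The fieldbus protocol lacks authentication; clients accept spoofed frames."),
    Cve("CVE-0000-0006", "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "forever-day",
        "Debug port exposes memory; vendor states the product will not be patched."),
]

if __name__ == "__main__":
    for cve in SAMPLE_CVES:
        print(cve.cve_id, cve.remediation, triage(cve))
    print(summarize(SAMPLE_CVES))
```

On the constructed sample, two CVEs land in the address-first queue, three in the planning queue, and the forever-day entry is routed to compensating controls; 33.3% of the set needs local or physical access and 16.7% needs user interaction, the same two measures the report uses. In practice the CVSS vector comes from the advisory's metadata and the remediation type has to be read out of the advisory text or the vendor's fix notes, since no CVE field records it.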

In conclusion, SynSaber said that the volume of CVEs reported via CISA ICS Advisories and other entities is not likely to decrease. However, it is important for asset owners and those defending critical infrastructure to understand when remediations are available, and how those remediations should be implemented and prioritized.

“Merely looking at the sheer volume of reported CVEs may cause asset owners to feel overwhelmed, but the figures seem less daunting when we understand what percentage of CVEs are pertinent and actionable, vs. which will remain ‘forever-day vulnerabilities,’ at least for the time being,” the report added. 

Earlier this week, Nozomi Networks disclosed in its latest OT/IoT security report for the second half of 2022 that malicious cyberattacks on vital infrastructures like energy, hospitals, rail, and manufacturing are still happening and constitute a serious problem. The firm reports that it also tracked hacktivists causing disruptive attacks, thefts of technology source code, and use of wiper malware.
