SynSaber details vulnerability trends within critical infrastructure, as total number of ICS advisories drops

With growing regulation of critical infrastructure and the ICS (industrial control systems) that constitute it, there is increasing emphasis on maturing cybersecurity and operations, resulting in a greater focus on vulnerability management, industrial asset and network monitoring company SynSaber disclosed Wednesday, in collaboration with the ICS Advisory Project. The data also showed that the total number of ICS advisories released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in the first half of 2023 decreased by 9.8 percent compared to the first half of last year.

In the bi-annual ICS Vulnerabilities report published Wednesday, SynSaber research outlines the entities that report the majority of ICS-related CVEs (common vulnerabilities and exposures), identifies the critical infrastructure sectors most likely to be impacted, and provides information on the remediation status and severity of the identified vulnerabilities. The data also indicated that targeting and exploitation of vulnerabilities within U.S. critical infrastructure have become more common.

“Every OT environment is unique and purpose-built for a specific mission,” Jori VanAntwerp, SynSaber co-founder and CEO, said in a media statement. “As a result, the likelihood of exploitation and impact will vary greatly for each organization. One thing is certain: the number of CVEs reported is likely to continue increasing over time or at least remain steady. It is our hope that this research helps asset owners prioritize when and how to mitigate vulnerabilities in accordance with their own environment.”

“We’re thrilled to publish this research along with SynSaber,” according to Dan Ricci, founder of the ICS Advisory Project. “Educating and helping companies mitigate vulnerabilities as new trends and findings emerge over time is an ongoing challenge, but as a community, we must come together to better prepare and defend our world’s critical infrastructure.”

SynSaber reported that the total number of ICS advisories released by the CISA has decreased by 9.8 percent compared to the first half of last year, which could be attributed to more CVEs being listed per advisory. “In comparing the total number of CVEs appearing in CISA ICS Advisories in the first half of 2023 to those reported in 1H22, there has been a slight decrease of 1.62%.”

It also found that both the number of CVEs and the total number of CISA ICS advisories decreased from the first half of 2022 to the first half of 2023, though the decrease in advisories was larger than the decrease in CVEs. The report attributed this to multiple CVEs being reported within individual ICS advisories, as CISA streamlines its alert and reporting processes. There was also a slight decrease in the percentage of ICS CVEs reported in the first half of this year whose remediation action is a software or firmware update.

“When evaluating threats, vulnerabilities, and potential risks, it’s important to monitor multiple sources of information to get a more complete picture of the overall landscape,” SynSaber reported. “While CISA ICS Advisories encompass large amounts of data, there are other sources that analysts, asset owners, and security researchers should monitor for vulnerability information. As an example of the importance of monitoring multiple sources for CVE data, the following is a sample of CVEs reported during the last week of June 2023 with CVSS ratings of ‘Critical’ or ‘High’ from sources outside of CISA advisories.”

In reviewing ‘critical’ and ‘high’ severity levels, SynSaber identified six CISA advisories for ICS vendor products that have reached end of life and carry ‘critical’ severity vulnerabilities with no patch, no hardware/software/firmware update, and no known workaround. “There were ten CISA advisories for ICS vendor products that reached end of life with ‘high’ severity levels. Six of these ten had no update or patch available. Two of these ten had no patch, upgrade, or workaround,” it added.

“In the first half of CISA-reported ICS Advisories for 2023, there were eight vendors for products with options for asset owners to migrate to new hardware/software/firmware or implement a workaround for the forever-day vulnerability,” according to the SynSaber report. “Three vendor products with ‘critical’ forever-day vulnerabilities have only the option to migrate to updated hardware/software, and one product has the option of an update or implementing a workaround. Two ‘high’ severity forever-day vulnerabilities offer either a hardware/software upgrade or available workaround.”

For the CVEs reported in the first half of this year, SynSaber confirmed that 34 percent have no patch or remediation currently available from the vendor. This number has risen significantly from 13 percent in the first half of 2022, but remains fairly consistent with the 35 percent reported for the second half of 2022. The report attributes this to the number of affected products that are no longer supported or have reached end of life; vulnerabilities in such products, for which no fix will ever ship, are the ‘forever-day’ vulnerabilities the report refers to.

Manufacturing and energy were the two critical infrastructure sectors most likely to be impacted by the CVEs reported in the first half of this year, accounting for 37.3 percent and 24.3 percent of the CVEs, respectively.

Mitsubishi Electric was the most-affected vendor in the critical manufacturing sector, accounting for 20.5 percent of the sector’s reported CVEs, followed by Siemens at 18.2 percent and Rockwell Automation at 15.9 percent. In the energy sector, Hitachi Energy was the vendor most affected by CISA-reported CVEs, accounting for 39.5 percent, followed by Advantech at 10.5 percent, with Delta Electronics and Rockwell Automation both at 7.9 percent.

SynSaber also reported that OEMs remain in the lead as the top CVE reporters. Siemens, Trend Micro’s Zero Day Initiative (ZDI), and Hitachi are the top CVE reporters included in CISA ICS advisories.

The report also identified that when determining the level of risk or prioritization of a CVE in an environment, the probability of successful exploitation should be considered. It showed that a number of CVEs require both local/physical access AND user interaction for successful exploitation. “While these factors do not remove the threat of exploitation, they do decrease its likelihood. The number of reported CVEs that require both local or physical access AND user/operator interaction has increased with each report, demonstrating the importance of taking vector and probability of exploitation into account, regardless of the total number of CVEs,” it added.

Additionally, the percentage of CVEs that require user action, regardless of network reachability, has stayed relatively steady. “In the first half of 2022, 29.1% of CVEs required user action. This number has decreased to 24.3% in the first half of 2023,” SynSaber added.

In conclusion, the SynSaber report identified that the number of CVEs reported via CISA ICS advisories and other alerting groups is likely to continue increasing over time or at least remain relatively steady. “Understanding which CVEs are ‘forever-day vulnerabilities’ will reduce the number of vulnerabilities that need to be accounted for in a vulnerability remediation plan.” 

It added that effective prioritization of both CVEs and other vulnerabilities leverages both CISA ICS advisories as well as other officially sanctioned and community-driven resources. “Care should be taken to understand vulnerabilities in the context of the environments in which they appear. Since every OT environment is unique and purpose-built, the likelihood of exploitation and impact that it may have will vary greatly for each organization.”
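The prioritization described above, in which exploitation prerequisites (network reachability, user interaction) are weighed alongside whether a vendor fix exists at all, is the kind of logic an asset owner would encode over the CVSS vector strings that CISA ICS advisories carry. The following is an added example written for this page, not SynSaber's or the ICS Advisory Project's tooling. It parses standard CVSS v3.1 base vectors, flags the report's two classes of interest (CVEs needing local/physical access AND user interaction, and forever-day CVEs with no patch, upgrade or workaround), and sorts advisories into triage buckets. The bucket policy, the `Advisory` record layout and the sample advisories (placeholder identifiers, not real CVEs) are assumptions constructed for illustration.

```python
"""Triage ICS CVEs by CVSS v3.1 exploitation prerequisites and vendor remediation status.

Added example for illustration; not SynSaber's tooling. Sample records are constructed.
"""
from dataclasses import dataclass

# Remediation status as an asset owner records it from the advisory text (assumed vocabulary).
# "none" models a forever-day: end-of-life product with no patch, upgrade or workaround.
REMEDIATIONS = {"patch", "upgrade", "workaround", "none"}


@dataclass(frozen=True)
class Advisory:
    cve: str          # identifier (placeholders below, not real CVEs)
    vector: str       # CVSS v3.1 base vector string from the advisory
    score: float      # CVSS v3.1 base score
    remediation: str  # one of REMEDIATIONS


def parse_cvss31(vector: str) -> dict[str, str]:
    """Parse a CVSS v3.1 vector into metric -> value, rejecting other versions and missing base metrics."""
    if not vector.startswith("CVSS:3.1/"):
        raise ValueError(f"not a CVSS v3.1 vector: {vector!r}")
    metrics: dict[str, str] = {}
    for part in vector.split("/")[1:]:
        key, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    missing = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"{vector!r} lacks base metrics {sorted(missing)}")
    if metrics["AV"] not in {"N", "A", "L", "P"} or metrics["UI"] not in {"N", "R"}:
        raise ValueError(f"unexpected AV/UI value in {vector!r}")
    return metrics


def needs_local_and_user(metrics: dict[str, str]) -> bool:
    """The report's lower-likelihood class: local or physical access AND user interaction."""
    return metrics["AV"] in {"L", "P"} and metrics["UI"] == "R"


def is_forever_day(adv: Advisory) -> bool:
    """No patch, upgrade or workaround from the vendor (typically an end-of-life product)."""
    if adv.remediation not in REMEDIATIONS:
        raise ValueError(f"unknown remediation status {adv.remediation!r}")
    return adv.remediation == "none"


# Assumed triage policy, most to least urgent. Forever-days that need only local/physical
# access leave the patch plan and go on a watch list, as the report suggests.
BUCKET_ORDER = (
    "isolate",              # network/adjacent reachable, no fix: compensating controls now
    "remediate-reachable",  # network/adjacent reachable, vendor fix exists
    "remediate-local",      # local/physical access only, vendor fix exists
    "schedule-local-ui",    # local/physical access AND user interaction, fix exists
    "track-forever-day",    # local/physical only, no fix: watch list, not the patch plan
)


def triage(adv: Advisory) -> str:
    m = parse_cvss31(adv.vector)
    reachable = m["AV"] in {"N", "A"}
    forever = is_forever_day(adv)
    if reachable and forever:
        return "isolate"
    if reachable:
        return "remediate-reachable"
    if forever:
        return "track-forever-day"
    return "schedule-local-ui" if needs_local_and_user(m) else "remediate-local"


def prioritized(advisories: list[Advisory]) -> list[Advisory]:
    """Order by bucket first, then by base score within a bucket."""
    return sorted(advisories, key=lambda a: (BUCKET_ORDER.index(triage(a)), -a.score))


def summarize(advisories: list[Advisory]) -> dict[str, float]:
    """Percentages comparable to the figures the report tracks."""
    n = len(advisories)
    parsed = [parse_cvss31(a.vector) for a in advisories]

    def pct(count: int) -> float:
        return round(100.0 * count / n, 1) if n else 0.0

    return {
        "local_and_user_pct": pct(sum(needs_local_and_user(m) for m in parsed)),
        "user_action_pct": pct(sum(m["UI"] == "R" for m in parsed)),
        "no_fix_pct": pct(sum(is_forever_day(a) for a in advisories)),
    }


# Constructed sample advisories (placeholder IDs and invented vectors, not real CVEs).
SAMPLE = [
    Advisory("EXAMPLE-1", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 9.8, "patch"),
    Advisory("EXAMPLE-2", "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", 7.8, "upgrade"),
    Advisory("EXAMPLE-3", "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", 4.6, "none"),
    Advisory("EXAMPLE-4", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 7.5, "none"),
    Advisory("EXAMPLE-5", "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", 8.8, "workaround"),
]

if __name__ == "__main__":
    for adv in prioritized(SAMPLE):
        print(f"{triage(adv):<20} {adv.cve:<10} {adv.score}")
    print(summarize(SAMPLE))
```

Note that EXAMPLE-4 outranks the 9.8-scored EXAMPLE-1 in this policy: a reachable vulnerability with no vendor fix needs isolation or compensating controls before any patch cycle, whereas a high score with a fix available is a scheduling question. Conversely, EXAMPLE-3 (physical access plus user interaction, no fix) is the kind of forever-day that the report suggests can be taken out of the remediation plan and tracked separately.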

In February, SynSaber observed a 144 percent rise in CVEs reported via ICS advisories from 2020 to 2022. The growing volume of reported vulnerabilities highlights continued efforts to secure the ICS systems critical to the nation’s energy, manufacturing, water, and transportation infrastructure.
