SynSaber notes 144% rise in CVEs reported as ICS advisories from 2020 to 2022 

ICS/OT cybersecurity and asset monitoring vendor SynSaber found that the number of CVEs (common vulnerabilities and exposures) reported via ICS advisories has increased yearly. The growing volume of reported vulnerabilities highlights continued efforts to secure the ICS systems critical to the nation’s energy, manufacturing, water, and transportation infrastructure. 

The report, titled ‘Industrial CVE Retrospective: 2020, 2021, 2022,’ also pointed out that the “growing focus and regulation come with additional administration and reporting requirements for an already overstretched ICS workforce. Owners and operators in critical infrastructure are being asked to analyze, mitigate, and report on new and existing vulnerabilities.” 

SynSaber reported that the CISA advisories revealed 1342 ICS (industrial control system) CVEs for 2022, which was a stark contrast to the mere 23 medical ICS CVEs. In 2021, there were 1191 ICS CVEs and 87 ICS medical CVEs, while in 2020, there were 550 ICS CVEs and 79 medical ICS CVEs, registering a 144 percent jump between 2020 and 2022. The report said that CISA advisory numbers continue to increase, with 2020-2021 registering a 67.3 percent increase in CISA ICS CVEs, while 2021-2022 saw a 2 percent increase. Across the three years, 21.2 percent of the CVEs reported in ICS advisories currently have no patch or remediation available.

Jori VanAntwerp, CEO and co-founder at SynSaber, said that the main goal for the report is “to review the numbers and trends from the mountains of data within the ICS advisories, and extract valuable insights that will empower critical infrastructure operators to make solid decisions regarding CVE mitigation and reporting.”

“It’s key to remember that one does not simply patch ICS. In addition to operational barriers to entry, there are a number of practical challenges to updating industrial systems. ICS has not only software components to update but also device firmware and architectural challenges that may involve updating whole protocols,” Ron Fabela, co-founder and CTO at SynSaber, said in a media statement. “Each has a level of risk that should be considered when prioritizing activities. For example, upgrading device firmware may come with a significant risk of ‘bricking’ the system, which could be hard to recover.”

The report identified that the CISA ICS advisories continued to increase while the CISA ICS medical advisory numbers showed a downward trend. In 2022, 361 ICS advisories were issued compared to 353 in 2021 and 211 in 2020. When it came to the number of medical advisories issued, 2022 reported 12 notices, compared to 17 in 2021 and 23 in 2020. 

The report also found that a significant number of reported CVEs have exploit paths, which are not practical in ICS. “CVEs that require user interaction or local/physical access to the system are exceedingly difficult to practically exploit. Due to the nature of industrial control system operations and architecture, network accessibility and potential user interaction both have a lower probability of occurrence vs. Enterprise IT,” it added. 

Common exploitation vectors like direct internet access, email, and web browsers are not typically present in industrial control environments, according to SynSaber. “Given the nature of industrial built-in security, or the lack thereof, access to the industrial network equals control. Vulnerabilities are not often needed to be exploited in order to attack a process,” they added.

The data also showed that CVEs requiring the attacker to have physical or local access to the target make up a similar share of released CVEs. “Requiring a user to interact in order to exploit is present in an average of one-quarter of all CVEs released since 2020. 22% in 2020, 35% in 2021, 29% in 2022,” the report added.

SynSaber also pointed out that the reporting pipeline itself is open to anyone. “Anyone can report a vulnerability to an ICS vendor or to CISA. Whether you’re an independent individual or working at one of the many ICS security companies, reporting vulnerabilities is a way to make a name for yourself and provide a service for the community.”

From 2020 to 2021, there was a noticeable increase in reported vulnerabilities, the report said. Factors like the pandemic, automated tools like SBOM, or merely an increase in interest could all be contributors, it added.

SynSaber reported that the team at Siemens product security continues to increase its reporting cadence with significant year-over-year growth of nearly three times. “While this does inflate the number of known CVEs that affect Siemens product lines compared to others, this should not be viewed as Siemens products being less secure. On the contrary, a mature and repeatable OEM self-reporting process is something all other OEMs should strive to achieve,” the report added. 

The Chandler, Arizona-headquartered company also laid out considerations for ICS CVEs and patching. For asset owners, there are three major considerations when deciding how and when to patch, and none are related to CVSS scores or security: warranties, OEM (vendor) approval, and maintenance windows.

“Plant architectures and configurations that have passed FAT/SAT are handed over to an operator and tied to a warranty, which can prohibit changes to the industrial control system, including patching or software versions,” the report said. “If a CVE is released and a patch is available, most operating environments must wait until their OEM tests, releases, and approves the patch. This could cause a significant lag time between “patch Tuesday” and actual implementation,” it added.

SynSaber further said that once an OEM approves a patch, most industrial environments must wait until a pre-scheduled maintenance window where plant operations are shut down, thereby providing an opportunity for system and security patches to occur.

The report also identified ‘forever-day vulnerabilities,’ reported vulnerabilities that do not (and will never) have a patch available. “This is more common than one might think, but many CVEs reported are for systems that are old and no longer supported. So while a new vulnerability is reported to CISA, the OEM doesn’t have to release a patch or update to fix the vulnerability, leaving asset owners with limited options. Updating the entire process to a brand-new product line is not practical, so other defensive factors or ‘mitigations’ must be implemented,” it added.

SynSaber reported that nearly half of all reported CVEs require firmware or architecture updates. “One does not simply patch ICS. In addition to the operational barriers to entry, there are a number of practical implementation challenges to updating industrial systems.” 

It added that ICS has not only software components to update but also device firmware and architectural challenges that may involve updating whole protocols. “Each has a level of risk that may be considered when prioritizing activities. For example, upgrading device firmware may come with a significant risk of ‘bricking’ the system, which could be hard to recover,” it added. 

In conclusion, SynSaber said that the volume of CVEs reported via CISA ICS advisories and other entities is likely to remain the same. “It’s important for asset owners and those defending critical infrastructure to understand when remediations are available, and how those remediations should be implemented and prioritized. Merely looking at the sheer volume of reported CVEs may cause asset owners to feel overwhelmed, but the figures seem less daunting when we understand what percentage of CVEs are pertinent and actionable vs. which will remain ‘forever-day vulnerabilities,’ at least for the time being,” it added.
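As an added illustration, not code from the SynSaber report or this article, the triage reasoning above expressed in Python: each CVE is bucketed by whether a fix exists (forever-day vs. awaiting fix), whether its CVSS v3.1 attack vector or user-interaction metric makes it impractical in an ICS network, and how invasive the remediation is. The `remediation` and `eol` fields and all sample records are constructed placeholders, not real advisory data.

```python
from dataclasses import dataclass

@dataclass
class IcsCve:
    cve_id: str       # constructed placeholder ids, not real CVE numbers
    vector: str       # CVSS v3.1 vector string as published in an advisory
    remediation: str  # "patch", "firmware", "architecture" or "none" (assumed field)
    eol: bool = False # True when the OEM no longer supports the product (assumed field)

def parse_vector(vector):
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":") for part in vector.split("/")[1:])

def triage(cve):
    """Bucket one CVE using the report's reasoning."""
    metrics = parse_vector(cve.vector)
    if cve.remediation == "none":
        # No fix: a forever-day if the product is end-of-life, else wait for the OEM
        return "forever-day" if cve.eol else "awaiting-fix"
    if metrics["AV"] in ("P", "L") or metrics["UI"] == "R":
        # Physical/local access or user interaction is rarely available in ICS
        return "low-practicality"
    return "actionable"

BUCKET_RANK = {"actionable": 0, "awaiting-fix": 1, "low-practicality": 2, "forever-day": 3}
# Software patches are the least risky change; firmware and architecture changes
# carry the 'bricking' and protocol-rework risk the report warns about, so they sort later.
REMEDIATION_RANK = {"patch": 0, "firmware": 1, "architecture": 2, "none": 3}

def summarize(cves):
    """Percentage of CVEs per bucket, mirroring the report's headline figures."""
    counts = {}
    for cve in cves:
        bucket = triage(cve)
        counts[bucket] = counts.get(bucket, 0) + 1
    return {b: round(100 * n / len(cves), 1) for b, n in counts.items()}

def prioritize(cves):
    """CVE ids ordered by bucket, then by how invasive the remediation is."""
    return [c.cve_id for c in sorted(
        cves, key=lambda c: (BUCKET_RANK[triage(c)], REMEDIATION_RANK[c.remediation]))]

# Constructed sample advisories (not real data)
SAMPLE = [
    IcsCve("EX-0001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "patch"),
    IcsCve("EX-0002", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "patch"),
    IcsCve("EX-0003", "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "firmware"),
    IcsCve("EX-0004", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "none", eol=True),
    IcsCve("EX-0005", "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "none"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(prioritize(SAMPLE))
```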

Last month, SynSaber revealed that 35 percent of reported CVEs in the second half of 2022 are unpatchable or have no remediation currently available from the vendor. These CVEs registered an increase of 13 percent from the first six months of the year, and 33 percent required a firmware update.
