The number of published industrial control system (ICS) vulnerabilities has grown by almost 70% in the past three years, with over a fifth still not patched by manufacturers, according to SynSaber.
The security vendor analyzed advisories published by the US Cybersecurity and Infrastructure Security Agency (CISA) between January 1 2020 and December 31 2022 in order to understand how badly industrial plant owners are exposed.
It noted a 67% rise in the number of ICS advisories reported by CISA between 2020 and 2021 and a further 2% increase the following year.
The increase in CVEs is not a bad thing per se as it could indicate product security teams are increasing their internal reporting and public disclosure of vulnerabilities to the community, SynSaber’s report argued.
However, the lack of vendor patches may be compounding cyber risk for industrial asset owners in critical infrastructure sectors like transportation and utilities. Even when they’re available, security updates in these environments aren’t always easy to apply due to requirements around system uptime and concerns over legacy software compatibility.
“It’s key to remember that one does not simply patch ICS. In addition to the operational barriers to entry, there are a number of practical challenges to updating industrial systems. ICS has not only software components to update but also device firmware and architectural challenges that may involve updating whole protocols,” said Ron Fabela, SynSaber CTO.