Extent of reported CVEs overwhelms critical infrastructure asset owners
The sheer volume of reported ICS vulnerabilities and CVEs may cause critical infrastructure asset owners to feel overwhelmed, or need help knowing where to begin, according to SynSaber.
The report analyzes the 920+ CVEs released by CISA in the second half of 2022 to determine the following:
- Who is reporting the vulnerabilities?
- What remediations (if any) are available?
- What are the severity levels and potential impacts?
- How does the data compare to the CVEs reported in the first half of the year?
“Year after year, there is a deluge of vulnerability disclosures in industrial control systems, often creating anxiety as the security community attempts to patch or remediate each point of exposure — an impossible feat,” said Ron Fabela, CTO of SynSaber.
“Our goal with this report is to analyze the 920+ CVEs, and gather insights for the ICS industry regarding which CVEs should be taken most seriously and which can be accepted as a part of the organization’s risk management strategy,” added Fabela.
Key findings
- For the CVEs reported in the second half of 2022, 35% have no patch or remediation currently available from the vendor (up from 13% in the first half of the year)
- While 56% of the CVEs have been reported by the Original Equipment Manufacturer (OEM), 43% have been submitted by security vendors and independent researchers (these figures were consistent with the first half of 2022)
- 28% of the CVEs require local or physical access to the system in order to exploit (up from 23% during the first half of 2022)
- Of the CVEs reported in the second half of 2022, 22% can and should be prioritized and addressed first (with organization and vendor planning)
The volume of CVEs reported via CISA ICS Advisories and other entities is not likely to decrease. It’s important for asset owners and those defending critical infrastructure to understand when remediations are available and how they should be implemented and prioritized.