SynSaber Report Brings More Context to ICS Security

An analysis by SynSaber, a provider of an ICS monitoring platform, of three years of vulnerabilities found in industrial control systems (ICS) found that, while there may be no patches available, many of the affected systems are no longer being supported by vendors.

In addition, the report found that a little more than a fifth (21%) of the common vulnerabilities and exposures (CVEs) reported over the three-year period would require physical or local access to an ICS environment, which is not likely to occur.

In the last three years, the number of reported CVEs for these types of systems has increased 67.3%, with 1,365 being recorded in 2022 alone. However, out of the 3,273 total ICS vulnerabilities reported in the last three years, the report found 998 (32%) qualified as being enough of a threat to address immediately. The report also noted that, in 2022, a full 29% of the vulnerabilities reported were reported by security vendors rather than the manufacturer of the ICSes.

SynSaber CEO Jori VanAntwerp said the analysis shows that the number of vulnerabilities reported suggests the level of ICS security being provided today is more problematic than it actually is. In many cases, cybersecurity researchers are reporting vulnerabilities without providing enough context concerning what is required to exploit that vulnerability, he noted.

Many of the so-called “forever” vulnerabilities will never be patched, so in those instances it’s probable the platforms affected are simply being replaced, VanAntwerp added.

In general, updating an ICS is challenging because organizations need to wait for the manufacturer of a platform to test and deliver a patch for that system. If they attempt to patch that system themselves, there’s a good chance the platform will no longer function or, at the very least, the warranty provided will be voided.

Naturally, there’s a lot more focus on ICS security in an era where nation-states are launching cyberattacks against critical infrastructure that depends on some type of ICS to operate. The SynSaber report found there were 292 critical ICS vulnerabilities reported in 2022, with another 632 rated as high severity.

It’s not clear whether there might be some level of irrational exuberance occurring when it comes to reporting ICS vulnerabilities. Many CVEs are reported by cybersecurity firms that are looking to enhance their cybersecurity bona fides as competition among these companies continues to stiffen. That doesn’t mean cybersecurity teams should ignore those reports, but it is a factor in determining how organizations should respond, noted VanAntwerp.

The concern, of course, is that as the number of CVEs being reported continues to increase, high-severity vulnerabilities will be ignored simply because cybersecurity teams are inundated with alerts. In the meantime, ICS cybersecurity continues to improve as more modern platforms replace older ones that were deployed in an era where cybersecurity was not as big a concern. The challenge, as always, is finding the budget needed to replace these older platforms that still number in the millions.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.