Industrial Control Systems Vulnerabilities Soar: Over One-Third Unpatched in 2023
2.8.23 ICS The Hacker News
About 34% of security vulnerabilities impacting industrial control systems (ICSs) that were reported in the first half of 2023 have no patch or remediation, registering a significant increase from 13% the previous year.
According to data compiled by SynSaber, a total of 670 ICS product flaws were reported via the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in the first half of 2023, down from 681 reported during the first half of 2022.
Of the 670 CVEs, 88 are rated Critical, 349 are rated High, 215 are rated Medium, and 18 are rated Low in Severity. 227 of the flaws have no fixes in comparison to 88 in H1 2022.
"Critical manufacturing (37.3% of total reported CVEs) and Energy (24.3% of the total reported) sectors are the most likely to be affected," the OT cybersecurity and asset monitoring company said in a report shared with The Hacker News.
Other prominent industry verticals include water and wastewater systems, commercial facilities, communications, transportation, chemical, healthcare, food and agriculture, and government facilities.
Some of the other notable findings are as follows -
Mitsubishi Electric (20.5%), Siemens (18.2%), and Rockwell Automation (15.9%) were the most impacted vendors in the critical manufacturing sector
Hitachi Energy (39.5%), Advantech (10.5%), Delta Electronics, and Rockwell Automation (both 7.9%) were the most impacted vendors in the energy sector
Siemens emerged as the leading entity producing the most CVEs through the first half of 2023, accounting for 41 ICS advisories
Use after free, out-of-bounds read, improper input validation, out-of-bounds write, and race condition were the top five software weaknesses
What's more, a majority of CVE reports (84.6%) originated from original equipment manufacturers (OEMs) and security vendors in the United States, followed by China, Israel, and Japan. Independent and academic research accounted for 9.4% and 3.9%, respectively.
"Forever-Day vulnerabilities remain an issue – six CISA Advisories identified for ICS vendor products that reached end of life with 'Critical' severity vulnerabilities have no update, patch, hardware/ software/ firmware updates, or known workarounds," the company pointed out.
SynSaber, however, noted that relying on CISA ICS advisories alone may not be sufficient, and that organizations need to monitor multiple sources of information to get a better idea of the flaws that may be relevant to their environments.
"Care should be taken to understand vulnerabilities in the context of the environments in which they appear," it said. "Since every OT environment is unique and purpose-built, the likelihood of exploitation and impact that it may have will vary greatly for each organization."
The findings come as Nozomi Networks revealed a "high volume of network scanning indications in water treatment facilities, cleartext password alerts across the building materials industry, program transfer activity in industrial machinery, [and] OT protocol packet injection attempts in oil and gas networks."
The IoT cybersecurity company said it detected an average of 813 unique attacks daily against its honeypots, with top attacker IP addresses emanating from China, the U.S., South Korea, Taiwan, and India.