"Over a Third of Recent ICS Bugs Still Have No Vendor Patch"

Security researchers at SynSaber say industrial control system (ICS) operators are being let down by their vendors: 35% of the CVEs published in the second half of 2022 still have no vendor patch available. The researchers analyzed the 926 CVEs reported via Cybersecurity and Infrastructure Security Agency (CISA) ICS Advisories in the second half of 2022, up 36% from the 681 reported in the first half of the year. ICS asset owners therefore face not only a growing volume of published CVEs but, in many cases, systems that remain exposed because no vendor update exists.

The researchers attribute the delays in part to the fact that "Original Equipment Manufacturer (OEM) vendors often have strict patch testing, approval, and installation processes." Even when a patch is available, ICS asset owners can struggle to apply it in a timely manner.

On a more positive note, the researchers claim that only about a fifth (22%) of the CVEs published in the second half of 2022 should be prioritized for patching, down from 41% in the previous six months. That drop is due in part to a lower probability of exploitation: around 11% of the CVEs published in H2 2022 require both local access and user interaction for successful exploitation, while 25% require user interaction regardless of network availability. The researchers note that patching remains critically important given the uptick in threats targeting the critical infrastructure sectors that run ICS equipment, driven in part by the war in Ukraine.


Infosecurity reports: "Over a Third of Recent ICS Bugs Still Have No Vendor Patch"
