"Fifth of ICS Bugs Have No Patch Available"

According to security researchers at SynSaber, the number of published industrial control system (ICS) vulnerabilities has grown by almost 70% in the past three years, and over a fifth of them still have no patch from the manufacturer. The researchers analyzed advisories published by the US Cybersecurity and Infrastructure Security Agency (CISA) between January 1, 2020, and December 31, 2022, to gauge how badly industrial plant owners are exposed. They found a 67% rise in the number of ICS advisories reported by CISA between 2020 and 2021, followed by a further 2% increase the following year.

The researchers noted that the increase in CVEs is not a bad thing per se, since it could indicate that product security teams are increasing their internal reporting and public disclosure of vulnerabilities to the community. However, the lack of vendor patches may be compounding cyber risk for industrial asset owners in critical infrastructure sectors such as transportation and utilities. Even when security updates are available, they are not always easy to apply in these environments because of system uptime requirements and concerns over legacy software compatibility.

The researchers also noted that while 21% of the CVEs reported over the past three years currently have no patch available, not all vulnerabilities are easily exploitable: SynSaber found that an average of around a quarter of the CVEs published over the period require user interaction to exploit.

Infosecurity reports: "Fifth of ICS Bugs Have No Patch Available"
