"Hundreds of ICS Vulnerabilities Disclosed in First Half of 2022"

Security researchers at SynSaber found that 681 industrial control system (ICS) product vulnerabilities were disclosed by the US Cybersecurity and Infrastructure Security Agency (CISA) in the first half of 2022, slightly more than in the first half of 2021. The researchers noted that CISA does not publish advisories for all publicly disclosed ICS flaws, so the actual number of issues disclosed between January and June could be higher.

Approximately 13% of the 681 CVEs have no patch and may never be fixed; these are known as "forever day" vulnerabilities. Even where a patch exists, applying it may not be straightforward because of what the researchers describe as "complicated interoperability and warranty constraints": organizations may need to wait for the affected OEM vendor to approve patching, and they need to assess the operational risk before taking any action.

More than 22% of the vulnerabilities CISA made public in H1 2022 were assigned a "critical" severity rating, and 42% were rated "high" severity, based on their CVSS scores. Exploitation of 46 of the vulnerabilities requires both access and user interaction, and 198 require user interaction. Just over half of the 681 ICS vulnerabilities require a software patch, 34% require a firmware update, and 12% need a protocol update. The researchers concluded that roughly 40% of the vulnerabilities should be addressed immediately, while 8% cannot be easily addressed and likely require compensating controls to prevent exploitation.


SecurityWeek reports: "Hundreds of ICS Vulnerabilities Disclosed in First Half of 2022"
