CISA Discovers 670 Causes of Sleep Disturbances in ICS Manufacturers

Cybersecurity Agency Reports Increase in Industrial Control System Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) disclosed 670 vulnerabilities affecting industrial control system (ICS) and other operational technology (OT) products in the first half of 2023. The figure comes from SynSaber, a company that monitors industrial assets and networks.

A recent analysis by SynSaber, carried out in collaboration with the ICS Advisory Project, shows that CISA published 185 ICS advisories in the first half of 2023, compared to 205 in the first half of 2022. The number of vulnerabilities decreased by 1.6% in the first half of 2023 compared to the same period in 2022.

  • Of the vulnerabilities disclosed, 88 were rated “critical” and 349 were rated “high” severity.
  • More than 40% of the vulnerabilities affect software, while 26% affect firmware.
  • Over 100 vulnerabilities require both local or physical access to the target system and user interaction, and 163 require some form of user interaction regardless of network reachability.
  • 34% of the disclosed vulnerabilities have no fix available from the vendor, compared to 13% in 2022.

The disclosed vulnerabilities could significantly impact critical infrastructure sectors, particularly manufacturing and energy.

The increase in the number of unaddressed vulnerabilities is partly attributed to a Siemens advisory covering over 100 vulnerabilities in the Linux kernel, for which the company has not yet released a fix. In addition, many of the vulnerabilities that will not be patched affect products that are no longer supported.

The SynSaber report also provides guidance to help organizations prioritize remediation of these vulnerabilities based on a range of factors.
