Industrial Control Systems Vulnerabilities Soar: Over One-Third Unpatched in 2023

A recent report analyzed the Common Vulnerabilities and Exposures (CVEs) reported via the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [5] [6] in the first half of 2023 [1]. The report highlights the growing number of vulnerabilities in industrial control systems (ICSs) across various sectors.

Description

The report identified a total of 670 flaws in ICSs, impacting sectors such as manufacturing [4], energy [1] [2] [4] [6], water and wastewater systems [4], commercial facilities [4], transportation [4], chemical [4], healthcare [4], food and agriculture [4], and government facilities [4]. Of these vulnerabilities, 88 were rated Critical, 349 High, 215 Medium, and 18 Low in severity [1] [2] [3].

One significant finding was the increase in the share of security vulnerabilities impacting ICSs that had no patch or remediation. This share rose from 13% in the previous year to approximately 34% in the first half of 2023. The report also raised concern about Forever-Day vulnerabilities, with six CISA Advisories identifying ICS vendor products with ‘Critical’ severity vulnerabilities that have no update [3], patch [1] [2] [3] [4] [6], hardware/software/firmware updates [3], or known workarounds [1] [2] [3] [4].

Nozomi Networks [1] [2] [3] [4], a cybersecurity company [4], detected various indications of network scanning in water treatment facilities, cleartext password alerts in the building materials industry [1] [2] [3] [4], program transfer activity in industrial machinery [1] [2] [3] [4], and attempts to inject OT protocol packets in oil and gas networks. Additionally, the company reported an average of 813 unique attacks daily against its honeypots [1] [2], with the top attacker IP addresses originating from China [1] [2] [4], the U.S. [1] [2] [3] [4], South Korea [1] [2] [4], Taiwan [1] [2] [4], and India [1] [2] [4] [6].

The critical manufacturing and energy sectors were the most affected by these vulnerabilities. In the critical manufacturing sector [1] [2], the vendors most impacted were Mitsubishi Electric, Siemens [1] [2] [4], and Rockwell Automation [1] [2] [4], while in the energy sector, the most impacted vendors were Hitachi Energy, Advantech [1] [2] [4], Delta Electronics [1] [2] [4], and Rockwell Automation [1] [2] [4]. Siemens emerged as the entity producing the most CVEs [1].

Conclusion

The report emphasizes the increasing regulation of critical infrastructure and the growing emphasis on vulnerability management [5]. It highlights the need to address security vulnerabilities in ICSs and the importance of maturing cybersecurity and operations to protect against the targeting and exploitation of vulnerabilities within U.S. critical infrastructure [5] [6]. These findings have significant implications for the sectors impacted and underscore the urgency of mitigating these vulnerabilities to ensure the security and resilience of critical systems.

References

[1] https://thehackernews.com/2023/08/industrial-control-systems.html
[2] https://www.planetjon.net/news/cybersecurity/industrial-control-systems-vulnerabilities-soar-over-one-third-unpatched-in-2023/
[3] https://cyber.vumetric.com/security-news/2023/08/02/industrial-control-systems-vulnerabilities-soar-over-one-third-unpatched-in-2023/
[4] https://terrificassit.com/industrial-control-systems-vulnerabilities-soar-over-one-third-unpatched-in-2023/
[5] https://finance.yahoo.com/news/synsaber-ics-advisory-project-identify-130800385.html
[6] https://www.securityinfowatch.com/critical-infrastructure/press-release/53067962/synsaber-and-ics-advisory-project-identify-vulnerability-trends-within-critical-infrastructure-sector