670 ICS Vulnerabilities Disclosed by CISA in First Half of 2023: Analysis
CISA disclosed 670 ICS vulnerabilities in the first half of 2023, but roughly one-third have no patches or mitigations from the vendor.
By
The US Cybersecurity and Infrastructure Security Agency (CISA) disclosed 670 vulnerabilities affecting industrial control systems (ICS) and other operational technology (OT) products in the first half of 2023, according to industrial asset and network monitoring company SynSaber.
SynSaber’s analysis, conducted in collaboration with the ICS Advisory Project, shows that CISA published 185 ICS advisories in the first half of 2023, down from 205 in the first half of 2022. The number of vulnerabilities covered in these advisories dropped by 1.6% in H1 2023 compared to H1 2022.
More than 40% of the flaws impact software and 26% affect firmware. OEMs continued to report most of these vulnerabilities — more than 50% — followed by security vendors (28%) and independent researchers (9%).
Critical manufacturing and energy are the critical infrastructure sectors most likely to be impacted by the CVEs reported in the first half of 2023.
Of the CVEs disclosed in H1 2023, 88 have been rated ‘critical’ and 349 have been rated ‘high severity’. More than 100 flaws require both local/physical access to the targeted system and user interaction, and 163 require some type of user interaction, regardless of network availability.
Thirty-four percent of the reported vulnerabilities don’t have a patch or remediation available from the vendor, up from 13% in the first half of 2022, but roughly the same as in the second half of 2022.
The increase in H1 2023 is partially due to a Siemens advisory that covers over 100 CVEs affecting the Linux kernel, for which patches have yet to be released by the industrial giant. In addition, many of the vulnerabilities that will not receive a patch impact unsupported products.
The SynSaber report also provides information that can help organizations prioritize vulnerabilities based on various factors.
“Every OT environment is unique and purpose-built for a specific mission,” said Jori VanAntwerp, co-founder and CEO of SynSaber. “As a result, the likelihood of exploitation and impact will vary greatly for each organization. One thing is certain: the number of CVEs reported is likely to continue increasing over time or at least remain steady. It is our hope that this research helps asset owners prioritize when and how to mitigate vulnerabilities in accordance with their own environment.”
Related: Counting ICS Vulnerabilities: Examining Variations in Numbers Reported by Security Firms
Related: Siemens Drives Rise in ICS Vulnerabilities Discovered in 2022: Report
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.
Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.
Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.
While quantum-based attacks are still in the future, organizations must think about how to defend data in transit when encryption no longer works.(Marie Hattar)
Just as a professional football team needs coordination, strategy and adaptability to secure a win on the field, a well-rounded cybersecurity strategy must address specific challenges and threats.(Matt Wilson)
As the SEC cyber incident disclosure rules come into effect, organizations will be forced to seriously consider giving security leaders a seat at the table.(Marc Solomon)
Working remotely is here to stay and businesses should continue to make sure their basic forms of communication are properly configured and secured.(Matt Honea)
The complexity and challenge of distributed cloud environments often necessitate managing multiple infrastructure, technology, and security stacks, multiple policy engines, multiple sets of controls, and multiple asset inventories.(Joshua Goldfarb)
The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...
Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...
Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).
Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.
Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.
Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...
More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.
The US Cybersecurity and Infrastructure Security Agency (CISA) disclosed 670 vulnerabilities affecting industrial control systems (ICS) and other operational technology (OT) products in the first half of 2023, according to industrial asset and network monitoring company SynSaber.Learn More at SecurityWeek’s ICS Cyber Security ConferenceRelatedRelated