The US Cybersecurity and Infrastructure Security Agency (CISA) disclosed 670 vulnerabilities affecting industrial control systems (ICS) and other operational technology (OT) products in the first half of 2023, according to industrial asset and network monitoring company SynSaber.
SynSaber’s analysis, conducted in collaboration with the ICS Advisory Project, shows that CISA published 185 ICS advisories in the first half of 2023, down from 205 in the first half of 2022. The number of vulnerabilities covered in these advisories dropped by 1.6% in H1 2023 compared to H1 2022.
More than 40% of the flaws impact software and 26% affect firmware. OEMs continued to report most of these vulnerabilities — more than 50% — followed by security vendors (28%) and independent researchers (9%).
Critical manufacturing and energy are the critical infrastructure sectors most likely to be impacted by the CVEs reported in the first half of 2023.
Of the CVEs disclosed in H1 2023, 88 have been rated ‘critical’ and 349 have been rated ‘high severity’. More than 100 flaws require both local/physical access to the targeted system and user interaction, and 163 require some type of user interaction, regardless of network availability.
Thirty-four percent of the reported vulnerabilities don’t have a patch or remediation available from the vendor, up from 13% in the first half of 2022, but roughly the same as in the second half of 2022.
The increase in H1 2023 is partially due to a Siemens advisory that covers over 100 CVEs affecting the Linux kernel, for which patches have yet to be released by the industrial giant. In addition, many of the vulnerabilities that will not receive a patch impact unsupported products.
The SynSaber report also provides information that can help organizations prioritize vulnerabilities based on various factors.
“Every OT environment is unique and purpose-built for a specific mission,” said Jori VanAntwerp, co-founder and CEO of SynSaber. “As a result, the likelihood of exploitation and impact will vary greatly for each organization. One thing is certain: the number of CVEs reported is likely to continue increasing over time or at least remain steady. It is our hope that this research helps asset owners prioritize when and how to mitigate vulnerabilities in accordance with their own environment.”