ICS Vulnerabilities & CVEs: H1 2022

SynSaber researchers dug into the 680+ CVE Advisories released by CISA in the first half of 2022.  Our inaugural 12-page research report covers:

•  Who is reporting the majority of CVEs?
•  How many CVEs have a low probability of exploitation?
•  What remediations (if any) are available?
•  Overall, what percentage of reported CVEs actually matter to those in critical infrastructure?

👓 Reviewing ICS Vulnerabilities
Through a Different Lens

With increased discussion around ICS vulnerabilities, we wondered: What could be discovered if we looked at reported Common Vulnerabilities and Exposures (CVEs) from a different perspective? What questions could be answered from the 680+ CVEs reported via the Cybersecurity and Infrastructure Security Agency (CISA) ICS Advisories in the first half of 2022? With our curiosity peaked, SynSaber researchers went to work.

🌳 CVE Can’t Be Patched in the Forest
Does it Make an Exploitable Sound?

The sheer volume of reported ICS vulnerabilities & CVEs may cause critical infrastructure asset owners to feel overwhelmed, or not know where best to begin. But the figures seem less daunting when we understand what percentage of CVEs are pertinent and actionable, vs. which will remain “forever-day” vulnerabilities, at least for the time being.

Here’s a sneak peek of some CVE stats you’ll find in the Report:

• 13% have no patch or remediation currently available

• 56% were reported by OEMs; 42% by vendors & independents; 2% by asset owners or gov’t entities

• 23% require local or physical access to the system in order to exploit

• 41% can and should be prioritized & addressed first (with organization & vendor planning)