Industrial CVE Retrospective: 2020, 2021, 2022

SynSaber researchers conducted an industrial CVE retrospective spanning 3 years of CISA Advisories (2020, 2021, and 2022) to find insights and trends. Our 16-page research report covers:

•  Growth trends in ICS Advisories and total CVEs reported
•  Insights from ICS CVE Severity ranking and CVSS criteria
•  Percentage of CVEs that require local/physical access to exploit
•  Increase in CVE reporting from OEMs and security vendors
•  Percentage of CVEs each year that have no patch or remediation available

👓 Reviewing ICS Vulnerabilities Through a 3-Year Lens

Our main goals for this report: first and foremost, we wanted to review the numbers and trends buried in three years of ICS Advisories so you don’t have to. Then, using that data, we set out to extract insights that help critical infrastructure operators make sound decisions about CVE mitigation and prioritization. Fight for the operator!


🔺 Reported CVEs Continue to Rise. Does that Mean ICS is Less Secure?

Not necessarily. It does mean that OEMs, researchers, and security vendors are disclosing more vulnerabilities publicly. The sheer volume of reported CVEs can leave critical infrastructure asset owners feeling overwhelmed or unsure what to prioritize, but the figures look less daunting once you know what percentage of CVEs are actually pertinent and actionable for your environment, especially when the trends are viewed across a 3-year period.

Here’s a sneak peek of some CVE stats you’ll find in the 3-Year Retrospective:

• CISA ICS Advisories have increased each year (211 in 2020, 353 in 2021, 361 in 2022)

• CVEs within those ICS Advisories have also increased each year (550 in 2020, 1191 in 2021, 1342 in 2022)

• The number of ICS CVEs with a CVSS rating of "critical" has increased each year (141 in 2020, 186 in 2021, 296 in 2022)

• Across the three years, the percentage of reported CVEs with no patch or remediation available averaged over 21%, even as the total number of reported CVEs rose each year