Reviewing 2022 ICS Vulnerabilities: How to Manage Growing Risks
Learn about the current ICS vulnerability landscape, where to focus your energy, and why ICS vulnerability management matters.
Verve Industrial’s mission is to help industrial clients ensure the security and reliability of their most critical assets: their industrial control systems. Verve brings over 25 years of ICS/OT controls experience to help clients achieve rapid and lasting improvement in their Operational Technology (OT) security.
Our foundation in industrial controls engineering is core to our mission to help operators protect these critical assets that keep modern civilization operating effectively. We act as a true partner to our clients in their security and reliability journey. We walk alongside our clients to help them increase the maturity of their systems and processes over time.
One of the key challenges our clients face is the flood of new ICS vulnerabilities released each year for ICS. They are often overwhelmed by the scale of these emerging risks. Our goal with this analysis is to bring some clarity to the task at hand, some visibility into the types of threats, and some recommendations about what actions an organization can take to address these risks.
2022 was another challenging year for people – after years of the [still ongoing] COVID-19 pandemic, tensions in the east broke into a full-fledged war, multiple industry verticals started to feel the weight of an incoming recession (a 50% chance of a recession in 2023 according to the Guardian), and the number of hackers did nothing but increase.
With the political landscape in turmoil during that year, multiple threat actors used the opportunity to launch attacks on critical infrastructure and IACS. 2022 saw various groups – such as the Conti group – increase their number of attacks on industrial and automation control systems (IACS) and on industrial/operational sectors such as energy and healthcare.
On the other hand, positive events did happen in 2022 when it comes to cybersecurity – multiple bills were passed by governments across the globe (e.g. the USA and Canada) in order to improve the overall security of critical sectors.
To provide more information on the threat landscape for ICS, Verve’s research team updated the analytical comparison completed last year regarding the trend of ICS advisories and CVEs. To get a better view of growing ICS risks and vulnerabilities, Verve analyzed publicly available data points and reviewed our own vulnerability analysis data from the past couple of years. We:
Importantly, this analysis focuses on the specific ICS-advisories issued by CISA. These relate to hardware, firmware, and application software provided by ICS vendors to their critical infrastructure clients. Explicitly, this excludes the thousands of critical ICS vulnerabilities on the Windows OS and IT-type networking devices found in these same ICS environments. Those vulnerabilities are issued through traditional Vulnerability Management channels but have significant impact on ICS/OT environments.
Some ICS analysts make the argument that vulnerability and patch management is less important in OT than in IT because so few of the ICS advisories have a known exploit available. This is a misleading comment as the Windows, networking and other vulnerabilities on the HMIs, workstations, servers, switches and firewalls all have hundreds or thousands of vulnerabilities where a known exploit exists. And in most ICS environments, traditional IT patch and vulnerability management solutions are not feasible. Accurate vulnerability identification and efficient patch management is critically important for ICS.
ICS vulnerabilities provided in those advisories do not provide a comprehensive threat landscape as some vulnerabilities that get discovered never get reported to CISA, but they allow companies to feed their own risk analysis, risk management or a high-level risk assessment.
In 2022, ICS-CERT issued 370 cybersecurity advisories available for public consumption on CISA’s website (Cybersecurity & Infrastructure Security Agency). Verve analyzed these advisories without any discrimination – no advisory was rejected based on geography, company size, domain of operations, vendor, etc. The only advisories not included in the analysis were those related to medical devices (ICSMA) and those republished or reanalyzed by CISA. So only the advisories starting with ICSA-22-***-** were kept as part of the scope of this analysis. This report summarizes the conclusions, the observed trends, and a perspective on what 2022 might hold.
ICS-CERT advisories were basically flat year over year (an increase of ~4.3% over 2021), with the number of CVEs growing by ~2.2%. This is the smallest growth observed by the Verve research team since we started doing this yearly analysis in 2019-20. Previous years all saw growth of 20 to 40% or more in both the number of advisories and the number of CVEs.
Many of the risks created by those vulnerabilities are considered HIGH or CRITICAL by NIST’s National Vulnerability Database (NVD), with a significant increase of those scored with a CVSS of 9 and 10/10 (Critical) and those scored as High (~8).
280 advisories out of the 370 had a score of 8 or higher in 2022. Of those advisories, 203 (73%) are exploitable remotely, 262 (94%) have a low attack complexity, and 13 have public exploits available.
With the rise of IIoT, IT systems in OT environments and remote network connectivity, the risk of lateral movement and privilege escalation increases as well. Therefore, it is important for organizations to be mindful of what they have in their environment and the ICS vulnerabilities that apply to them. Organizations should especially look at the vulnerabilities that have known exploits, as this means a threat actor has exploited them in the past.
The following trends are also observed:
In 2022, like in 2021, Siemens had the largest number of advisories. In 2022, 37% of alerts were related to Siemens against 36% in 2021. The high number of advisories doesn’t mean that Siemens is less secure than their competitors, but instead that a lot of research and threat hunting has taken place for Siemens products and solutions. This is shown by the fact that 85 advisories out of the 137 (62%) published by CISA on Siemens in 2022 were self-reported – either reported by Siemens itself or by a researcher working for the organization. This shows that Siemens most likely has a mature threat-hunting team and vulnerability management program. If, for most or all of these advisories, Siemens provides a fix, a patch or a mitigation (as they did in most of the advisories published in 2022), they can ensure that their products are among the most secure out there.
To collect data for comparison to the observations published for 2021, the Verve research team applied a similar approach:
We analyzed each ICS-CERT advisory for severity, exploit vectors, link to product names and software versions, what the relevant risk entailed, etc. They were recorded, visited, and their information archived.
We checked whether CVEs were missing or reserved, validated scores to determine whether they were marked correctly, and checked whether the CPE strings reflected initial expectations (e.g., did the vendor’s name match, and was the product’s name correct?).
The information was cross-referenced with data from previous years to identify tendencies and changes in the ICS market.
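The review steps above (severity, exploit vector, CVE and CPE sanity checks) map directly onto a CVSS v3.1 vector string and a CPE 2.3 string. The block below is an added example, not Verve's own tooling: it applies those checks to a handful of constructed advisory records and produces the same summary statistics the report quotes (share scored 8 or higher, remotely exploitable, low attack complexity, CVEs per advisory), plus the data-quality flags for reserved CVEs and a CPE vendor that does not match the advisory's vendor. Every advisory id, score, vector string and CPE in it is invented for the example.

```python
"""Added example (not Verve's code): apply the advisory review steps to a few
constructed ICS advisory records and compute the report-style statistics.
All ids, scores, vectors and CPEs below are invented."""
from dataclasses import dataclass, field
from statistics import mean

# CVSS v3.1 base-metric values used in the vector strings.
AV_NETWORK = "N"   # Attack Vector: Network (remotely exploitable)
AC_LOW = "L"       # Attack Complexity: Low


@dataclass
class Advisory:
    ident: str                 # ICSA-style id (constructed)
    vendor: str                # vendor the advisory is filed under
    score: float               # CVSS v3.1 base score as published
    vector: str                # CVSS v3.1 vector string
    cves: list[str]            # CVE ids listed in the advisory
    cpes: list[str] = field(default_factory=list)    # CPE 2.3 strings from NVD
    reserved: set[str] = field(default_factory=set)  # CVEs still RESERVED in NVD


def parse_cvss_vector(vector: str) -> dict[str, str]:
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.split("/")
    if not parts or not parts[0].startswith("CVSS:3"):
        raise ValueError(f"unsupported CVSS vector: {vector}")
    return dict(p.split(":", 1) for p in parts[1:])


def cpe_vendor(cpe: str) -> str:
    """Vendor field of a CPE 2.3 string (cpe:2.3:part:vendor:product:...)."""
    fields = cpe.split(":")
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"malformed CPE 2.3 string: {cpe}")
    return fields[3]


def data_quality_issues(adv: Advisory) -> list[str]:
    """Flag reserved CVEs and CPE vendors that do not match the advisory vendor."""
    issues = []
    for cve in adv.cves:
        if cve in adv.reserved:
            issues.append(f"{adv.ident}: {cve} is still RESERVED, no score/CPE yet")
    for cpe in adv.cpes:
        if cpe_vendor(cpe) != adv.vendor.lower():
            issues.append(f"{adv.ident}: CPE vendor '{cpe_vendor(cpe)}' "
                          f"!= advisory vendor '{adv.vendor}'")
    return issues


def summarize(advisories: list[Advisory], threshold: float = 8.0) -> dict:
    """Summary statistics in the shape the report quotes."""
    severe = [a for a in advisories if a.score >= threshold]
    metrics = {a.ident: parse_cvss_vector(a.vector) for a in severe}
    remote = [a for a in severe if metrics[a.ident].get("AV") == AV_NETWORK]
    low_ac = [a for a in severe if metrics[a.ident].get("AC") == AC_LOW]
    return {
        "advisories": len(advisories),
        "cves": sum(len(a.cves) for a in advisories),
        "avg_score": round(mean(a.score for a in advisories), 2),
        "severe": len(severe),                 # score >= threshold
        "severe_remote": len(remote),          # of those, AV:N
        "severe_low_complexity": len(low_ac),  # of those, AC:L
        "multi_cve": sum(1 for a in advisories if len(a.cves) > 1),
        "issues": [i for a in advisories for i in data_quality_issues(a)],
    }


# Constructed sample: ids, vectors and CPEs are illustrative, not real advisories.
SAMPLE = [
    Advisory("ICSA-22-EXAMPLE-01", "Siemens", 9.8,
             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
             ["CVE-2022-00001", "CVE-2022-00002"],
             ["cpe:2.3:a:siemens:example_hmi:*:*:*:*:*:*:*:*"]),
    Advisory("ICSA-22-EXAMPLE-02", "Rockwell", 8.8,
             "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
             ["CVE-2022-00003"],
             ["cpe:2.3:o:cisco:example_ios:*:*:*:*:*:*:*:*"]),  # OEM'd device
    Advisory("ICSA-22-EXAMPLE-03", "Schneider", 7.5,
             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
             ["CVE-2022-00004"]),
    Advisory("ICSA-22-EXAMPLE-04", "Mitsubishi", 8.1,
             "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
             ["CVE-2022-00005"], reserved={"CVE-2022-00005"}),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

The vendor comparison is deliberately strict (exact lowercase match) so that an OEM-relabelled device whose CVEs NVD files under the original manufacturer shows up as an issue rather than silently matching nothing.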
Verve analyzed the ICS-CERT alerts for the past several years. This provides a comprehensive view of all the publicly released vulnerability information. The data shows a stabilization in the number of advisories published each year. While each previous year used to show a drastically larger number than the one before, 2022 shows only a minimal increase.
At a high level, Verve found a minimal increase in the total number of advisories in 2022 vs. 2021 and the number of CVEs. With an increase of 4.3% in the number of advisories published in 2022 compared to 2021, the difference is far from the 30% increase that was observed between 2021 and 2020.
OT/ICS being what it is, it is impossible to think that all these vulnerabilities will be patched by critical infrastructure and operational companies in a timely manner, if at all. ICS organizations need to ensure they put controls or compensating controls in place to secure their environment, but many don’t know where to start. Looking at the advisories that concern one’s network/organization could be a good start to understanding where some of the vulnerabilities and risks may be.
Of the ~390 original ICS-CERT advisories, medical devices (ICSMA) were excluded. Of the remaining 370 advisories, the average CVSS score was 7.93 [High]. The average number of vulnerabilities (CVEs) per advisory was also significantly higher than one.
In addition to the above summary statistics:
While these numbers are large and growing, this analysis excludes two types of additional vulnerabilities: 1) those that vendors do not release publicly but share privately with their clients only, and 2) those that are still hidden in these “insecure by design” systems.
These are some of the reasons why it is so challenging for organizations to manage ICS vulnerabilities and risks in their environment. Many vendors develop devices without any security in mind and never release information on their potential vulnerabilities or ways to fix/mitigate them. It often ends up being the responsibility of asset owners to know the environment, the assets on the network and the industrial process to find ways to secure the network – with many organizations lacking updated documentation. Usually, many ICS vulnerabilities and potential threats end up falling through the cracks.
The average CVSS scores have remained consistent over the years even as the number of CVEs increased drastically:
The vendors with the most disclosures have stayed relatively consistent over the years, but we can observe a few changes when we compare the top OEMs from 2022 with the ones from 2021.
In 2022, the top three vendors were:
This doesn’t come as a surprise as Siemens was also the top disclosing OEM in both 2020 and 2021, where they reported 73 and 129 advisories to CISA.
By looking at the entire data sample, it is possible to observe the following:
In addition, from a data perspective, this chart has multiple caveats that a reader needs to be aware of:
Many ICS vulnerabilities impact organizations whose business is in different industry verticals. This can be observed in the chart below where those observations can be made:
OT is clearly in the crosshairs of cyber attackers, and manufacturing is at the center of all the OT/ICS cyber warfare.
When we looked at the previous year (2021), we saw that 67% of the advisories could be exploited remotely, and 75% had a low attack complexity. For 2022, those numbers were significantly higher – If an attacker gains access, most ICS vulnerabilities have a low attack complexity (~90%) or are exploitable remotely (73%).
The details for 2022 are presented below:
198 unique vulnerability types (issue values) were found. After sorting and counting, the top 5 vulnerability types, as well as their frequency, are as follows:
In previous years, there may have been lower occurrence counts, partly because the overall number of CVEs was significantly lower (488 more CVEs in 2021 compared to 2020), but between 2021 and 2022 the number of overall CVEs has only risen by 27.
However, there are similarities with 2021 when we look at the most common vulnerabilities that were reported by CISA in the ICS advisories. Out-of-bounds Read, Out-of-bounds Write & Improper Input Validation were all part of the top 5 unique vulnerabilities for both 2022 and 2021, for example.
Of the 198 unique ICS vulnerabilities that were found, 160 only affected between 1 and 5 advisories. This means that only 19% of the vulnerabilities identified impact more than five advisories. By adding all the vulnerabilities that impact many vendors, we got a total of 785 vulnerabilities for 370 advisories (1 advisory had no specified vulnerabilities). In 2021, the total was 795 (+25 compared to 2022) for 354 advisories, therefore explaining why the average number of CVEs per advisory was higher in 2021 than in 2022.
With this high number of ICS vulnerabilities, more than twice the number of advisories published in 2022, it is expected that a significant proportion of the advisories had more than one vulnerability associated with them. According to the data the Verve research team collected, 43% of the advisories, i.e. around 159 advisories (of those, 2 advisories had “Multiple” listed as “Type of vulnerability”, but those vulnerabilities weren’t specified in the advisory), had more than one vulnerability associated with them. This is 1% less than the previous year but is still a significant number that asset owners and OT cybersecurity specialists should pay attention to. In the end, many of those advisories and vulnerabilities don’t have an all-inclusive fix or an easy solution for mitigation. However, asset owners should focus on specific ones rather than tackling the complete list available. Understanding the organization’s risks and prioritization is critical.
Over the past couple of years, CISA has produced a database titled the KEV “Known Exploited Vulnerability” Catalog. The KEV lists all vulnerabilities where a known exploit exists. This catalog is incredibly helpful for focusing the security team’s time on those vulnerabilities that are most likely to pose an active risk. Most of the ICS advisories do not have a known exploit when the advisory is released, although the percentage is growing. In 2022, roughly 5% of the 370 public advisories had a known public exploit. This compares to only 2/340 in 2021.
This doesn’t mean that no exploit could exist for the other 354 advisories released in 2022 – as you can see from the difficulty score, most are a low degree of difficulty to exploit. It is just that no known exploit has been observed “in the wild”. Therefore, asset owners should still stay vigilant and consider the exploitability of the different vulnerabilities that potentially affect them and their environment. Furthermore, as mentioned above, there is a large number of vulnerabilities tied to the IT-type devices found in OT that require us to be vigilant against known exploits.
As we think about prioritizing remediation, focusing on those with Known Exploits is an initial starting point to focus the efforts of the team.
Importantly, as referenced earlier, the greatest number of vulnerabilities in most OT environments, especially those with Known Exploits, will not be the advisories that emerge from vendors on their firmware or applications, but instead will be all of the OS-based devices and their Windows patches and application patches for non-ICS software. These will outweigh the critical vulnerabilities from ICS-advisories by 10:1 or more in most cases.
Prioritized vulnerability management in OT must take those risks into account as a primary threat vector.
In 2022, many advisories had to be considered as priorities by organizations regarding remediation. Those advisories either affected them directly or had public exploits available and could be considered as a serious threat to the organization’s environment. If the investment required to mitigate an advisory/vulnerability cost less than the potential cost of an incident related to the materialization of that threat, a cyber-mature organization probably would have paid the money to reduce its risk. But in most cases, OT organizations don’t necessarily have an effective risk, vulnerability, and patch management program. Therefore, they must decide where to spend their limited budget and time to mitigate the most critical vulnerabilities they can find.
To help organizations pinpoint some of those vulnerabilities, we identified three critical advisories that stand out from the crowd and explained why we consider them noticeable:
A lot of other vulnerabilities could be listed above. Many advisories published in 2022 represent a real risk to numerous operational organizations. In the end, organizations must make sure they filter on what matters to them, their environment and critical systems and eliminate as much “noise” as possible in order to focus on what matters.
One important note is that many ICS vulnerabilities are not found easily within the National Vulnerability Database. In many cases, such as the one shown below, the ICS advisory comes out relating to an ICS vendor (in this case Rockwell) but the underlying CVEs are tied to the product manufacturer, in this case Cisco, rather than the OEM’d version of that device. Organizations need to be cognizant of this risk of missing a true picture of the vulnerabilities and ensure that when evaluating risk, these anomalies in the data are captured.
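Two points above lend themselves to a worked example: ranking findings with the KEV catalog first and IT-type assets weighed alongside ICS firmware, and not losing CVEs that NVD files under the original manufacturer of an OEM-relabelled device. The block below is an added example, not Verve's code or CISA's tooling: it matches a small constructed asset inventory against constructed vulnerability records, resolves an OEM-branded product to the underlying manufacturer through a hypothetical `OEM_MAP`, and sorts findings by KEV membership, then asset criticality, then CVSS score. Hostnames, products, versions, CVE ids and the KEV list are all invented; version matching is an exact-set comparison for simplicity.

```python
"""Added example (not Verve's code): prioritize findings for a constructed
asset inventory KEV-first, resolving OEM-relabelled devices to the vendor
that NVD actually files the CVEs under. All identifiers are invented."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    vendor: str
    product: str
    version: str
    kind: str          # "ics" (controller/HMI firmware) or "it" (Windows, switch, ...)
    criticality: int   # 1 (low) .. 5 (safety/production critical), set by the asset owner


@dataclass(frozen=True)
class Vuln:
    cve: str
    vendor: str                # vendor the CVE/CPE is filed under in NVD
    product: str
    affected: frozenset[str]   # exact affected versions (constructed)
    score: float               # CVSS base score


# Hypothetical OEM map: an OEM-branded product -> the manufacturer's product
# that NVD files the CVEs under (the Rockwell/Cisco situation in the text).
OEM_MAP = {("rockwell", "example_switch"): ("cisco", "example_ios")}


def underlying_product(asset: Asset) -> tuple[str, str]:
    """Vendor/product pair to look up in NVD, after OEM resolution."""
    key = (asset.vendor.lower(), asset.product.lower())
    return OEM_MAP.get(key, key)


def matches(asset: Asset, vuln: Vuln) -> bool:
    """True when the vulnerability applies to this asset's version."""
    vendor, product = underlying_product(asset)
    return ((vendor, product) == (vuln.vendor.lower(), vuln.product.lower())
            and asset.version in vuln.affected)


def find_findings(assets, vulns):
    return [(a, v) for a in assets for v in vulns if matches(a, v)]


def priority(asset: Asset, vuln: Vuln, kev: set[str]) -> tuple:
    """Sort key: known-exploited first, then criticality, then CVSS score."""
    return (vuln.cve in kev, asset.criticality, vuln.score)


def rank_findings(assets, vulns, kev):
    """(host, cve, in_kev) tuples, highest remediation priority first."""
    findings = sorted(find_findings(assets, vulns),
                      key=lambda av: priority(av[0], av[1], kev), reverse=True)
    return [(a.host, v.cve, v.cve in kev) for a, v in findings]


def kev_exposure_by_kind(assets, vulns, kev):
    """How many known-exploited findings sit on IT-type vs ICS assets."""
    counts = {"ics": 0, "it": 0}
    for a, v in find_findings(assets, vulns):
        if v.cve in kev:
            counts[a.kind] += 1
    return counts


# Constructed inventory and vulnerability records (not real products or CVEs).
ASSETS = [
    Asset("plc-01", "Siemens", "example_plc", "2.1", "ics", 5),
    Asset("hmi-01", "Microsoft", "windows_10", "1809", "it", 4),
    Asset("sw-01", "Rockwell", "example_switch", "15.2", "it", 3),
    Asset("eng-ws", "Microsoft", "windows_10", "21h2", "it", 2),
]
VULNS = [
    Vuln("CVE-2022-00010", "siemens", "example_plc", frozenset({"2.0", "2.1"}), 9.8),
    Vuln("CVE-2022-00011", "microsoft", "windows_10", frozenset({"1809", "21h2"}), 8.8),
    Vuln("CVE-2022-00012", "cisco", "example_ios", frozenset({"15.2"}), 7.5),
    Vuln("CVE-2022-00013", "siemens", "example_plc", frozenset({"1.0"}), 9.8),
]
KEV = {"CVE-2022-00011", "CVE-2022-00012"}  # constructed KEV subset

if __name__ == "__main__":
    for host, cve, in_kev in rank_findings(ASSETS, VULNS, KEV):
        print(f"{host:8} {cve}  {'KEV' if in_kev else ''}")
    print(kev_exposure_by_kind(ASSETS, VULNS, KEV))
```

With this ordering the 9.8-scored PLC finding drops below the three known-exploited findings on the Windows hosts and the relabelled switch, which is the trade-off the text argues for; without `OEM_MAP` the switch would report no findings at all because its CVE is filed under the manufacturer, not the OEM.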
The above summary can be overwhelming for an asset owner or site engineer. One question that arises the most regarding ICS advisories is: Where do I start with all of this?
As mentioned previously in this report, the ICS-advisories and CISA alerts on ICS products are really only the tip of the iceberg when it comes to risks and vulnerabilities in OT. The vast majority of the vulnerabilities found in our assessments of OT environments are on the Windows/Unix/Linux assets and their OS and non-ICS software, rather than the pure ICS vulnerabilities. Furthermore, because so few of the ICS-advisory CVEs have known exploits, the greatest risk is certainly to these Windows assets. However, the way to assess and remediate risks to those OS versions and applications in OT is not the same as in IT. Normally, vulnerability scanners cannot operate safely in these environments, and remediation can be time consuming or costly when trying to coordinate with local sites and vendors. As we consider how to prioritize vulnerabilities, these need to be top of the list.
The answer to OT vulnerability management requires considering a range of questions – What is your organization’s risk appetite, what is the budget, what is the impact of an incident, which assets are critical in your environment, etc. There have been more and more advisories published by CISA each year, and the number of ICS vulnerabilities being discovered won’t decrease either. With more advisories and vulnerability information being made available to the public, organizations have more data than ever to use in their risk management program — and hackers also have more information to work with. The game for organizations then becomes:
To assess their risk quickly and efficiently:
CISA offers numerous recommendations to remediate the ICS vulnerabilities they report in their advisories. Those include:
Of course, no ICS asset owner can patch all those vulnerabilities. Most ICS systems have a small threshold for risks related to patching (downtime, critical systems that cannot be rebooted, old systems that cannot be patched for performance reasons, etc.). But by using the information compiled by CISA, asset owners can monitor the potential risks for their organizations based on the vendors they have in their environment, apply cybersecurity controls if possible or compensating controls, and even integrate that information into their vulnerability management and threat hunting.
Those methods are particular to the advisories they are part of. This doesn’t mean that an organization can simply follow them by the book and patch/update their assets/systems/software as it pleases them.
As outcomes from our 2021 ICS Advisory Report, Verve proposed 5 key remediation actions to get started:
Another point to consider is the work with OEMs. A lot of critical infrastructure organizations rely heavily on OEMs to maintain some of their assets and allow those vendors to connect remotely to their network without necessarily restricting the window in which they should/can access it, sometimes using software that is known to be potentially risky, such as TeamViewer (for example), which is already rather precarious for OT organizations.
On top of that, those OEMs, when they connect remotely to the assets – or even when they come directly on-site to do some maintenance – don’t necessarily try to mitigate some of those vulnerabilities published in CISA’s ICS advisories. They mostly ensure that the operational process is working correctly and that the assets are working as they’re supposed to be. This is why, on top of those five key remediation actions listed in the previous report, Verve’s research team recommends that asset owners and companies review their SLAs with those vendors and ensure that mitigating potentially critical vulnerabilities is part of the contract with those vendors. This should also be an essential criterion when looking at potential new partners/vendors.
To conclude, what will happen with 2023 remains to be seen, but one thing is sure: if we look at the numbers for 2022 and the tendencies observed over the last few years, we can easily assume that the number of ICS advisories reported each month and each year won’t go down. Therefore, organizations need a solid core of people, process, and technology regarding asset, vulnerability, and risk management.