2022 ICS Advisory Report

Preview:

Importantly, this analysis focuses on the specific ICS-advisories issued by CISA. These relate to hardware, firmware, and application software provided by ICS vendors to their critical infrastructure clients. Explicitly, this excludes the thousands of critical ICS vulnerabilities on the Windows OS and IT-type networking devices found in these same ICS environments. Those vulnerabilities are issued through traditional Vulnerability Management channels but have significant impact on ICS/OT environments.

Some ICS analysts make the argument that vulnerability and patch management is less important in OT than in IT because so few of the ICS advisories have a known exploit available. This is a misleading comment as the Windows, networking and other vulnerabilities on the HMIs, workstations, servers, switches and firewalls all have hundreds or thousands of vulnerabilities where a known exploit exists.  And in most ICS environments, traditional IT patch and vulnerability management solutions are not feasible. Accurate vulnerability identification and efficient patch management is critically important for ICS.

ICS vulnerabilities provided in those advisories do not provide a comprehensive threat landscape as some vulnerabilities that get discovered never get reported to CISA, but they allow companies to feed their own risk analysis, risk management or a high-level risk assessment.

In 2022, ICS-CERT issued 370 cybersecurity advisories available for public consumption on CISA’s website (Cybersecurity & Infrastructure Security Agency). Verve analyzed these advisories without any discrimination –  no advisory was rejected based on geography, company size, domain of operations, vendor, etc. The only advisories not included in the analysis were those related to medical devices (ICSMA) and those republished or reanalyzed by CISA. So only the advisories starting with ICSA-22-***-** were kept as part of the scope of this analysis. This report summarizes the conclusions, the observed trends, and a perspective on what 2022 might hold.

ICS-CERT released 370 ICS-related advisories spanning more than 85 vendors/OEMs, 1,225 CVEs containing references to different products and a matrix of affected versions.

ICS-CERT advisories were basically flat year over year (an increase of ~4.3% over 2021), with the number of CVEs growing by ~2.2%. This is the smallest growth observed by the Verve research team since we started doing this yearly analysis in 2019-20. Previous years all had change above 20 to 40% for both the number of advisories and the number of CVEs.

The OEMs/Companies most affected by the ICS advisories have stayed relatively consistent since 2020, with Mitsubishi Electric consistently part of the top 5 for the last few years and Siemens still being the OEM with the highest number of advisories to its name.