Extent of reported CVEs overwhelms critical infrastructure asset owners
2023-01-23 04:30

The sheer volume of reported ICS vulnerabilities and CVEs may leave critical infrastructure asset owners feeling overwhelmed or needing help knowing where to begin, according to SynSaber.

"There is a deluge of vulnerability disclosures in industrial control systems, often creating anxiety as the security community attempts to patch or remediate each point of exposure - an impossible feat," said Ron Fabela, CTO of SynSaber.

"Our goal with this report is to analyze the 920+ CVEs, and gather insights for the ICS industry regarding which CVEs should be taken most seriously and which can be accepted as a part of the organization's risk management strategy," added Fabela.

Key findings

- For the CVEs reported in the second half of 2022, 35% have no patch or remediation currently available from the vendor.
- While 56% of the CVEs have been reported by the Original Equipment Manufacturer, 43% have been submitted by security vendors and independent researchers.
- 28% of the CVEs require local or physical access to the system in order to exploit.
- Of the CVEs reported in the second half of 2022, 22% can and should be prioritized and addressed first.

The volume of CVEs reported via CISA ICS Advisories and other entities is not likely to decrease.

It's important for asset owners and those defending critical infrastructure to understand when remediations are available and how they should be implemented and prioritized.


News URL

https://www.helpnetsecurity.com/2023/01/23/ics-vulnerabilities-cves/