Counting ICS Vulnerabilities: Examining Variations in Numbers Reported by Security Firms
Reports published in the past couple of months by various industrial cybersecurity companies provide different numbers when it comes to the vulnerabilities discovered in industrial control system (ICS) products in 2022. SecurityWeek has analyzed the methodologies used by these companies in an effort to understand the discrepancies in numbers and trends.
Some companies have reported seeing an increase in the number of ICS vulnerabilities, while others claim there has been a drop. However, looking at their methodologies helps clear up any confusion and shows that the contradictory trends result from the use of different sources and different methods of counting security holes.
SecurityWeek’s analysis of the various reports shows that the number of ICS vulnerabilities has continued to grow, which is not surprising considering that security researchers are increasingly interested in this field and vendors are also stepping up their game and finding more flaws. But let’s take a look at why some headlines might suggest differently.
In its recent ICS/OT Cybersecurity Year in Review report, industrial cybersecurity firm Dragos reported seeing 2,170 CVEs in 2022, which represents a 27% increase compared to the previous year.
Dragos has reported the highest number of ICS vulnerabilities, which is explained by the fact that the company is tracking more sources than any other vendor. Its sources include advisories from the Cybersecurity and Infrastructure Security Agency (CISA), Germany’s CERT@VDE and Japan’s JP-CERT, as well as advisories from individual vendors and raw data from NIST. The company’s own researchers have also discovered vulnerabilities, which are included in the count.
“We include many individual vendors and research organizations. Several of these vendors do not coordinate with the main government-run CERTs, so we end up with CVEs that are not covered in other lists,” explained Reid Wightman, vulnerability analyst at Dragos.
While other ICS/OT security firms may not use as many data sources, they still reported seeing an increase in the number of vulnerabilities.
SynSaber, which only counts vulnerabilities from CISA’s ICS advisories, cataloged 1,342 vulnerabilities in 2022, compared to 1,191 in 2021 — excluding ICS medical vulnerabilities covered by CISA advisories.
Claroty recently reported that XIoT vulnerabilities were trending down in the past three quarters, with 819 issues disclosed in H2 2021, 747 in H1 2022, and 688 in H2 2022. However, these numbers include not just ICS/OT vulnerabilities, but also some medical, IT and IoT issues, as well as flaws affecting multiple types of products.
When it comes to ICS/OT vulnerabilities alone, Claroty cataloged a total of 940 in 2022, up from 826 in 2021.
Claroty told SecurityWeek that its Team82 unit has developed an automated collection and analysis tool that ingests vulnerability data from trusted open sources, including the National Vulnerability Database (NVD), CISA, CERT@VDE, MITRE, and industrial automation vendors Schneider Electric and Siemens.
“We chose to only look at these publicly available sources in order to understand the market with an eagle-eye perspective. We wanted to look only at publicly disclosed vulnerabilities in relevant security advisories that usually reflect the vendor’s perspective on new vulnerabilities,” explained Claroty Team82 researcher Bar Ofner.
IBM recently reported that for the first time in two years, the number of ICS vulnerabilities has decreased, from 715 in 2021 to 457 in 2022. These numbers are far lower than what other vendors have reported.
However, IBM told SecurityWeek that the number actually represents the number of ICS advisories published by CISA, not individual security holes. Since many advisories describe more than one vulnerability, the actual number of ICS flaws is much higher.
Nozomi Networks’ recent OT/IoT Security Report, which provides an ICS vulnerability analysis based on CISA advisories, also shows a decrease. The company has cataloged 778 ICS vulnerabilities in 2022, down from 1,188 in 2021.
Nozomi told SecurityWeek that it made some changes to its methodology in the second half of 2022. Based on SecurityWeek’s observations, it’s possible that the company has started counting advisories rather than individual vulnerabilities described in each advisory, which would explain the significant drop.
The difference in the number of vulnerabilities reported by each of these companies can also come from the way vulnerabilities are counted. Some may decide to count every flaw mentioned in a CISA advisory, while others may not include issues that impact third-party components and are not specific to the ICS/OT product.
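As an added illustration (not from the SecurityWeek article or from any of the vendors it names), the script below counts one constructed set of advisory records the five ways the article describes: advisories only, CVEs from CISA alone, CVEs with medical advisories included, CVEs with third-party component flaws excluded, and CVEs deduplicated across several sources. Every advisory and CVE identifier in it is an invented placeholder.

```python
# Constructed advisory records (hypothetical ids, not real CISA/CERT@VDE data)
# shaped like the sources discussed in the article.
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    source: str            # e.g. "CISA", "CERT@VDE", "Vendor"
    advisory_id: str       # constructed identifier
    sector: str            # "ics" or "medical"
    cves: tuple            # CVE ids (constructed)
    third_party: frozenset = frozenset()  # CVEs that live in a third-party component

# Overlaps between sources and multi-CVE advisories are deliberate.
SAMPLE = [
    Advisory("CISA", "ICSA-EX-001", "ics", ("CVE-EX-0001", "CVE-EX-0002", "CVE-EX-0003"), frozenset({"CVE-EX-0003"})),
    Advisory("CISA", "ICSA-EX-002", "ics", ("CVE-EX-0004",)),
    Advisory("CISA", "ICSMA-EX-003", "medical", ("CVE-EX-0005", "CVE-EX-0006")),
    Advisory("CERT@VDE", "VDE-EX-004", "ics", ("CVE-EX-0002", "CVE-EX-0007")),  # overlaps CISA
    Advisory("Vendor", "VENDOR-EX-005", "ics", ("CVE-EX-0008", "CVE-EX-0009"), frozenset({"CVE-EX-0009"})),
]

def count_advisories(advs, sources=("CISA",), sectors=("ics",)):
    """Advisory-level count: one advisory counts once, however many CVEs it describes."""
    return sum(1 for a in advs if a.source in sources and a.sector in sectors)

def count_cves(advs, sources=("CISA",), sectors=("ics",), drop_third_party=False):
    """CVE-level count, deduplicated across sources by CVE id."""
    seen = set()
    for a in advs:
        if a.source not in sources or a.sector not in sectors:
            continue
        for cve in a.cves:
            if drop_third_party and cve in a.third_party:
                continue
            seen.add(cve)
    return len(seen)

def compare(advs):
    """Return the same dataset counted five different ways."""
    all_src = ("CISA", "CERT@VDE", "Vendor")
    return {
        "cisa_advisories": count_advisories(advs),
        "cisa_cves": count_cves(advs),
        "cisa_cves_with_medical": count_cves(advs, sectors=("ics", "medical")),
        "cisa_cves_no_third_party": count_cves(advs, drop_third_party=True),
        "all_sources_cves": count_cves(advs, sources=all_src),
    }
```

Running `compare(SAMPLE)` shows the same five advisories yielding anything from 2 to 7 depending only on the counting rule, which is the effect the article attributes to the differing vendor methodologies.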