Reported ICS Vulnerabilities on Rise

Tuesday, October 4, 2016 @ 06:10 PM gHale

ICS-CERT handled more than 400 vulnerabilities last year.

ICS-CERT published 197 advisories and 16 alerts in 2015, covering a total of 427 vulnerabilities, according to the NCCIC/ICS-CERT FY 2015 Annual Vulnerability Coordination Report. That is a sharp increase from the previous year, when 245 vulnerabilities were reported.


The share of vulnerabilities disclosed in coordination with ICS-CERT also rose: only 7 percent of these flaws were made public before the vendor had a chance to release a patch, compared to nearly 20 percent in 2014.

Forty-three percent of the vulnerabilities reported last year were rated high severity, down from the previous year, when more than 70 percent were high severity, according to ICS-CERT. The average CVSS score has declined steadily over the years, from 8.55 in 2010 to 6.85 in 2015.

By sector, energy tops the chart with more than 800 vulnerabilities reported since 2011, followed by critical manufacturing with over 700. The water and wastewater systems sector also had over 600 vulnerabilities.

The most common weakness categories in FY 2015 were permissions, privileges and access control (27 percent), improper input validation (25 percent), credentials management (19 percent), improper control of a resource (12 percent), cryptography (11 percent) and poor code quality (6 percent). The top three alone, access control, input validation and credentials management, account for more than 70 percent of the vulnerabilities reported to ICS-CERT.
