FireEye’s latest report highlights trends in Industrial Control Systems

8 years ago

FireEye released a report titled Overload: Critical Lessons from 15 Years of ICS Vulnerabilities, which highlights trends in total Industrial Control Systems vulnerability disclosures, patch availability, vulnerable device type and other vulnerabilities exploited by threat actors.

Since 2000, FireEye iSIGHT Intelligence has identified nearly 1,600 publicly disclosed ICS vulnerabilities. The report assesses the depth and breadth of these vulnerabilities in the ICS landscape and how threat actors try to exploit them. To make matters worse, many of these vulnerabilities are left unpatched and some are simply beyond restoration due to outdated technology, thus increasing the attack surface for potential adversaries. In fact, nation-state cyber threat actors have exploited five of these vulnerabilities in attacks since 2009.

Key findings by FireEye include: ICS vulnerability disclosures surged to 49% between 2014 and 2015, 90 percent of vulnerabilities were disclosed after Stuxnet emerged in media, 123 vendors are affected by vulnerability disclosures, 33 percent of vulnerabilities encountered by industrial environments had no vendor fixes.

In the past several years, a flood of vulnerabilities has hit industrial control systems (ICS) – the technological backbone of electric grids, water supplies, and production lines. Unfortunately, security personnel from manufacturing, energy, water and other industries are often unaware of their own control system assets, not to mention the vulnerabilities that affect them.