A new report published by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) revealed that over 400 vulnerabilities impacting industrial control systems were disclosed to the organization.
According to the Annual Vulnerability Coordination Report for the 2015 fiscal year, ICS-CERT published 197 advisories and issued 16 alerts – covering a total of 427 vulnerabilities.
The number is considerably higher than in previous years, with 245 and 190 reported vulnerabilities in FY 2014 and FY 2013, respectively.
Despite the alarming increase in security flaws, ICS-CERT noted the severity of such vulnerabilities has gradually decreased over the years.
Using the industry-standard Common Vulnerability Scoring System (CVSS), the organization gave the reported flaws a low, medium or high severity score.
The average CVSS score reported to ICS-CERT dropped from 8.50 in FY 2010 to 6.85 at the end of FY 2015, the organization said.
The report added that the majority of vulnerabilities affect products used in the energy, critical manufacturing, water and wastewater systems sectors.
ICS-CERT said the energy sector reported more than 800 flaws since 2011. The critical manufacturing industry followed with over 700 flaws, while the water and wastewater systems sectors reported more than 600 bugs.
The report also noted that more than half (52 percent) of all vulnerabilities reported to the organization stemmed from improper input validation and from permissions, privileges, and access controls.
“While this high percentage may indicate a pressing cybersecurity gap, it is also possible that it merely reflects the type of vulnerabilities targeted by researchers who report to ICS-CERT,” the report said.
ICS-CERT urges organizations and asset owners to continue to monitor its advisories and alerts, and implement mitigation strategies.
“As the ICS community continues to adopt new technology, it is imperative that public and private partnerships continue to work toward the improved situational awareness of the community as a whole,” the report concluded.
For more information, read the full NCCIC/ICS-CERT FY 2015 Annual Vulnerability Coordination Report (PDF).