The Cybersecurity and Infrastructure Security Agency disclosed 681 security vulnerabilities impacting industrial control system products during the first six months of 2022, which is slightly more than the number of ICS flaws reported by the agency during the same period last year, according to SecurityWeek. SynSaber researchers noted that nearly 13% of the ICS vulnerabilities have not been patched and may never be addressed. Meanwhile, critical and high severity ratings have been given to 22% and 42% of the flaws, respectively, the study showed. However, such severity scores may be misleading, and organizations are urged to identify possible exploitation within their own environment when prioritizing patches. More than 50% of the flaws had to be addressed with software patches and the rest required either firmware or protocol updates, while nearly 40% of the disclosed flaws should be promptly remediated. "Merely looking at the sheer volume of reported CVEs may cause asset owners to feel overwhelmed, but the figures seem less daunting when we understand what percentage of CVEs are pertinent and actionable, vs. which will remain 'forever-day vulnerabilities,' at least for the time being," said SynSaber.