In his article “Memory Safety Vulnerabilities Continue to Plague ICS: Here’s What to Do About It,” Shane Fry, CTO of RunSafe Security, addresses the persistent problem of memory safety vulnerabilities in Industrial Control Systems (ICS). Despite decades of mitigation efforts, the number of such vulnerabilities has surged, with over 3,000 CVEs reported in 2022 alone. Because most ICS software is written in C and C++, which leave bounds and lifetime checks to the programmer, these flaws remain common, threaten critical infrastructure and demand immediate attention.
Shane highlights the growing concern from government agencies like the NSA and CISA, as well as EU regulations pushing for secure-by-design principles and the use of Software Bills of Materials (SBOMs). However, the transition to memory-safe languages faces challenges such as limited ecosystem support, a shortage of skilled developers, and the time-intensive process of migration.
To address the issue now, Shane advocates deploying Runtime Application Self Protection (RASP) in ICS environments. RASP hardens the compiled binary without rewriting source code, so a memory safety bug that an attacker discovers can no longer be turned into a reliable exploit: the underlying defect remains, but its exploitation is disrupted at runtime, with minimal performance overhead.