More than 70% of industrial control system (ICS) vulnerabilities disclosed in the first half of 2020 can be exploited remotely, reads the Biannual ICS Risk & Vulnerability Report released earlier this year by Claroty. This highlights the importance of protecting internet-facing ICS devices and remote access connections.

Attacks exploiting ICS vulnerabilities are on the rise. In September 2020, K-Electric, the sole electricity provider for Karachi, Pakistan, suffered a Netwalker ransomware attack that disrupted its billing and online services. Around the same time, researchers disclosed six critical vulnerabilities in a third-party software component used by a range of industrial products. According to the researchers, attackers could exploit these vulnerabilities to deploy ransomware or disrupt critical systems.

These types of attacks did not emerge in a vacuum. The COVID-19 pandemic played a big part in increasing the attack surface of industrial systems. The need to keep business operations running safely drove the adoption of remote working, and in many cases the rapid increase in remote workers created security gaps and an expanded attack surface. Cyber criminals quickly realized that remote workers offered an easy path into enterprise networks. With IT and OT networks converging, industrial enterprises and critical infrastructure organizations found themselves exposed to attacks exploiting unpatched virtual private network (VPN) appliances, legacy Windows vulnerabilities and compromised credentials.

The objective of the report was to provide valuable insight into the ICS risk and vulnerability landscape, the challenges it poses to OT security practitioners and what conclusions can be drawn from publicly available data. The report includes the assessment of 365 ICS vulnerabilities published by the National Vulnerability Database (NVD) and 139 ICS advisories issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) during the first half of 2020, affecting 53 vendors.

Here are some key findings from the report.

Most of the identified ICS vulnerabilities were rated high or critical severity. The underlying security weaknesses, classified by Common Weakness Enumeration (CWE), help explain why: the five most prevalent CWEs all rank highly on the MITRE 2019 CWE Top 25 Most Dangerous Software Errors list, which scores weaknesses by how easy they are to exploit and how much damage they let an adversary cause.

The five CWEs were:

  1. CWE-787, Out-of-bounds Write
  2. CWE-20, Improper Input Validation
  3. CWE-79, Improper Neutralization of Input During Web Page Generation
  4. CWE-78, Improper Neutralization of Special Elements used in an OS Command
  5. CWE-22, Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
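To make two of these weakness classes concrete, here is an added example (not code from the Claroty report or from this article) showing how CWE-22 path traversal and CWE-78 OS command injection, both forms of CWE-20 improper input validation, typically appear in a device's web-management interface, beside the hardened form of the same logic. The management interface, the BACKUP_DIR path and the file names are assumptions constructed for the example.

```python
"""
Added example (not from the Claroty report or this article): the same
request-handling code written first with two of the weaknesses listed above
(CWE-22 path traversal and CWE-78 OS command injection, both forms of
CWE-20 improper input validation) and then in hardened form.  The
web-management interface, BACKUP_DIR and its file names are assumptions
constructed for the example.
"""
import os
import re
from pathlib import Path
from typing import List

# Assumed layout of a device's web-management interface: operators can
# download configuration backups from BACKUP_DIR and ping hosts for diagnostics.
BACKUP_DIR = Path("/var/device/backups")  # hypothetical path
# Allowlist for a hostname or IPv4 literal; rejects shell metacharacters and
# a leading '-' that ping would otherwise parse as an option.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")


# --- weak versions --------------------------------------------------------

def backup_path_vulnerable(name: str) -> str:
    """CWE-22: the request parameter is joined to the base directory unchecked,
    so '../../../etc/shadow' resolves to a file outside BACKUP_DIR."""
    return os.path.normpath(os.path.join(str(BACKUP_DIR), name))


def ping_command_vulnerable(host: str) -> str:
    """CWE-78: the host is spliced into a shell command line that the handler
    would hand to subprocess.run(..., shell=True); '127.0.0.1; reboot' runs
    a second command as the web server's user."""
    return f"ping -c 1 {host}"


# --- hardened versions ----------------------------------------------------

def backup_path_hardened(name: str) -> Path:
    """Resolve the requested path and insist it still lies inside BACKUP_DIR
    once '..' and symlinks have been collapsed; reject anything else."""
    base = BACKUP_DIR.resolve()
    candidate = (base / name).resolve()
    if candidate == base or os.path.commonpath([str(base), str(candidate)]) != str(base):
        raise ValueError(f"refusing to serve {name!r}: outside backup directory")
    return candidate


def ping_argv_hardened(host: str) -> List[str]:
    """Validate the host against the allowlist and build an argv list, never a
    shell string, so no metacharacters are interpreted.  getopt's '--'
    end-of-options marker stops a host such as '-f' being read as a flag."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"invalid host {host!r}")
    return ["ping", "-c", "1", "--", host]


if __name__ == "__main__":
    print(backup_path_vulnerable("../../../etc/shadow"))  # escapes BACKUP_DIR
    print(ping_command_vulnerable("127.0.0.1; reboot"))  # injected command
    for name in ("plc1-2020-06-01.cfg", "../../../etc/shadow"):
        try:
            print("serve:", backup_path_hardened(name))
        except ValueError as exc:
            print("reject:", exc)
    for host in ("10.20.1.15", "127.0.0.1; reboot"):
        try:
            print("run:", ping_argv_hardened(host))
        except ValueError as exc:
            print("reject:", exc)
```

The hardened path check deliberately resolves the path before comparing it, so a symlink planted inside the backup directory cannot be used to reach outside it; the hardened ping builds an argument vector and validates against an allowlist rather than trying to escape or strip "dangerous" characters, which is the approach that fails in practice.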

Engineering workstations (EWS) and programmable logic controllers (PLCs) made up the majority of the ICS products affected by the vulnerabilities assessed in the report. An EWS is typically connected to the IT network while also reaching the shop floor and the PLCs that control physical processes within the OT network, and it runs the vendor software that can download new logic to those PLCs. Combined with the fact that EWS are generally considered prone to vulnerabilities, it is easy to see why adversaries would regard them as both desirable and viable targets for manipulating or compromising physical processes.

Energy, critical manufacturing and water & wastewater were the industrial sectors most affected by vulnerabilities included in ICS-CERT advisories during the first half of 2020. Compared to 2019, the water & wastewater sector saw a 122.1% increase in ICS-CERT vulnerabilities, while the critical manufacturing and energy sectors saw increases of 87.3% and 58.9%, respectively.

An alarming fact was that ICS-CERT also published one vulnerability affecting the Nuclear Reactors, Materials, and Waste sector. All of these sectors are national critical infrastructure and the backbone of every economy, so the seriousness of the vulnerabilities is easy to grasp: exploiting any of them could cause severe disruption, up to and including loss of life and environmental damage.

According to the report, more than 70% of the 365 ICS vulnerabilities published by the NVD could be exploited remotely via a network attack vector. Protecting internet-facing ICS systems and connections is therefore essential to preserving the safety and reliability of industrial operations. The rapid shift to a remote workforce and the increased reliance on remote access connections into highly critical ICS networks further underscore this point.

It is also worth noting that the remaining vulnerabilities, those with a local attack vector, are not out of an attacker's reach: they can be triggered with social engineering, for instance phishing that manipulates an employee into opening a crafted file or disclosing credentials or sensitive data. Awareness training and controls that blunt these vectors are the most effective defence against them.

Claroty reported that remote code execution (RCE) was the most common "potential impact," accounting for 49% of the vulnerabilities covered by the report. It was followed by the ability to read application data (41%), cause denial of service (DoS) (39%) and bypass protection mechanisms (37%). Any of these impacts could seriously compromise the confidentiality, integrity or availability of affected systems, which is why security researchers keep hunting for vulnerabilities in ICS devices.

The Claroty report recommends the following precautionary measures and controls to help minimize the risks and mitigate the impacts of vulnerabilities in the industrial threat landscape.

Protecting remote access connections is critical, especially considering the expansion of remote workforces fueled by efforts to limit the spread of the COVID-19 pandemic. Enhanced protection can be achieved by:

  • Patching VPN solutions;
  • Monitoring remote connections, particularly those to OT networks and ICS devices; and
  • Enforcing granular user-access permissions and multi-factor authentication.

Remote working has made the entire workforce more dependent on email, which in turn has increased exposure to phishing and spam attacks. Here's what can be done to reduce the risk:

  • Do not open emails or download software from untrusted sources.
  • Do not click on links or attachments in emails that come from unknown senders.
  • Always verify the email sender’s email address, name and domain.
  • Back up important files frequently and keep the backups offline or otherwise isolated from the main system, so that ransomware cannot encrypt them along with the originals.
  • Protect devices using antivirus, anti-spam and anti-spyware software.

Poorly protected internet-facing ICS systems are an open door for attackers. You can put obstacles in their way if you:

  • Ensure every internet-connected ICS device requires authentication, that vendor default credentials have been changed, and that strict password hygiene is enforced;
  • Implement granular role- and policy-based access controls for all ICS devices and connected systems;
  • Secure all remote access connections using mechanisms such as encryption, access control lists and appropriate remote access technologies suitable for OT networks; as well as
  • Adhere to OT security best practices such as maintaining an accurate asset inventory, properly segmenting OT networks, implementing continuous threat monitoring and maintaining comprehensive risk and vulnerability management practices.
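Two of the controls above, monitoring remote connections into OT networks and keeping ICS devices off the open internet, can be checked continuously against firewall logs. The following is an added example, not code from the Claroty report or this article, that triages key=value firewall connection records against an assumed address plan: corporate IT on 10.10.0.0/16, OT on 10.20.0.0/16, and a single jump host that is the only sanctioned path from IT into OT. The log format, the address ranges, the jump host, the port list and the sample records are all constructed for the example.

```python
"""
Added example (not from the report or this article): a triage pass over
firewall connection records that applies two of the controls above,
monitoring remote connections into OT and keeping ICS devices off the open
internet.  The log format, the address ranges, the jump host and the sample
records are all constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed address plan: corporate IT on 10.10.0.0/16, OT/ICS on 10.20.0.0/16,
# one hardened remote-access gateway (jump host) that is the only sanctioned
# path from IT into OT.  Anything outside these ranges is treated as external.
IT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
JUMP_HOSTS = {ipaddress.ip_address("10.10.5.10")}

# Well-known ICS protocol ports worth alerting on.
ICS_PORTS = {102: "Siemens S7 (ISO-TSAP)", 502: "Modbus/TCP",
             20000: "DNP3", 44818: "EtherNet/IP"}

REQUIRED_FIELDS = ("src", "dst", "dport", "action")

# Constructed key=value firewall records (not real traffic).
SAMPLE_LOG = """\
ts=2020-06-01T02:14:07Z src=203.0.113.45 dst=10.20.1.15 dport=502 proto=tcp action=allow
ts=2020-06-01T02:15:30Z src=10.10.5.10 dst=10.20.1.15 dport=502 proto=tcp action=allow
ts=2020-06-01T02:16:02Z src=10.10.7.22 dst=10.20.1.20 dport=102 proto=tcp action=allow
ts=2020-06-01T02:17:44Z src=198.51.100.9 dst=10.20.1.15 dport=502 proto=tcp action=deny
ts=2020-06-01T02:18:10Z src=10.10.7.22 dst=10.10.8.3 dport=443 proto=tcp action=allow
ts=2020-06-01T02:19:51Z src=10.20.1.20 dst=10.20.1.15 dport=502 proto=tcp action=allow
this line is not a firewall record
"""


@dataclass
class Finding:
    severity: str
    rule: str
    src: str
    dst: str
    dport: int


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Parse one key=value record; return None for malformed or incomplete lines."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    return fields if all(k in fields for k in REQUIRED_FIELDS) else None


def _in(addr, nets) -> bool:
    return any(addr in net for net in nets)


def triage(log_text: str) -> List[Finding]:
    """Apply the segmentation rules to every record and collect findings."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
            dst = ipaddress.ip_address(rec["dst"])
            dport = int(rec["dport"])
        except ValueError:
            continue  # unparseable address or port: skip rather than crash the pass
        if not _in(dst, OT_NETWORKS) or _in(src, OT_NETWORKS):
            continue  # only traffic crossing the boundary into OT matters here
        allowed = rec["action"] == "allow"
        external = not _in(src, IT_NETWORKS)
        if external and allowed:
            findings.append(Finding("CRITICAL", "OT device reachable from external address",
                                    str(src), str(dst), dport))
        elif external and dport in ICS_PORTS:
            findings.append(Finding("LOW", f"blocked external probe of {ICS_PORTS[dport]}",
                                    str(src), str(dst), dport))
        elif allowed and src not in JUMP_HOSTS and dport in ICS_PORTS:
            findings.append(Finding("HIGH", f"{ICS_PORTS[dport]} access from IT bypassing jump host",
                                    str(src), str(dst), dport))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:8} {f.src} -> {f.dst}:{f.dport}  {f.rule}")
```

On the sample records this yields three findings: a critical one for the external address that was allowed through to a Modbus device, a high one for the IT workstation talking S7 directly to a PLC instead of going through the jump host, and a low one for the blocked external probe of port 502. The sanctioned jump-host session, the IT-to-IT connection and the OT-to-OT traffic produce nothing. The rules depend entirely on an accurate asset inventory and address plan, which is why the report lists maintaining that inventory alongside segmentation and monitoring.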

Cybersecurity risk is real. While you cannot protect against everything, a risk-based strategy supported by internal controls to measure, manage and report ongoing security health can help you mitigate business critical risks. ITEGRITI is the consultant you are looking for to defend against an increasing threat landscape. Contact us to learn more about our services.