Connected IoT devices and converging operational technology (OT) under IT systems management are providing many benefits to industries. However, this technological momentum is being leveraged by threat actors as well, who are seeking to disrupt businesses and profit. Assets are exposed online, and along with them, all their insecurities: unpatched vulnerabilities, unsecured credentials, weak configurations, and the use of outdated industrial protocols.
Industrial control system (ICS) vulnerability disclosures are drastically increasing as high-profile cyber-attacks on critical infrastructure and industrial enterprises have elevated ICS security to a mainstream issue, according to the third Biannual ICS Risk & Vulnerability Report released by Claroty. The report shows a 41% increase in ICS vulnerabilities disclosed in the first half (1H) of 2021 compared to the previous six months, which is particularly significant given that in all of 2020 they increased by 25% from 2019 and 33% from 2018.
The report provides a comprehensive analysis of ICS vulnerabilities publicly disclosed during 1H 2021, including those found by Claroty’s research team, Team82, and those from trusted open sources including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and industrial automation vendors Schneider Electric and Siemens.
“As more enterprises are modernizing their industrial processes by connecting them to the cloud, they are also giving threat actors more ways to compromise industrial operations through ransomware and extortion attacks,” said Amir Preminger, vice president of research at Claroty. “The recent cyber-attacks on Colonial Pipeline, JBS Foods, and the Oldsmar, Florida water treatment facility have not only shown the fragility of critical infrastructure and manufacturing environments that are exposed to the internet but have also inspired more security researchers to focus their efforts on ICS specifically.”
Key research findings
It is useful to have a look at the research findings to understand the emerging threat landscape affecting ICS.
Increased vulnerabilities
During 1H 2021, 637 ICS vulnerabilities were published, affecting products sold by 76 vendors. That is a 41% increase from the previous six months, in which 449 vulnerabilities were disclosed. 70.93% of the vulnerabilities are classified as high or critical, about on par with 2H 2020. 80.85% of the vulnerabilities disclosed during 1H 2021 were discovered by sources external to the affected vendor, including research organizations such as third-party companies, independent researchers, and academics.
Affected systems
The largest percentage of vulnerabilities disclosed during 1H 2021 affected Level 3 of the Purdue Model, Operations Management (23.55%), followed by Level 1, Basic Control (15.23%) and Level 2, Supervisory Control (14.76%).
Operations Management can be a critical crossover point with converged IT networks. These systems include servers and databases vital to production workflow, or systems that collect data that will be fed to business systems to facilitate decision making. These business systems are increasingly operating in the cloud. At the Basic Control level are programmable logic controllers (PLCs), remote terminal units (RTUs), and other controllers that monitor Level 0 equipment such as pumps, actuators, sensors, and more. At the Supervisory Control level are human-machine interfaces (HMIs), SCADA software, and other tools that monitor and analyze Level 1 data.
Attack vectors
It’s critical that industries understand the attack vectors threat actors may take to compromise industrial networks. 61.38% of security vulnerabilities enable attacks from outside the IT or OT network, demonstrating the importance of securing remote connections and Internet of Things (IoT) and Industrial IoT (IIoT) devices.
On the other hand, 31.55% of the disclosed vulnerabilities are exploitable through local attack vectors, relying on user interaction to perform actions required to exploit these vulnerabilities, such as social engineering through spam or phishing. This reinforces the need for phishing and spam prevention, as well as awareness techniques that would help stem the tide of ransomware and other potentially devastating attacks.
What is worrying, though, is that for almost 90% of the vulnerabilities the complexity of exploitation is considered low, meaning these vulnerabilities don’t require special conditions and an attacker can expect repeatable success every time. In addition, 74% of the disclosed vulnerabilities do not require any privileges to be exploited, meaning the attacker needs no authorization and no prior access to settings or files. Finally, 66% do not require user interaction, such as opening an email, clicking on links or attachments, or sharing sensitive personal or financial information.
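The attack-vector, complexity, privilege, user-interaction and availability figures above are counts over CVSS v3 base metrics. The script below shows how a defender can reproduce those buckets over their own advisory feed; it is an added example, not code from the article or from Claroty's report, and the vector strings in it are constructed samples rather than real disclosures.

```python
"""Bucket ICS advisories by the CVSS v3.1 base metrics the report counts (added example)."""
from collections import Counter

# Base metrics and the values CVSS v3.1 allows for each.
ALLOWED = {"AV": {"N", "A", "L", "P"}, "AC": {"L", "H"}, "PR": {"N", "L", "H"},
           "UI": {"N", "R"}, "S": {"U", "C"}, "C": {"N", "L", "H"},
           "I": {"N", "L", "H"}, "A": {"N", "L", "H"}}

def parse_cvss_vector(vector):
    """Return the base metrics of a CVSS:3.x vector string; raise ValueError if malformed."""
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        if key not in ALLOWED:      # temporal/environmental metrics are ignored
            continue
        if value not in ALLOWED[key] or key in metrics:
            raise ValueError(f"bad or repeated metric {part!r} in {vector!r}")
        metrics[key] = value
    missing = sorted(set(ALLOWED) - set(metrics))
    if missing:
        raise ValueError(f"missing base metrics {missing} in {vector!r}")
    return metrics

def summarize(vectors):
    """Percentage of advisories in each bucket the report uses (rounded to 2 dp)."""
    counts = Counter()
    for vec in vectors:
        m = parse_cvss_vector(vec)
        counts["network_reachable"] += m["AV"] == "N"       # exploitable from outside the OT network
        counts["local_vector"] += m["AV"] in {"L", "P"}     # needs a local or physical foothold
        counts["low_complexity"] += m["AC"] == "L"          # no special conditions, repeatable
        counts["no_privileges"] += m["PR"] == "N"           # unauthenticated attacker
        counts["no_user_interaction"] += m["UI"] == "N"     # no click, no opened file
        counts["total_availability_loss"] += m["A"] == "H"  # outage of the affected asset
    return {k: round(100 * counts[k] / len(vectors), 2) for k in (
        "network_reachable", "local_vector", "low_complexity",
        "no_privileges", "no_user_interaction", "total_availability_loss")}

# Constructed sample advisories for a small OT estate (not real CVEs).
SAMPLE_VECTORS = [
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",  # unauthenticated RCE on an HMI
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",  # PLC crash from a malformed packet
    "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",  # engineering-workstation file parsing
    "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",  # info leak needing a login and a race
    "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",  # unauthenticated write over fieldbus
]
```

Running `summarize(SAMPLE_VECTORS)` on the constructed feed gives 60% network-reachable, 20% local, and 80% in each of the low-complexity, no-privilege, no-interaction and total-availability-loss buckets.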
Hardening of ICS
Updating industrial control systems or SCADA software is often challenging because of the uptime and availability requirements of operations. Firmware updates are also difficult because of the complexity involved in developing and deploying them. These cycles can take significantly longer than traditional IT patch management, often making mitigations the only remediation option open to defenders.
As a result of this well-documented situation, industrial control systems are often not hardened. Almost 26% of the 637 ICS vulnerabilities disclosed in 1H 2021 have no fix or only a partial remediation.
The lack of remediation for known vulnerabilities greatly impacts the availability and reliability of industrial processes. Of the vulnerabilities with no or only partial remediation, 55% could result in remote code execution and 48% could result in denial-of-service conditions when exploited successfully. Overall, for 65% of the vulnerabilities there is a high likelihood of a total loss of availability.
How to mitigate these vulnerabilities
Mitigations are often the only remediation option open to defenders given the software and firmware patching challenges. Claroty highlights that network segmentation and secure remote access are the top two steps and should be top considerations for defenders ahead of other options.
OT network segmentation is an important control as air-gapped connectivity is a relic of the past and network perimeters blur with enterprises moving data, applications, infrastructure, and services to the cloud. At the same time, proper access controls and privilege management are crucial as companies manage a long-term trend toward remote work. Secure remote access solutions must not only alert on suspicious activities, but also provide the capability to investigate specific sessions, either live or on-demand, and allow administrators to respond by either disconnecting a session or taking another action to contain or remediate the damage.
The first step to addressing these vulnerabilities is to assess your cybersecurity risk baseline. ITEGRITI offers a detailed and free Cybersecurity Risk Baseline self-assessment.