ICS Vulnerabilities: No Lockdown for ICS Hackers

Few of us will have fond memories of 2020, a transformative year that forced businesses worldwide to rethink and reprioritize remote workforces, their impact on productivity and business continuity, and the expanded attack surfaces ensuing from those changes. Opportunistic attackers went especially low throughout 2020, elevating extortion and ransomware attacks within their arsenals and targeting critical infrastructure and services, such as manufacturing, health care, electric and water utilities, and food and beverage. This dynamic created a race between attackers, researchers, and defenders to find exploitable vulnerabilities, especially in industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, and operational technology (OT) protocols and networks.

These systems and communications protocols oversee industrial processes in dozens of industries, and any weak spot could be a beacon to threat actors keen on accessing the internals of an industrial enterprise and either disrupting or modifying processes central to the business.

Cybersecurity specialist Claroty has attempted to define the vulnerability landscape around industrial cybersecurity and presents a comprehensive look at ICS vulnerabilities disclosed publicly during the second half of 2020. Here are its most important findings.

ICS Security Research and Disclosure Trends

• During the second half of 2020, 449 vulnerabilities were disclosed affecting ICS products from 59 vendors. More than 70 percent of those flaws were assigned high or critical Common Vulnerability Scoring System (CVSS) ratings, down from more than 75 percent in the first half of 2020. CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities.
• The number of ICS vulnerabilities disclosed in 2020 increased by 32.89 percent compared to 2018 and 24.72 percent compared to 2019. The likely primary factors for the increase are heightened awareness of the risks posed by ICS vulnerabilities, and increased focus from researchers and vendors on identifying and remediating such vulnerabilities as effectively and efficiently as possible.
• Disclosures in the second half of 2020 showed that vulnerabilities in ICS products are most prevalent in the critical manufacturing, energy, water and wastewater, and commercial facilities sectors – all of which are designated as critical infrastructure sectors.
• Third-party companies were responsible for discovering 60.8 percent of the vulnerabilities, making them the most dominant research group in ICS security.

Among all third-parties, 22 were reporting their first disclosures, further evidence of growth in the ICS vulnerability research market.

Threats and Risks from ICS Vulnerabilities

• Vulnerabilities exploited through a network attack vector (that is, remotely exploitable) stood at 71.49 percent.
• Based on the Purdue model, both the basic control level, which includes all the controlling equipment (devices that open valves, move actuators, start motors, and so on), and supervisory control level, encompassing human/ machine interfaces and supervisory control systems (line control programmable logic controllers, engineering workstations) were affected by 46.32 percent of the vulnerabilities found. The Perdue model is a reference model that shows the interconnections and interdependencies of all the main components of a typical ICS.
• Multiple types of products operating at various OT Purdue model levels, IoT and network devices accounted for 14.7 percent of vulnerabilities found. This category mostly contains vulnerabilities in third-party components.
• A worrying 89.98 percent of vulnerabilities don’t require special conditions to exploit and an attacker can expect repeatable success every time.
• In 76.39 percent of the vulnerabilities, the attacker is unauthenticated prior to attack and doesn’t require any access or privileges to the target’s settings or files.
• If exploited successfully, 65.7 percent of the vulnerabilities can cause total loss of availability.

It’s important to remember that industrial control systems and other field devices have extensive shelf lives. Unlike IT software, applications and hardware appliances that have regular update and buying-turnover cycles, ICS gear, and operational technology are designed to last considerably longer. Much of this equipment runs critical infrastructure and manufacturing processes in industries that are pivotal to the global economy. Taking down an industrial control system or specific process oriented device for a firmware or software update is no simple feat in industries where uptime, reliability, and safety are paramount.

Digital Transformation and Convergence

Some of the increased focus on ICS vulnerabilities from security companies and independent researchers – not to mention threat actors – mirrors the convergence of IT and OT networks. These synergies will enhance the efficiency of industrial processes and save money across the board – but they can also increase the attack surface available to adversaries. Some attacks that originate on IT networks via well-known vectors (such as phishing, malware, or exploits of known flaws) may cross over to industrial networks. Engineering workstations, for example, traverse both networks and can be a linchpin that allows denial-of-service or ransomware attacks to a ect both IT systems and ICS devices, thus impacting industrial processes.

Weak spots are beacons to threat actors keen on disrupting central processes.
_{Chan Fradkin, Senior security research analyst at Claroty}

The second half of 2020 saw a significant number of remotely exploitable vulnerabilities reported to vendors and disclosed by organizations such as ICS-CERT, CERT@VDE, and Mitre. It is important for defenders to focus on comprehensive remote access solutions that are ICS and OT-specificand understand the communication protocols at play there. Network segmentation and network-based detection are fundamental to defense-in-depth and are also mandates to protect converged IT/OT networks.

Maturation of ICS Security Research

The steady growth of reported ICS vulnerabilities is noteworthy in terms of maturation but, currently, it’s also largely limited to three vendors: Schneider, Mitsubishi, and Siemens. A large majority of the products with disclosed and patched vulnerabilities in the second half of 2020 belong to those three leading vendors; the other vendors combined had fewer products a ffected by vulnerabilities. However, that doesn’t mean these vendors have cleaner, more secure products, it’s more of an issue of accessibility to equipment for a growing number of researchers.

Adversaries and Exploits

Threats continue to surface from nation-state actors (cyberattacks against the Israel Water Authority and the SolarWinds supply-chain attack) and cybercriminals (the inclusion of ICS processes in the Snake ransomware kill list). Breaching the corporate perimeter is the first hop on the Purdue model, and while network defenses may be enhanced, incidents such as the SolarWinds attack demonstrate the fragility of some perimeter-based defenses and the eventuality that these attacks will land on ICS and supervisory control and data acquisition (SCADA) equipment.

Compounding the risk is the fact that attacks against ICS devices and OT networks tend to be targeted. While ICS and SCADA vulnerability research is maturing, there are still decades-old security issues yet uncovered. For now, attackers may have an edge in exploiting them, because defenders are often hamstrung by uptime requirements and an increasing need for detection capabilities against exploitable flaws that could lead to process interruption or manipulation.

READ MORE ARTICLES