Operational technology (OT) is facing increased scrutiny from the security research community—as well as from threat actors—in a race to find and fix vulnerabilities before they're exploited, and the safety and reliability of critical systems is put to the test.
To that end, I'm excited to share that the Claroty Research Team recently concluded an in-depth analysis of industrial control system (ICS) vulnerabilities disclosed and patched during the first half of the year. The results identify some trends of note to OT security practitioners and technology providers, and provide context to the risks faced by OT networks. They were published today in the inaugural Claroty Biannual ICS Risk & Vulnerability Report.
As a member of the Claroty Research Team and primary author of this report, I recognize the considerable challenges posed by ICS vulnerabilities and am proud to have supported research that aims to further illuminate these challenges and their implications for practitioners, vendors, and other researchers.
"There is a heightened awareness of the risks posed by ICS vulnerabilities and a sharpened focus among researchers and vendors to identify and remediate these vulnerabilities as effectively and efficiently as possible," said Amir Preminger, VP of Research at Claroty, who also contributed to the report.
The dataset making up our research included the 365 vulnerabilities in ICS products sold by 53 vendors published during the first half of the year by the National Vulnerability Database (NVD). We also examined 139 advisories published by the Industrial Control System Computer Emergency Response Team (ICS-CERT). More than 70% of those flaws are exploitable remotely over the network, reinforcing the notion that air-gapped OT networks are uncommon and these networks are no longer isolated from cybersecurity threats.
Compounding the risk posed by remotely exploitable vulnerabilities is the rapidly rising number of remote workers. OT operators have not been spared this phenomenon during the COVID-19 pandemic, and are connecting remotely to ICS networks at an unprecedented rate. This dynamic, in parallel with the rise in remotely exploitable bugs, should enhance the focus on OT vulnerabilities.
Our team this year, meanwhile, has disclosed 26 vulnerabilities that have been patched by vendors, largely those with massive install bases and that are important providers within industrial operations. Security flaws in engineering workstations and programmable logic controllers (PLCs) make up the majority of vulnerable product types that we discovered. Not only are engineering workstations and PLCs critical to industrial operations, but they are also appealing targets for adversaries.
Engineering workstations, for example, often connect to IT networks, and a successful exploit against vulnerable workstations give attackers an initial network foothold. PLCs, meanwhile, largely control physical processes within OT networks, and attacks against those units can affect the reliability of plant processes, for example.
Among the 26 vulnerabilities found by Claroty, more than 60% enable remote code execution against OT networks. Others allow for denial-of-service attacks, or power-over-ethernet attacks.
In all, there was a 10.3% year-over-year increase in vulnerabilities published by the NVD during the first half of the year compared to 2019; three-quarters of these vulnerabilities were assigned critical or high-severity ratings. There was also a 32.4% increase in the number of ICS-CERT advisories published so far this year compared to last year; third-party researchers accounted for more than 71% of ICS-CERT advisories attesting to their critical role in vetting ICS device security.
Today's report also enumerates the ICS vendors and products mentioned in NVD and ICS-CERT advisories, and breaks them down by critical industry and the impact of the respective vulnerabilities on each industry.
Claroty's Chief Product Officer, Grant Geyer, will also be providing a deeper look at the report's findings during a live webinar and Q&A session on August 27th. Register Here.
CWE-120 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW'):
A denial-of-service vulnerability exists in the affected product. The vulnerability results in a buffer overflow, potentially causing denial-of-service condition.
Rockwell Automation has corrected these problems in firmware revision 4.020 and recommends users upgrade to the latest version available.
CVSS v3: 9.8
CWE-122 HEAP-BASED BUFFER OVERFLOW:
A denial-of-service and possible remote code execution vulnerability exists in the affected product. The vulnerability results in the corruption of the heap memory, which may compromise the integrity of the system, potentially allowing for remote code execution or a denial-of-service attack.
Rockwell Automation has corrected these problems in firmware revision 4.020 and recommends users upgrade to the latest version available.
CVSS v3: 9.8
CWE-420 UNPROTECTED ALTERNATE CHANNEL:
A device takeover vulnerability exists in the affected product. This vulnerability allows configuration of a new Policyholder user without any authentication via API. Policyholder user is the most privileged user that can perform edit operations, creating admin users and performing factory reset.
Rockwell Automation has corrected these problems in firmware revision 4.020 and recommends users upgrade to the latest version available.
CVSS v3: 9.8
CWE-191 INTEGER UNDERFLOW (WRAP OR WRAPAROUND):
The affected product is vulnerable to an integer underflow. An unauthenticated attacker could send a malformed HTTP Requesty, which could allow the attacker to crash the program.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 5.3
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION'):
The affected product is vulnerable to a command injection. An unauthenticated attacker could send commands through a malicious HTTP request which could result in remote code execution.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 9.8
