One thing that's been established so far in 2021 is that industrial control system (ICS) and operational technology (OT) cybersecurity has gone mainstream. High-profile attacks such as the Oldsmar, Fla., water treatment facility and Colonial Pipeline made sure of that; not only were there the obvious impacts to system availability and service delivery, but the state of resilience among industrial enterprises was exposed, and the U.S. government has taken notice.
This is the context under which Claroty's Team82 today publishes its latest Biannual ICS Risk & Vulnerability Report. Available now, the report covers ICS and OT vulnerabilities disclosed during the first half of the year. It also identifies a number of trends to watch that have emerged in the wake of relentless extortion-style attacks and increased attention to ICS and OT vulnerabilities from researchers and threat actors alike.
This report continues to be one of the most important resources available to CISOs and IT and OT network managers, providing those decision makers with a comprehensive analysis of software and firmware vulnerabilities affecting industrial products. Leaders are urged to use this report to frame discussions around vulnerability management and resource prioritization as companies move forward converging IT and OT environments, bringing cloud to ICS and OT, and preparing for impending U.S. cyber legislation specific to critical infrastructure.
The report also demonstrates the work being done by Team82, the research leader among industrial cybersecurity companies. Team82 disclosed 70 vulnerabilities affecting 20 automation and technology vendors, surpassing 150 vulnerabilities disclosed since its inception.
While many of the numbers in the report are eye-opening and impressive, they do illustrate an ongoing trend since Claroty began publishing these twice-a-year snapshots: the quantity of vulnerabilities being disclosed—and patched or mitigated—continues on an upward trajectory. There are numerous factors behind that growth, starting with the fact that more researchers than ever are looking for bugs in ICS products and OT protocols (42 new researchers disclosed vulnerabilities in 1H 2021, and 20 vendors had public vulnerability disclosures for the first time). Also, organizations that have integrated OT management under IT or brought the cloud to OT are not only enjoying improved business efficiencies and analytics, but are expanding attack surfaces and exposing devices to the internet that were never meant to be connected.
Most importantly, we took a deep dive into patching and other remediations, including vendor-provided mitigations. It's no surprise that software vulnerabilities are being patched at a much higher rate than firmware bugs, but it's a truism among ICS and OT security circles that patching and product updates require downtime that's intolerable in many arenas. Therefore, mitigations carry significant weight for defenders. We measured the mitigations most recommended by vendors and industry CERTs, and network segmentation and secure remote access were far-and-away the top mitigation steps in 1H 2021.
As air-gapped OT networks become relics of the past, network segmentation takes on a prominent profile among mitigations. Techniques such as virtual zoning—zone-specific policies tailored to engineering or other process-oriented functions—will also ascend along segmentation as an indispensable mitigation.
Secure remote access, meanwhile, was a close second to segmentation as a top mitigation step. Proper access controls and privilege management can go a long way toward shutting down the next Oldsmar-type incident, and more importantly, keep profit-oriented actors from moving laterally through IT and OT networks, stealing data, and dropping malware such as ransomware.
Alarmingly, firmware fixes (either partial or no update at all) were scarce. Almost 62% of flaws in firmware had no fix or a partial remediation recommended, and most of those bugs were in products deployed at Level 1 of the Purdue Model, the Basic Control level.
Better news lies on the software side of the house, where almost 60% of vulnerabilities were remediated. This is no real surprise given the comparative ease in applying a software patch versus a firmware update in any environment.
And while we're on the Purdue Model, 23.55% of the vulnerabilities disclosed in 1H 2021 were found in products at Level 3, Operations Management, which includes Historian databases, OPC servers, and other critical machines. The next most affected Purdue Model level was Level 1, Basic Control where 15.23% of the vulnerabilities disclosed in 1H 2021 were found, followed by Level 2, Supervisory Control. This zone includes HMIs, SCADA systems, engineering workstations, and other machines that communicate directly with PLCs, RTUs, and controllers at Level 1.
Meanwhile, here's a sample of some other interesting data points from the report that paint the best picture of the ICS risk and vulnerability landscape in 1H 2021:
637: The number of ICS vulnerabilities disclosed in 1H 2021, almost 200 more than in our previous report covering 2H 2020
61.4%: The percentage of remotely exploitable ICS vulnerabilities
31.6%: The percentage of locally exploitable ICS vulnerabilities
26%: The percentage of ICS vulnerabilities that went unpatched, or for which only a partial remediation was suggested
65%: The percentage of ICS vulnerabilities likely to lead to total loss of availability
70: The number of vulnerabilities disclosed by Claroty's Team82 in 1H 2021; Claroty has surpassed 150 vulnerabilities disclosed since Team82's inception.
Download the report and spend some time looking at the trends and numbers. We'd love to hear your thoughts on the data and conclusions.
CWE-120 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW'):
A denial-of-service vulnerability exists in the affected product. The vulnerability results in a buffer overflow, potentially causing denial-of-service condition.
Rockwell Automation has corrected these problems in firmware revision 4.020 and recommends users upgrade to the latest version available.
CVSS v3: 9.8
CWE-122 HEAP-BASED BUFFER OVERFLOW:
A denial-of-service and possible remote code execution vulnerability exists in the affected product. The vulnerability results in the corruption of the heap memory, which may compromise the integrity of the system, potentially allowing for remote code execution or a denial-of-service attack.
Rockwell Automation has corrected these problems in firmware revision 4.020 and recommends users upgrade to the latest version available.
CVSS v3: 9.8
CWE-420 UNPROTECTED ALTERNATE CHANNEL:
A device takeover vulnerability exists in the affected product. This vulnerability allows configuration of a new Policyholder user without any authentication via API. Policyholder user is the most privileged user that can perform edit operations, creating admin users and performing factory reset.
Rockwell Automation has corrected these problems in firmware revision 4.020 and recommends users upgrade to the latest version available.
CVSS v3: 9.8
CWE-191 INTEGER UNDERFLOW (WRAP OR WRAPAROUND):
The affected product is vulnerable to an integer underflow. An unauthenticated attacker could send a malformed HTTP Requesty, which could allow the attacker to crash the program.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 5.3
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION'):
The affected product is vulnerable to a command injection. An unauthenticated attacker could send commands through a malicious HTTP request which could result in remote code execution.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 9.8