By Team82 | Nov. 17, 2021

Executive Summary

  • Finding industrial software, firmware, and protocol vulnerabilities has given asset owners unprecedented visibility into their risk exposure.
  • Now that networks largely running legacy code are briskly being connected to the internet, a proper understanding of risk posed by vulnerabilities is essential.
  • Team82 leads the way in finding vulnerabilities, recently disclosing its 250th vulnerability, a significant milestone a little more than two years into its existence.
  • Claroty’s research team has not only published 250 CVEs—all of which have been either patched or mitigated—but it has also informed vendors and asset owners about the need to prioritize cybersecurity.
  • Team82’s disclosures include novel attack techniques for ICS devices and OT networks, notably within the domains of cloud, remote access, and targeting of PLCs.
  • Our work has also included close collaboration with numerous vendors on not only vulnerability discovery and remediation, but also coordinating disclosure, and communicating safely with customers and the community.

Introduction

White-hat researchers, including Claroty’s Team82, have made relatively quick work of finding vulnerabilities in the software, firmware, and communication protocols governing devices that keep shop floors running, the lights on, the water clean, and fuel pumped from refineries to homes around the world.

With a wide swathe of old, legacy technology still running reliably on OT networks, finding bugs in easily accessible automation products and network protocols has been a necessary—and elementary—first step in elevating the cybersecurity of industrial enterprises worldwide.

Along with that research—which to date has resulted in a milestone 250 CVEs disclosed for Team82—comes a responsibility to educate asset owners about their risk exposure, and explain how newly connected ICS devices and OT networks are exposed to hackers like never before.

That has been Team82’s mission since its inception and today as we take this opportunity to recognize our achievement, it’s also important to recognize that OT cybersecurity research has miles to go before organizations can settle on a risk management strategy that adequately addresses today’s threats and exposures.

This report will reflect on Team82’s leadership in OT vulnerability research, and the initial inroads we’ve made helping vendors normalize vulnerability disclosures and coordination.

Transformation, Convergence—and Hackers

Team82’s focus on vulnerability discovery in ICS products filled a noticeable research gap within the domain. While it was widely understood that industrial networks were running largely on legacy equipment, some decades old, there were relatively few CVEs reported for software and firmware vulnerabilities.

It became clear that asset owners didn’t have full visibility into the cybersecurity risks they were trying to manage. Coupled with the growing number of converged IT/OT environments and the prioritization of digital transformation, Team82 had an opportunity not only to find and help fix a substantial number of unknown vulnerabilities, but also to educate a growing vendor and user market about the importance of secure development processes, and coordinated vulnerability disclosure and response.

Many of our engagements with automation partners such as Rockwell Automation and Siemens AG, and software vendors, including CODESYS, AUVESY, and others, have resulted in improvements to security response, enhancements to vulnerability triage, and coordination as to how vulnerabilities are addressed. This level of cooperation also extends into how details are shared with customers and the community in a safe, responsible manner that lowers risk for all involved.

One dynamic that has emerged in full force is the existence of coordinated disclosure processes within OT. Once solely the purview of IT realms, disclosure processes are now also central to the core of ICS and OT security. As businesses embrace digital transformation and bring OT security management under IT teams, vulnerability and patch management of industrial equipment has been prioritized like never before. And with good reason.

Many process control systems today have links to the internet making them a ripe and rich target for threat actors. As we saw with Colonial Pipeline and JBS Foods attacks, cyber criminals interested in profit are leveraging ransomware and other extortion-based attacks to infiltrate large companies willing to pay out hefty ransom demands.

Team82 has also discovered new attack concepts that have been addressed before they’ve been abused by threat actors. We can point to our report “Top-Down, Bottom-Up: Exploiting Vulnerabilities in the OT Cloud Era,” as one example. The relevance has never been more apparent as businesses use cloud-based management systems to manage and configure industrial control systems. In our report, we explained how an attacker can not only attack field devices by taking over a cloud-based management console, but also how attacks targeting PLC platforms can also be used to climb the ladder, so to speak, and take over the console.

From Team82’s dataset of 250 CVEs, we can see how dangerous the top five vulnerability classes can be to field devices. Not only do the most prevalent vulnerabilities Team82 uncovered lead to code execution or denial of service attacks, but application data may be modified or read in many cases. Below is a look at the top 10 vulnerabilities by impact:

The current environment puts the onus on defenders of industrial networks to be vigilant about exploitable vulnerabilities and also to find a way to cooperatively work alongside researchers who are digging into these critical and sensitive systems. The work researchers such as Claroty’s Team82 are doing takes on exponential importance not only because of the impact of cyberattacks on heavy industry, manufacturing, and critical infrastructure, but also because many of these are legacy systems that are difficult or impossible to patch, and run in environments where downtime is unacceptable.

ICS and OT cybersecurity is very much in a similar time continuum as IT was in the early 2000s when Windows emerged as king of the desktop, yet had little in the way of discernible and coordinated cybersecurity processes built in to address vulnerabilities. Attackers had a field day unleashing worms via connected Windows desktops and servers that caused severe interruptions to businesses worldwide. Eventually, introverted hackers found a way to emerge as profit-motivated criminals and exploit the landscape until Microsoft deployed Trustworthy Computing and extended the olive branch to white-hat researchers.

This should sound familiar to those intimately familiar with ICS and OT networks. Digital transformation and convergence have dragged industrial control systems into the world commodity attacks, and more than ever, researchers are a paramount piece of the cybersecurity puzzle. Large manufacturing organizations, food and beverage companies, and heavy industry cannot afford to have a contentious relationship with vulnerability researchers. The two sides are fighting the same fight and work toward similar goals, such as developing extensive vulnerability management programs that have at the forefront, standardized coordinated disclosure processes.

Finding, Fixing Bugs is One Thing, A Safer Market is Quite Another

This is the landscape under which Claroty’s Team82 research team has thrived. What began with a simple disclosure in a Schneider Electric engineering workstation software tool has evolved to the ICS security industry’s most prolific team. Team82 has disclosed 250 vulnerabilities to the leading providers in the ICS domain, including Rockwell Automation, Siemens, ABB, GE, and dozens of other companies, working closely with these leaders to patch vulnerabilities or provide mitigations whenever possible.

Research teams such as Claroty’s face an uphill battle given the sheer volume of legacy systems still in operation, and the lack of standardization between vendors and products that must communicate on shop floors. Combine that with the intolerance of downtime, and remediating software and firmware vulnerabilities is a demanding challenge.

Patching software is much more straightforward with shorter update and distribution cycles. Firmware updates are much more difficult because of the complexity involved in developing and implementing updates. Often, because firmware update cycles are so much longer than software, vendors are forced to provide temporary mitigation solutions until a fix is available. This extends the window of opportunity available to attackers to target and exploit these flaws.

In Team82’s Biannual ICS Risk & Vulnerability Report for the 1H 2021, 26% of vulnerabilities across the ICS domain were not patched, or only a partial remediation such as mitigation advice was made available. Of the vulnerabilities with no fix or partial remediation, 62% were firmware vulnerabilities. More than half of those flaws enabled either remote code execution or denial of service conditions, both of which are likely to shut down or affect the integrity of industrial processes. The chart below shows where vulnerabilities found by Team82 affect product families, especially on Levels 1-3 of the Purdue Model.

Nonetheless, Team82 has observed a steady transformation among its automation partners. Large organizations such as Rockwell and Siemens, for example, have mature vulnerability disclosure processes that not only include bug triage and remediation, but also close coordination with research teams such as Team82.

While industry standards—developed largely for IT vulnerability management—dictate that vendors have 90 days to respond with a patch or mitigation advice, that approach may not always be enforceable within OT. Business software has much quicker turnover cycles, while control systems and field devices were designed to last for decades. As a result, vendors scramble to address vulnerabilities in legacy systems, and are often forced to recommend mitigations and defense-in-depth strategies, such as network segmentation and secure remote access solutions, to make vulnerabilities more difficult to exploit.

This year, Team82 has enjoyed a number of successful coordinated disclosure efforts with affected vendors, including Rockwell, Siemens, and smaller partners such as AUVESY.

In each case, researchers not only securely shared vulnerability details with the vendor, but provided proof-of-concept code triggering the flaws, collaborated on fixes, and confirmed they were effective. In some cases, both sides worked on coordinated disclosures to industry groups such as ICS-CERT, customer advisories, and public notifications depending on the severity and impact of the flaw, and scope of affected customers.

This is maturity in a discipline that’s relatively new to industrial enterprises. For those that are lagging behind, the U.S. government may soon stir them to action. Prompted by the Colonial Pipeline and JBS Foods attacks, numerous bills have been introduced to Congress that essentially mandate reporting incidents—largely within a 72-hour timeframe—to CISA. CISA is likely to be established as the vulnerability clearinghouse for attacks and incidents affecting privately owned and publicly maintained critical infrastructure. Some bills also mandate that ransom payments be reported to the government in an effort to understand and curb the threat posted by extortion attacks to critical industries.

Team82 Vulnerability Data

The impact of ICS and OT vulnerability research is being felt across industries, primarily as it makes this a safer and more reliable domain for plants and critical infrastructure. We took a look at Team82’s vulnerability dataset, and wanted to illustrate some numbers and trends that decision makers can use in conversations with the board or champions within their four walls.

Since 2019, Team82 has disclosed 250 vulnerabilities, a milestone number, affecting 40 vendors.

Of those 250, close to 71% have a network attack vector, indicating they can be attacked remotely.

Decision makers require context as to the severity of exploitable vulnerabilities. Of the 250 vulnerabilities disclosed by Team82, eight of 10 are either rated critical or high severity.

Team82 has focused on some of the leading automation vendors, working closely with them to improve the safety and reliability of their products. The chart below illustrates the number of vulnerabilities in Team82’s dataset ranked by vendor; note that this should not indicate a lack of secure software or firmware development among these vendors. Instead, these numbers indicate a willingness to work with researchers, address vulnerabilities before they’re exploited, and improve all-around security response efforts.

Where Do We Go From Here?

Team82 will continue to lead the way in innovative ICS and OT cybersecurity research, and more importantly, contribute to the overall safety, resilience, and reliability of the market by ensuring that vulnerabilities are discovered, patched, or mitigated.

Our work doesn’t end in the lab, but also extends out to vendor partners, and asset owners. Vulnerability research and disclosures help vendors grow and mature product security and internal response procedures. Asset owners, meanwhile, get an accurate picture of their inventory from partners such as Claroty, and may prioritize how to best lock down patch and vulnerability management processes.

Two hundred and fifty disclosures is our first milestone. While it’s a number to be proud of, it’s just the beginning, and we grow our team and influence, and establish ourselves as a most trusted partner to the community.