Four reports and two years have passed since the first Claroty Biannual ICS Risk & Vulnerability Report, and in that time we have established two constants: the number of vulnerabilities being disclosed continues to increase, and the growing population of researchers and product CIRT teams looking for exploitable flaws in ICS and OT products remains on an upward trajectory.
With those two trends all but certain to continue for the time being, it's time to readjust the industry's focus toward remediation and mitigation efforts. Finding and counting vulnerabilities has its place, but it's meaningless to users without reliable processes for addressing the risk these vulnerabilities pose to the industrial enterprise.
Today, Claroty's research arm Team82 releases its latest Biannual ICS Risk & Vulnerability Report, which provides decision-makers with a clear picture and understanding of the ICS and OT vulnerability landscape for the second half of 2021. While we cannot gloss over the 110% increase in the number of vulnerabilities disclosed during the latter half of last year (797 disclosed industry-wide), we believe it's important to highlight which vulnerabilities are being fully remediated by affected vendors, show you the best mitigations available when patches or updates are not immediately available, and show how vendors are maturing their internal security practices to catch and fix bugs before attackers exploit them.
Let's look at some highlights from the report:
The Extended Internet of Things (XIoT) is an umbrella term for connected cyber-physical systems, encompassing not only operational technology, but also connected medical devices, and other IoT systems within the enterprise. Many of these were not designed to be securely connected online, yet that's not stopping the momentum of digital transformation within heavy industry, healthcare, and elsewhere.
Our dataset for this report demonstrates increased attention from vulnerability researchers into these sectors as well. Decision-makers needing justification for the prioritization of XIoT cybersecurity need look no further than the chart below, which illustrates how 34% of vulnerabilities disclosed in just the last six months of 2021 were found in software and firmware running within systems not designated as purely OT.
Team82 has found more than 260 vulnerabilities since its inception, disclosing them in a coordinated fashion with affected vendors to great success. Finding and counting vulnerabilities is important, but only if it leads to a mature, safe ecosystem that is able to patch bugs, distribute fixes to users, and see those remediations implemented in a timely manner.
Our dataset confirms that software remediations are much simpler to develop for ICS products than firmware updates, which have much longer development and implementation cycles. Our data reflects that trend: 74% of fully remediated vulnerabilities are software-based.
Vulnerability disclosures aren't always accompanied by a software patch or firmware update; often, for example, a product is no longer supported by its vendor, which urges users to upgrade to current equipment rather than supplying further security updates. Couple this with an overwhelming number of legacy products still humming along supporting industrial processes worldwide, and companies' windows of exposure can be extensive. Have a look at some data related to the 29 vulnerabilities disclosed in end-of-life products:
In those cases where patches are not, or won't be, available, affected vendors and industry groups such as ICS-CERT may recommend mitigations—many of which should be considered security best practices and fundamental security hygiene measures—to blunt the impact of software and firmware vulnerabilities until a fix is available. Here are the top mitigation options recommended by affected vendors and industry groups.
Here's another sign of a maturing vulnerability research ecosystem: Team82 tracks the parties disclosing vulnerabilities, and third-party research organizations and independent researchers continue to report the most vulnerabilities to affected vendors. But we're also seeing a growing number of vulnerabilities being found and publicly disclosed by vendors' internal research teams, as shown below.
Team82, meanwhile, has partnered with many vendors on research initiatives, including leading automation vendors such as Siemens AG, Schneider Electric, and Rockwell Automation, all of which have mature internal product security teams that are vigilant about finding and fixing vulnerabilities in their products. Many smaller vendors are following that lead and realizing the importance of lessening their users' exposure to exploit attempts.
We urge you to download the report and share it with your technical colleagues and internal decision-makers. This is the best snapshot you'll find of the current XIoT vulnerability landscape, and an essential tool to help prioritize vulnerability remediation efforts and risk mitigation within your company.
CWE-120 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW'):
A denial-of-service vulnerability exists in the affected product. The vulnerability results in a buffer overflow, potentially causing a denial-of-service condition.
Rockwell Automation has corrected these problems in firmware revision 4.020 and recommends users upgrade to the latest version available.
CVSS v3: 9.8
CWE-122 HEAP-BASED BUFFER OVERFLOW:
A denial-of-service and possible remote code execution vulnerability exists in the affected product. The vulnerability results in the corruption of the heap memory, which may compromise the integrity of the system, potentially allowing for remote code execution or a denial-of-service attack.
Rockwell Automation has corrected these problems in firmware revision 4.020 and recommends users upgrade to the latest version available.
CVSS v3: 9.8
CWE-420 UNPROTECTED ALTERNATE CHANNEL:
A device takeover vulnerability exists in the affected product. This vulnerability allows configuration of a new Policyholder user without any authentication via the API. The Policyholder user is the most privileged user, able to perform edit operations, create admin users, and perform a factory reset.
Rockwell Automation has corrected these problems in firmware revision 4.020 and recommends users upgrade to the latest version available.
CVSS v3: 9.8
CWE-191 INTEGER UNDERFLOW (WRAP OR WRAPAROUND):
The affected product is vulnerable to an integer underflow. An unauthenticated attacker could send a malformed HTTP request, which could allow the attacker to crash the program.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 5.3
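The CWE-120, CWE-122 and CWE-191 entries above describe the same root cause from a defender's angle: a length taken from the request is trusted before it is checked. The following C fragment is an added illustration, not code from any of the vendors named on this page, and uses a constructed framing format (a four-digit ASCII length prefix followed by a body) rather than any real product's protocol. It shows the two checks that close both weaknesses: rejecting a declared length smaller than the header before the subtraction that would otherwise wrap (CWE-191), and bounding the copy by the destination's capacity rather than by the attacker-controlled length (CWE-120/122).

```c
#include <stdio.h>
#include <string.h>

/* Constructed framing for this example: "LLLL" + body, where LLLL is the
 * total frame length in decimal (header included). Not a real protocol. */
#define HEADER_LEN 4
#define BODY_CAP   8   /* small on purpose so the bounds check is exercised */

enum parse_result {
    PARSE_OK,
    PARSE_MALFORMED,   /* length prefix is not four decimal digits */
    PARSE_UNDERFLOW,   /* declared total is smaller than the header itself */
    PARSE_TRUNCATED,   /* declared total exceeds the bytes actually received */
    PARSE_TOO_LONG     /* body would not fit the destination buffer */
};

/* Interpret the 4-digit decimal length prefix; -1 if it is not all digits. */
static long parse_len_prefix(const char *p, size_t avail) {
    if (avail < HEADER_LEN) return -1;
    long v = 0;
    for (int i = 0; i < HEADER_LEN; i++) {
        if (p[i] < '0' || p[i] > '9') return -1;
        v = v * 10 + (p[i] - '0');
    }
    return v;
}

/* Copy the frame body into out (capacity out_cap) only after every length
 * check has passed. Returns a parse_result and sets *body_len_out on success. */
enum parse_result parse_frame(const char *frame, size_t frame_len,
                              char *out, size_t out_cap, size_t *body_len_out) {
    long total = parse_len_prefix(frame, frame_len);
    if (total < 0) return PARSE_MALFORMED;

    /* CWE-191: (size_t)total - HEADER_LEN wraps to a huge value when
     * total < HEADER_LEN, and a later memcpy would use that size. Check first. */
    if ((size_t)total < HEADER_LEN) return PARSE_UNDERFLOW;
    size_t body_len = (size_t)total - HEADER_LEN;

    /* The declared length must never exceed what was actually received. */
    if ((size_t)total > frame_len) return PARSE_TRUNCATED;

    /* CWE-120/122: the copy is bounded by the destination, not by the input;
     * ">=" leaves room for the terminating NUL. */
    if (body_len >= out_cap) return PARSE_TOO_LONG;

    memcpy(out, frame + HEADER_LEN, body_len);
    out[body_len] = '\0';
    *body_len_out = body_len;
    return PARSE_OK;
}

/* Convenience wrapper for NUL-terminated sample frames. */
enum parse_result check_frame(const char *frame) {
    char out[BODY_CAP];
    size_t n = 0;
    return parse_frame(frame, strlen(frame), out, sizeof out, &n);
}

/* Returns 1 if the frame parses and its body equals expected, else 0. */
int frame_body_matches(const char *frame, const char *expected) {
    char out[BODY_CAP];
    size_t n = 0;
    if (parse_frame(frame, strlen(frame), out, sizeof out, &n) != PARSE_OK) return 0;
    return strcmp(out, expected) == 0;
}

int main(void) {
    /* Constructed sample frames, one per outcome. */
    const char *samples[] = {"0009hello", "abcd", "0002xx", "0500abc", "00140123456789"};
    const char *names[] = {"ok", "malformed", "underflow", "truncated", "too_long"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i], names[check_frame(samples[i])]);
    return 0;
}
```

The order of the checks matters: the underflow test must precede the subtraction, and the "declared length versus received length" test must precede the copy, otherwise a short frame with a large prefix reads past the end of the received buffer even though the destination bound is respected.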
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION'):
The affected product is vulnerable to a command injection. An unauthenticated attacker could send commands through a malicious HTTP request which could result in remote code execution.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 9.8
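For the CWE-78 entry above, the mitigation a product team would apply is to stop building a shell command string out of request data at all. The C fragment below is an added example, not code from the vendor named on this page; the utility and its options ("ping -c 1") and the host-argument format are assumptions chosen for illustration. It pairs an allow-list validator for the user-supplied value with an argv-based exec that never passes through a shell, so metacharacters in the input have no meaning even if validation were bypassed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define HOST_MAX 253   /* DNS name length limit used as the allow-list bound */

/* Allow-list validation of a host argument: letters, digits, '.' and '-'
 * only, length-bounded, and not starting with '-' so the value cannot be
 * parsed as an option by the invoked utility. Returns 1 if acceptable. */
int is_safe_host_arg(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > HOST_MAX) return 0;
    if (s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Build an argv vector for the (assumed) "ping -c 1 <host>" invocation. The
 * host is a single argument word, never spliced into a command string, so
 * ';', '|', '$(...)' and friends are just bytes. Returns the argument count,
 * or 0 when the host fails validation or the vector is too small. */
int build_ping_argv(const char *host, const char *argv[], size_t cap) {
    if (cap < 5 || !is_safe_host_arg(host)) return 0;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

/* Execute without a shell: fork + execvp on the argv vector. Returns the
 * child's exit status, or -1 on fork/wait failure or abnormal termination. */
int run_without_shell(const char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);   /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed inputs: the first two are legitimate, the rest are the
     * shapes a validator must reject (command separator, substitution,
     * option injection, empty). Nothing is executed here. */
    const char *samples[] = {"plc01.example", "10.0.0.1", "10.0.0.1; id",
                             "$(id)", "-f", ""};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               is_safe_host_arg(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Validation and the no-shell exec are independent layers: the allow-list keeps junk out of logs and out of the utility's option parser, while `execvp` with an explicit argv guarantees that whatever reaches the child is one argument, not a command line.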