Claroty Team82
Biannual ICS Risk & Vulnerability Report: 2H 2021
The industry’s foremost snapshot of vulnerabilities disclosed in automation products and OT networks.
Introduction
This is Team82’s fourth Biannual ICS Risk & Vulnerability Report, and since 2020 we’ve made it clear that vulnerabilities in automation products are as prevalent as they are elsewhere in the tech stack. The number of vulnerabilities being disclosed and the growing population of researchers looking for exploitable flaws in ICS and OT products have been on an upward trajectory for some time. What’s important now is to reinforce the importance of patching and mitigating vulnerabilities, to show how the industry is maturing to blunt the impact of software and firmware issues, and to explain what you as decision-makers need to do to address this risk within the industrial enterprise.
This report is a reflection of those trends, and brings important context to the unique discipline of ICS vulnerability research and managing that risk. We hope it’s a useful resource for you.

What’s Inside
Remediation Matters
Finding vulnerabilities is one thing; fixing them is quite another. Flaws in software are far less challenging to patch than flaws in firmware, and this is reflected in Team82’s dataset for 2H 2021, which shows that three-quarters of fully remediated vulnerabilities are software based.
Of fully remediated vulnerabilities
are software based, emphasizing that, given the comparative ease of patching software over firmware, defenders are able to prioritize patching within their environments.
Of partially or not remediated vulnerabilities
could result in remote code execution or denial of service when exploited.
When You Can’t Patch, Mitigate
Not every ICS vulnerability can be immediately patched, as you’ll read in our report. It’s important to have foundational strategies in place to mitigate the effects of software and firmware vulnerabilities until a patch is available from a vendor. These are the top mitigation suggestions to counter threats over the network and even those targeting human frailty via social engineering.
Internal Vendor Research for the Win
Automation vendors such as Siemens AG, Schneider Electric, and Rockwell Automation have mature internal product security teams who are finding and disclosing vulnerabilities at a sparkling rate, contributing to a safer ecosystem. Smaller vendors, meanwhile, are following their lead, and Team82 has partnered with many of them to help improve not only their research efforts but also their disclosure processes and, most importantly, the testing of remediations for efficacy.
Increase
In number of vulnerabilities disclosed through internal vendor research
Increase
In vulnerabilities disclosed
A Legacy Problem
OT and ICS products have extended shelf lives. Products that weren’t built for internet connectivity are coming online, and many of those are no longer supported by their vendors. This is something security analysts, asset owners, and operators must track. Here is a sample of vulnerability data affecting end-of-life products.
Of vulnerabilities affecting end-of-life
Are exploitable remotely via a network attack vector
Of vulnerabilities affecting end-of-life
Are found in Level 1 (Basic Control) devices such as PLCs, RTUs, etc.
Of vulnerabilities affecting end-of-life
When successfully exploited could lead to code execution or denial-of-service
Product Families at Risk
When you map some of Team82’s 2H 2021 vulnerability data against the Purdue Model and the networking layers of the OSI model, you’ll notice the extensive exposure at the Operations Management and Supervisory Control levels. Attackers have an array of vulnerabilities exploitable over the network, requiring extra vigilance to defend against remote attacks. As for locally exploitable vulnerabilities, a large majority require user interaction for exploitation.
Of Operations Management disclosures via a local attack vector
Require user interaction for exploitation, showing the importance of awareness of, and protection against, social engineering tactics among workers with access to critical assets.
Users Not Required
Unauthenticated attackers, once they have a network foothold, can often move laterally—and quietly—across a network in order to steal data, launch ransomware, or gain privileged access to systems. You can see here that an overwhelming majority of vulnerabilities require no action on the user’s part for exploitation.
Of vulnerabilities require no user interaction
meaning the attacker does not depend on the participation of a separate user or user-initiated process in order to exploit the vulnerability
Vulnerability Scoring
More independent researchers and maturing internal vulnerability research teams than ever before are looking into industrial control systems. Those examining control systems and OT protocols are looking for the highest-impact flaws; defenders must take CVSS scoring into consideration, but it cannot be the only factor in determining the risk to one’s environment.
Of vulnerabilities are classified as high or critical
reflecting the broader tendency among ICS security researchers to focus on identifying vulnerabilities with the greatest potential impact in order to maximize harm reduction
3 Trends to Watch
Cloudy Forecast: Securing XIoT
Converged Extended IoT environments are moving to the cloud. How will you secure those connections?
A Fragile Supply Chain, and How SBOMs Help
Secure development and visibility into software and firmware components are game-changers.
A New Ransomware Front
Beware ransomware attacks used as cover for deeper intrusions against critical infrastructure.
At a Glance
The number of vulnerabilities disclosed by Team82
The number of ICS vulnerabilities disclosed industry-wide
Percentage increase of vulnerabilities disclosed