Q&A: Team82’s Chen Fradkin on the ICS Risk and Vulnerability Landscape

Last month, Chen Fradkin—Claroty Team82 researcher and author of the latest Biannual ICS Risk & Vulnerability Report: 1H 2021—hosted a webinar to present some of the key findings. Chen addressed a range of topics behind the numbers including trends in vulnerabilities, attack vectors, and affected products. She also suggested mitigation and remediation strategies for CISOs to consider and provided insights into what to expect through the rest of 2021 and into 2022.

Chen Fradkin—Claroty Team82 researcher and author of the latest Biannual ICS Risk & Vulnerability Report: 1H 2021.

We had a chance to sit down with Chen to discuss some of the highlights from the webinar.

Q. There's no shortage of data in this report, but what do you think are a few important numbers for CISOs and OT security managers and operators to know?

To begin with, the report was based on 637 ICS vulnerabilities disclosed during 1H 2021. Of these, 70 were discovered and disclosed by Claroty, with the remainder collected from multiple public sources including third-party companies, independent researchers, and academics. There were 76 ICS vendors affected.

While the number of ICS vulnerabilities disclosed in 1H 2021 has increased nearly 42% compared to 2H 2020, it's important to understand the factors driving the increase in disclosed vulnerabilities. These include the rising awareness of risks posed from ICS vulnerabilities and the potential for damage from these attacks are driving more researchers and vendors to look for them. Also, keep in mind that not all of these vulnerabilities are new. Some have existed and have been exposed to threat actors who have significant resources and the ability to exploit them if they choose.

Q. What are some of the trends that were revealed with respect to attack vectors?

The network attack vector is still the most common and shows the importance of protecting remote access connections and internet-facing devices, especially with the rise in IT/OT convergence and connectivity of these internal networks and devices to the internet. However, since the previous report we are also seeing a notable rise in vulnerabilities exploitable through local attack vectors (from 18.93% to 31.55%). For nearly 73% of these vulnerabilities, the attacker relies of some sort of user interaction, such as social engineering through spam or phishing for their exploit. These techniques are particularly dominant at the Operations Management Level 3 and Supervisory Control Level 2 of the Purdue Model. This reinforces the importance of protecting against social engineering tactics among workers with access to critical assets, particularly given two major instances of ransomware in the past six months in operational organizations – Colonial Pipeline and JBS Foods.

Q. What products were most affected?

Our research reveals that the most affected products are at the Operations Management Level 3, accounting for nearly 24% of the vulnerabilities. These include servers and databases which can be critical crossover points with converged IT/OT networks and explains why many vulnerabilities affect software components. An additional 30% of vulnerabilities impact products at the Basic Control Level 1 and Supervisory Control Level 2, combined. Level 1 products include programmable logic controllers (PLCs), remote terminal units (RTUs), and other controllers. For Level 2 products we're talking about human-machine interfaces (HMIs) and SCADA software, for example. At these lower levels, attacks can impact the processes themselves which is why specific devices within specific environments of the OT network are very attractive targets.

Q. What does this mean in terms of mitigation and remediation strategies?

For the first time, our report included a section on mitigation and remediation. We analyzed data gathered from vulnerability disclosures and vendors' responses to find a few important takeaways and next steps.

First, we discovered that approximately 26% of vulnerabilities disclosed have either no available fix or just a partial remediation, and 6.5% of vulnerabilities affect end-of-life products. In both cases, the only solution is to mitigate, if possible, until you can replace the device. Additionally, in contrast to software updates and patches which are easier to implement, firmware updates can take months and sometimes years to develop and distribute. To address firmware vulnerabilities, defenders mostly depend on mitigations as the more immediate, if not only, solution to protect their networks.

Understanding that most defenders rely on mitigations, we looked at which mitigations are more commonly recommended within disclosures, and which are more often or less often implemented and why. The results show that while actionable recommendations like blocking specific ports or updating outdated protocols are important, foundational practices must be in place before those recommendations are even effective. You can't block a specific port without having segmentation, for example. And with the rise in ransomware attacks, secure remote access and protection against phishing are also important. To ensure the effectiveness of the steps recommended in disclosures – like blocking traffic, protocols or ports – defenders of OT networks must first have a defense-in-depth strategy in place in which they layer a variety of security measures. You can't have one without the other.

Q. What about the 74% of vulnerabilities that do have a fix or patch available?

Looking at cases where there are fixes, the majority of updates (59.5%) are software fixes. This ties back to the earlier point that many of the vulnerabilities affecting Level 3 products like servers and databases and software updates and patches are easier to implement. Defenders do have the ability to prioritize patching within their networks.

With respect to firmware remediation solutions, fewer are available. Those that do exist are largely for network devices and Level 1 Basic Control devices (PLCs and RTUs). While it is difficult to update a PLC or RTU, updating a network device like a switch is easier. This demonstrates that even in firmware some prioritization of updates is possible.

So, when thinking of a remediation strategy one general approach could be to prioritize software because those patches and fixes are easier to implement. Within firmware, prioritize certain network equipment over other equipment. And when looking at vulnerabilities that impact PLCs or RTUs, one approach may be to add a third-party solution as a mitigation step.

In the webinar, Chen discusses each of these areas in greater detail and covers additional topics, including the potential need to rethink disclosure deadlines and trends to watch for throughout the remainder of 2021 and into 2022.

Click here to watch the on-demand webinar replay to hear the full discussion, and click here to download the report.