This is Team82’s fourth Biannual ICS Risk & Vulnerability Report, and since 2020, we’ve made it clear that vulnerabilities in automation products are as prevalent as they are elsewhere in the tech stack.
The number of vulnerabilities being disclosed, and the growing population of researchers looking for exploitable flaws in ICS and OT products has been on an upward trajectory for some time. What’s important now is to reinforce the importance of patching and mitigating vulnerabilities, how the industry is maturing to blunt the impact of software and firmware issues, and what you as decision-makers need to do to address this risk within the industrial enterprise.
This report is a reflection of those trends, and brings important context to the unique discipline of ICS vulnerability research and managing that risk. We hope it’s a useful resource for you.
Team82 shares some of the top highlights from this edition of the Biannual ICS Risk & Vulnerability Report: 2H 2021
Finding vulnerabilities is one thing; fixing them is quite another. Flaws in software are far less challenging to patch than in firmware, and this is reflected in Team82’s dataset for the 2H 2021 which shows three-quarters of fully remediated vulnerabilities are software based.
are software based. Emphasizing that given the comparative ease in patching software over firmware, defenders have the ability to prioritize patching within their environments
when exploited, could result in remote code execution or in denial-of-service
Not every ICS vulnerability can be immediately patched, as you’ll read in our report. It’s important to have foundational strategies in place to mitigate the effects of software and firmware vulnerabilities until a patch is available from a vendor. These are the top mitigation suggestions to counter threats over the network and even those targeting human frailty via social engineering.
Automation vendors such as Siemens AG, Schneider Electric, and Rockwell Automation, have mature internal product security teams who are finding and disclosing vulnerabilities at a sparkling rate, contributing to a safer ecosystem. Smaller vendors, meanwhile, are following their lead and Team82 has partnered with many to help improve not only their research efforts, but disclosure processes, and most importantly, testing remediations for efficacy.
In number of vulnerabilities disclosed through internal vendor research
In vulnerabilities disclosed
OT and ICS products have extended shelf lives. Products that weren’t built for internet connectivity are coming online, and many of those are no longer supported by vendors. This is something security analysts, asset owners, and operators must track: Here’s a sample of vulnerability data affecting end-of-life products.
Are exploitable remotely via a network attack vector
Are found in Level 1 – Basic Control devices such as: PLCs, RTUs ets.
When successfully exploited could lead to code execution or denial-of-service
Mapping some of Team82’s 2H 2021 vulnerability data against the Purdue Model and networking layers on the OSI model, you’ll notice the extensive exposure at the Operations Management and Supervisory Control levels. Attackers have an array of vulnerabilities exploitable over the network, requiring extra vigilance to defend against remote attacks. As for locally exploitable vulnerabilities, a large majority require user interaction for exploitation.
Require user interaction for exploitation showing the importance of awareness and protection against social engineering tactics among workers with access to critical assets.
Unauthenticated attackers, once they have a network foothold, can often move laterally—and quietly—on a network in order to steal data, launch ransomware, or access systems with privileged access. You can see here that an overwhelming majority of vulnerabilities require no action on the user’s part for exploitation.
meaning the attacker does not depend on the participation of a separate user or user-initiated process in order to exploit the vulnerability
There are more independent researchers and maturing internal vulnerability research teams emerging than ever before looking into industrial control systems. Those who are looking at control systems and OT protocols are looking for the highest impact flaws; defenders must take CVSS scoring into consideration, but it cannot be the only determining factor as to the risk to one’s environment.
reflecting the broader tendency among ICS security researchers to focus on identifying vulnerabilities with the greatest potential impact in order to maximize harm reduction
Converged Extended IoT environments are moving to the cloud. How will you secure those connections?
Secure development and visibility into software and firmware components are game-changers.
Beware ransomware attacks as a cover for deeper intrusions against critical infrastructure
The number of vulnerabilities disclosed by Team82
The number of ICS vulnerabilities disclosed industry-wide
Percentage increase of vulnerabilities disclosed
Please complete the form to download the Report.