Team82 Blog / 4 min read
Four reports and two years have passed since the first Claroty Biannual ICS Risk & Vulnerability Report, and in that time we have established two constants: the number of vulnerabilities being disclosed continues to increase, and the growing population of researchers and product CIRT teams looking for exploitable flaws in ICS and OT products remains on an upward trajectory.
With those two trends all but certain to continue for the time being, it's time to readjust the industry's focus toward remediation and mitigation efforts. Finding and counting vulnerabilities has its place, but it's meaningless to users without reliable processes for addressing the risk these vulnerabilities pose to the industrial enterprise.
Today, Claroty's research arm Team82 releases its latest Biannual ICS Risk & Vulnerability Report, which provides decision-makers with a clear picture and understanding of the ICS and OT vulnerability landscape for the second half of 2021. While we cannot gloss over the 110% increase in the number of vulnerabilities disclosed during the latter half of last year (797 disclosed industry-wide), we believe it's important to highlight which vulnerabilities are being fully remediated by affected vendors, show you the best mitigations available when patches or updates are not immediately available, and explain how vendors are maturing their internal security practices to catch and fix bugs before attackers exploit them.
Let's look at some highlights from the report:
The Extended Internet of Things (XIoT) is an umbrella term for connected cyber-physical systems, encompassing not only operational technology, but also connected medical devices, and other IoT systems within the enterprise. Many of these were not designed to be securely connected online, yet that's not stopping the momentum of digital transformation within heavy industry, healthcare, and elsewhere.
Our dataset for this report demonstrates increased attention from vulnerability researchers into these sectors as well. Decision-makers needing justification for the prioritization of XIoT cybersecurity need look no further than the chart below, which illustrates how 34% of vulnerabilities disclosed in just the last six months of 2021 were found in software and firmware running within systems not designated as purely OT.
Team82 has found more than 260 vulnerabilities since its inception, doing so in a coordinated fashion with affected vendors to great success. Finding and counting vulnerabilities is important, but only if it leads to a mature, safe ecosystem that is able to patch bugs, distribute fixes to users, and see those remediations implemented in a timely manner.
Our dataset confirms that software remediations are much simpler to develop for ICS products than firmware updates, which have much longer development and implementation cycles. That trend is reflected in our data, which reveals that 74% of fully remediated vulnerabilities are software-based.
Vulnerability disclosures aren't always accompanied by a software patch or firmware update; many times, for example, products are no longer supported by vendors, who urge users to upgrade equipment to current levels rather than supply further security updates. Couple this with the overwhelming number of legacy products still humming along supporting industrial processes worldwide, and companies' windows of exposure can be extensive. Have a look at some data related to the 29 vulnerabilities disclosed in end-of-life products:
In those cases where patches are not, or won't be, available, affected vendors and industry groups such as ICS-CERT may recommend mitigations—many of which should be considered security best practices and fundamental security hygiene measures—to blunt the impact of software and firmware vulnerabilities until a fix is available. Here are the top mitigation options recommended by affected vendors and industry groups.
Here's another sign of a maturing vulnerability research ecosystem: Team82 tracks parties disclosing vulnerabilities, and third-party research organizations and independent researchers continue to report the most vulnerabilities to affected vendors. But we're also seeing a growing number of vulnerabilities being found and publicly disclosed by internal research teams, below.
Team82, meanwhile, has partnered with many vendors on research initiatives, including leading automation vendors such as Siemens AG, Schneider Electric, and Rockwell Automation, all of which have mature internal product security teams that are vigilant about finding and fixing vulnerabilities in their products. Many smaller vendors are following that lead and realizing the importance of lessening their users' exposure to exploit attempts.
We urge you to download the report and share it with your technical colleagues and internal decision-makers. This is the best snapshot you'll find of the current XIoT vulnerability landscape, and an essential tool to help prioritize vulnerability remediation and risk mitigation efforts within your company.
CWE-749 Exposed Dangerous Method or Function
When user authentication is not enabled, the shell can execute commands with the highest privileges. On Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A), any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP, the RTU will simply accept the message with no authentication challenge.
CVSS V3: 10
CWE-288: Authentication Bypass Using an Alternative Path or Channel
On Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A), any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message is received over TCP/IP, the RTU will simply accept the message with no authentication challenge.
CVSS V3: 10
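An added illustration of the CWE-288 pattern described in the two Red Lion entries above, and of the fix a product team would apply; this is example code, not code from the advisory or the vendor. The message layout, field names and token are constructed stand-ins, not the Sixnet UDR format, and the "auth_enabled" flag models the UDR-A setting.

```python
"""CWE-288: authentication enforced on one transport but not another, and the fix.
Constructed model only; the real Sixnet UDR protocol is not reproduced here."""
import hmac
from dataclasses import dataclass
from typing import Optional

VALID_TOKEN = "example-token"  # constructed credential for the demo


@dataclass
class Message:
    command: str
    token: Optional[str] = None  # set only if the client answered the auth challenge


def _execute(msg: Message) -> str:
    """Stand-in for the RTU acting on a command (no real side effects)."""
    return f"executed {msg.command}"


# --- Vulnerable pattern: the check lives inside one transport handler only ---
def vulnerable_udp_handler(msg: Message, auth_enabled: bool = True) -> str:
    if auth_enabled and msg.token != VALID_TOKEN:
        return "rejected: authentication required"
    return _execute(msg)


def vulnerable_tcp_handler(msg: Message, auth_enabled: bool = True) -> str:
    # Bug: the TCP path never consults auth_enabled, so the same message that is
    # challenged over UDP is accepted here unconditionally.
    return _execute(msg)


# --- Hardened pattern: one transport-agnostic gate in front of execution ---
def _authorized(msg: Message, auth_enabled: bool) -> bool:
    if not auth_enabled:
        return True
    # Constant-time compare; a missing token is never accepted.
    return msg.token is not None and hmac.compare_digest(msg.token, VALID_TOKEN)


def dispatch(msg: Message, transport: str, auth_enabled: bool = True) -> str:
    """Every transport funnels through the same authorization decision."""
    if transport not in ("udp", "tcp"):
        raise ValueError(f"unknown transport {transport!r}")
    if not _authorized(msg, auth_enabled):
        return "rejected: authentication required"
    return _execute(msg)
```

A code-review check for this class of bug is to confirm that the authorization decision is reachable from exactly one place, regardless of how many listeners feed it.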
The vulnerability is caused by the use of deprecated deserialization functions and/or classes such as BinaryFormatter in the zenon internal graphic utility DLLs.
CVSS V3: 6.3
The vulnerability is caused by the default directory permissions for the Zenon Projects directory in the engineering studio default workspace. Because all users on the system are granted access, an attacker may alter the zenon project itself to load arbitrary zenon projects in the zenon runtime.
CVSS V3: 5.9
Code execution by overwriting a service executable in the utilities directory. The vulnerability is caused by weakly configured default directory permissions on the ABB Utilities directory.
CVSS V3: 7.0