Team82 Blog
One thing that's been established so far in 2021 is that industrial control system (ICS) and operational technology (OT) cybersecurity has gone mainstream. High-profile attacks such as those on the Oldsmar, Fla., water treatment facility and Colonial Pipeline made sure of that; not only were there the obvious impacts to system availability and service delivery, but the state of resilience among industrial enterprises was exposed, and the U.S. government has taken notice.
This is the context under which Claroty's Team82 today publishes its latest Biannual ICS Risk & Vulnerability Report. Available now, the report covers ICS and OT vulnerabilities disclosed during the first half of the year. It also identifies a number of trends to watch that have emerged in the wake of relentless extortion-style attacks and increased attention to ICS and OT vulnerabilities from researchers and threat actors alike.
This report continues to be one of the most important resources available to CISOs and IT and OT network managers, providing those decision makers with a comprehensive analysis of software and firmware vulnerabilities affecting industrial products. Leaders are urged to use this report to frame discussions around vulnerability management and resource prioritization as companies move forward converging IT and OT environments, bringing cloud to ICS and OT, and preparing for impending U.S. cyber legislation specific to critical infrastructure.
The report also demonstrates the work being done by Team82, the research leader among industrial cybersecurity companies. Team82 disclosed 70 vulnerabilities affecting 20 automation and technology vendors, surpassing 150 vulnerabilities disclosed since its inception.
While many of the numbers in the report are eye-opening and impressive, they do illustrate an ongoing trend since Claroty began publishing these twice-a-year snapshots: the quantity of vulnerabilities being disclosed—and patched or mitigated—continues on an upward trajectory. There are numerous factors behind that growth, starting with the fact that more researchers than ever are looking for bugs in ICS products and OT protocols (42 new researchers disclosed vulnerabilities in 1H 2021, and 20 vendors had public vulnerability disclosures for the first time). Also, organizations that have integrated OT management under IT or brought the cloud to OT are not only enjoying improved business efficiencies and analytics, but are expanding attack surfaces and exposing devices to the internet that were never meant to be connected.
Most importantly, we took a deep dive into patching and other remediations, including vendor-provided mitigations. It's no surprise that software vulnerabilities are being patched at a much higher rate than firmware bugs, but it's a truism in ICS and OT security circles that patching and product updates require downtime that's intolerable in many arenas. Therefore, mitigations carry significant weight for defenders. We measured the mitigations most recommended by vendors and industry CERTs, and network segmentation and secure remote access were far and away the top mitigation steps in 1H 2021.
As air-gapped OT networks become relics of the past, network segmentation takes on a prominent profile among mitigations. Techniques such as virtual zoning—zone-specific policies tailored to engineering or other process-oriented functions—will also ascend alongside segmentation as an indispensable mitigation.
Secure remote access, meanwhile, was a close second to segmentation as a top mitigation step. Proper access controls and privilege management can go a long way toward shutting down the next Oldsmar-type incident, and more importantly, keep profit-oriented actors from moving laterally through IT and OT networks, stealing data, and dropping malware such as ransomware.
Alarmingly, complete firmware fixes were scarce: almost 62% of flaws in firmware had either no fix or only a partial remediation recommended, and most of those bugs were in products deployed at Level 1 of the Purdue Model, the Basic Control level.
Better news lies on the software side of the house, where almost 60% of vulnerabilities were remediated. This is no real surprise given the comparative ease in applying a software patch versus a firmware update in any environment.
And while we're on the Purdue Model, 23.55% of the vulnerabilities disclosed in 1H 2021 were found in products at Level 3, Operations Management, which includes Historian databases, OPC servers, and other critical machines. The next most affected Purdue Model level was Level 1, Basic Control, where 15.23% of the vulnerabilities disclosed in 1H 2021 were found, followed by Level 2, Supervisory Control. This zone includes HMIs, SCADA systems, engineering workstations, and other machines that communicate directly with PLCs, RTUs, and controllers at Level 1.
Meanwhile, here's a sample of some other interesting data points from the report that paint the best picture of the ICS risk and vulnerability landscape in 1H 2021:
637: The number of ICS vulnerabilities disclosed in 1H 2021, almost 200 more than in our previous report covering 2H 2020
61.4%: The percentage of remotely exploitable ICS vulnerabilities
31.6%: The percentage of locally exploitable ICS vulnerabilities
26%: The percentage of ICS vulnerabilities that went unpatched, or for which only a partial remediation was suggested
65%: The percentage of ICS vulnerabilities likely to lead to total loss of availability
70: The number of vulnerabilities disclosed by Claroty's Team82 in 1H 2021; Claroty has surpassed 150 vulnerabilities disclosed since Team82's inception.
Download the report and spend some time looking at the trends and numbers. We'd love to hear your thoughts on the data and conclusions.
CWE-256: Plaintext Storage of a Password
In the AutomationDirect C-MORE EA9 HMI, credentials used by the platform are stored in plain text on the device.
AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78.
Affected versions:
CVSS v3: 6.5
CWE-121: Stack-based Buffer Overflow
In the AutomationDirect C-MORE EA9 HMI there is a program that copies a buffer of a size controlled by the user into a limited-size buffer on the stack, which leads to a stack overflow. This stack-based buffer overflow results in a denial-of-service condition.
AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78.
Affected versions:
CVSS v3: 4.3
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
There is a function in the AutomationDirect C-MORE EA9 HMI that accepts a relative path in the URL without properly sanitizing its content.
AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78.
Affected versions:
CVSS v3: 7.5
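The kind of check that closes the path-traversal class above, as an added example that is not code from the original post or from AutomationDirect: it percent-decodes a requested URL path (including double-encoded forms), normalizes separators, resolves each segment against a stack, and refuses any request that would climb above the document root. The `/www` root and the request paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/www"  # assumed document root for the embedded web server


def fully_decode(url_path: str, max_rounds: int = 2) -> str:
    """Percent-decode repeatedly so that %2e%2e and %252e%252e both become '..'."""
    decoded = url_path
    for _ in range(max_rounds):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    return decoded


def resolve_within_root(url_path: str, doc_root: str = DOC_ROOT):
    """Map a request path to a filesystem path inside doc_root.

    Returns the resolved path, or None when the request must be rejected:
    embedded NUL bytes, or a '..' that would step above the root.
    """
    path_only = url_path.split("?", 1)[0]          # drop any query string
    decoded = fully_decode(path_only)
    if "\x00" in decoded:
        return None                                 # NUL would truncate C-string paths
    decoded = decoded.replace("\\", "/")            # treat backslash as a separator too
    stack = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue                                # empty or current-dir segments are no-ops
        if segment == "..":
            if not stack:
                return None                         # traversal above the document root
            stack.pop()
        else:
            stack.append(segment)
    return posixpath.join(doc_root, *stack) if stack else doc_root


def classify_requests(paths):
    """Return (request, resolved-or-None) pairs for a batch of request paths."""
    return [(p, resolve_within_root(p)) for p in paths]


if __name__ == "__main__":
    # Constructed sample requests: a few legitimate ones and several traversal attempts.
    for req, result in classify_requests(["/index.htm", "/css/../index.htm",
                                          "/../etc/passwd", "/%252e%252e/etc/passwd"]):
        print(f"{req!r:32} -> {'REJECT' if result is None else result}")
```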
CWE-319: Cleartext Transmission of Sensitive Information
The affected product is vulnerable to a cleartext transmission of sensitive information vulnerability, which may allow an attacker to capture packets to craft their own requests.
Softing edgeConnector: Version 3.60 and Softing edgeAggregator: Version 3.60 are affected. Update Softing edgeConnector and edgeAggregator to v3.70 or greater.
CVSS v3: 8.0
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Unitronics released an update to its UniStream UniLogic software, fixing multiple security vulnerabilities. Update as soon as possible to version 1.35.227 or the latest version provided by Unitronics.
[Read more: New Critical Vulnerabilities in Unitronics UniStream Devices Uncovered.]
CVSS v3: 8.8