As more chief information security officers (CISOs) become responsible for the safety of industrial networks under the umbrella of IT/OT convergence and digital transformation, it's crucial to have a clear, current picture of risk to industrial control systems (ICS).
One logical place to start is with software and hardware/firmware vulnerabilities. A weakness in any component of an ICS device, or in a communication protocol underpinning an operational technology (OT) network, is a beacon to threat actors. Criminals and nation-state actors are relentless in their pursuit of profit or intelligence, and they're sharpening their focus on industrial networks. While there wasn't a Triton-style attack in 2020, we did see industrial processes included in the SNAKE ransomware kill list, and the SolarWinds supply-chain attack demonstrated how vulnerable an enterprise's extended perimeter can be.
Today, Claroty has released its second Biannual ICS Risk & Vulnerability Report. This report covers the second half of last year, shedding light not only on the number and severity of industrial cybersecurity vulnerabilities disclosed during 2H 2020, but also on emerging trends affecting how security decision makers will tactically and strategically manage risk.
This report is an important resource for CISOs, IT, and OT managers, as it represents a comprehensive examination of ICS vulnerabilities, exposing where bugs have been found and fixed, who is finding them, and what it means for industrial companies moving forward.
"The accelerated convergence of IT and OT networks due to digital transformation enhances the efficiency of ICS processes, but also increases the attack surface available to adversaries," said Amir Preminger, vice president of research at Claroty, who also contributed to this report.
"Nation-state actors are clearly looking at many aspects of the network perimeter to exploit, and cybercriminals are also focusing specifically on ICS processes, which emphasizes the need for security technologies such as network-based detection and secure remote access in industrial environments," Preminger added. "It is heartening to see a growing interest in ICS within the security research community, as we must shine a brighter light on these vulnerabilities in order to keep threats at arm's length."
The ICS research community is growing, an indication not only of a maturing practice but of the urgent need for response from companies. For example, vendors and industrial organizations must be ready to accept and act upon bug reports, because those reports are not going to abate. We recorded 449 vulnerabilities that were disclosed and fixed during the second half of last year alone. Coupled with the 365 we reported for 1H 2020, we're closing in on 1,000 annual vulnerabilities, a threshold we're likely to eclipse this year.
Responding to those reports is going to be a crucial step toward locking down OT networks, which will continue to fall under the management of IT organizations. Convergence and digital transformation are expanding the attack surfaces IT security teams are responsible for overseeing, and decision-makers will need to understand their risk posture and how technologies such as network-based detection and secure remote access solutions built specifically for OT will be mandated.
Many of the vulnerabilities disclosed in 2H 2020 were concentrated in products from leading vendors such as Schneider Electric, Siemens, and Mitsubishi. These vendors have an abundance of equipment running inside industrial companies and available for analysis, and because they're market leaders, they receive a corresponding amount of attention from researchers and black hats alike.
It's not too dissimilar from the early days of the maturation of IT security, when Microsoft was under constant pressure from customers and security companies to lock down its products and adopt a secure development lifecycle. Windows was—and is—the desktop operating system leader, and with that came relentless attacks from threat actors and discovery after discovery of vulnerabilities by researchers, resulting ultimately in the Trustworthy Computing initiative and regular patch cycles. Other tech giants, such as Oracle and Apple, soon followed that model and instituted their own regular cycle for security updates.
We urge you to download this invaluable report today and share it with the leadership, engineering, and operations teams in your organization. We added new data sources in the 2H 2020 report; those now include ICS-CERT, the National Vulnerability Database (NVD), MITRE, CERT@VDE, and Claroty's vendor partners Schneider Electric and Siemens.
The Claroty Research Team has established itself as a leader among security companies reporting vulnerabilities; in 2H 2020 alone, we disclosed 41 vulnerabilities affecting 14 vendors. That brings us to more than 70 vulnerabilities disclosed as an organization.
Here's a sample of other data points from the 2H 2020 report:
72% of disclosed vulnerabilities are remotely exploitable.
47% of vulnerabilities affect Levels 1 and 2 of the Purdue Model.
76% of vulnerabilities do not require authentication for exploitation.
Vulnerabilities in ICS products disclosed during 2H 2020 are most prevalent in the critical manufacturing, energy, water and wastewater, and commercial facilities sectors—all of which are designated as critical infrastructure sectors.
78.17% of vulnerabilities do not require user interaction.
78.92% of the vulnerabilities that don't require user interaction are remotely exploitable.
80.95% of the Supervisory Control vulnerabilities require user interaction if exploited locally.
65.7% of the vulnerabilities can cause total loss of availability.
The report also enumerates the most widely affected vendors and critical infrastructure sectors, the emergence of new researchers and organizations looking for vulnerabilities, and the most common CWEs manifesting in ICS vulnerabilities.
CWE-191 INTEGER UNDERFLOW (WRAP OR WRAPAROUND):
The affected product is vulnerable to an integer underflow. An unauthenticated attacker could send a malformed HTTP request, which could allow the attacker to crash the program.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 5.3
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION'):
The affected product is vulnerable to command injection. An unauthenticated attacker could send commands through a malicious HTTP request, which could result in remote code execution.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 9.8
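The command injection finding above has a well-understood shape: a value taken from the HTTP request is spliced into a command string that is handed to a shell. As an added example, not code from Planet Technology or from the report, the C below shows that pattern beside its hardened form for a hypothetical device handler that pings a host named in a request parameter: `build_shell_command()` is the CWE-78 construction (returned for inspection rather than executed), `is_safe_host()` is an allowlist check on the parameter, and `build_ping_argv()` and `run_without_shell()` pass the value as a single argv element to `execvp()`, so no shell ever interprets it. The `ping` use case, the function names and the sample inputs are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed example, not the affected vendor's code: a device web handler
 * that pings a host supplied in an HTTP parameter, shown as the CWE-78
 * pattern (string built for system()) beside the hardened form (validated
 * value, argv array, no shell). */

#define MAX_HOST 253             /* RFC 1123 hostname length limit */

/* CWE-78 pattern: the request value is spliced into a shell command line, so
 * any shell metacharacter in it becomes part of the command. Returned here
 * for inspection only; the vulnerable code would hand it to system(). */
int build_shell_command(const char *host, char *cmd, size_t cmd_len)
{
    int n = snprintf(cmd, cmd_len, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= cmd_len) ? -1 : 0;
}

/* Hardened step 1: accept only what a hostname or IPv4 literal can contain
 * (letters, digits, '.', '-'), with a length bound and no leading '-' or '.'. */
int is_safe_host(const char *host)
{
    size_t i, len = strlen(host);
    if (len == 0 || len > MAX_HOST || host[0] == '-' || host[0] == '.')
        return 0;
    for (i = 0; i < len; i++) {
        char c = host[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Hardened step 2: pass the value as its own argv element. Even if validation
 * were bypassed, execvp() never invokes a shell, so ';', '|' or '$(...)' are
 * just characters inside one argument. argv must have room for 5 pointers. */
int build_ping_argv(const char *host, char *argv[5])
{
    if (!is_safe_host(host))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = (char *)host;      /* execvp() wants char *const argv[] */
    argv[4] = NULL;
    return 0;
}

/* Run argv without a shell and return the child's exit status, or -1. Needs a
 * ping binary and a network, so it is not exercised on an offline host. */
int run_without_shell(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);              /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Two layers are deliberate: the allowlist stops malformed values at the boundary and produces a clean log line for detection, while the argv/`execvp()` path means that even a validation gap does not turn into command execution, because the string never reaches a shell parser.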
CWE-121 STACK-BASED BUFFER OVERFLOW:
The affected product is vulnerable to a stack-based buffer overflow. An unauthenticated attacker could send a malicious HTTP request whose input size the web server fails to check before copying the data to the stack, potentially allowing remote code execution.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 9.8
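The two memory-safety findings above, the integer underflow behind the crash (CWE-191) and the unchecked copy to the stack (CWE-121), share a root cause in how an embedded web server handles lengths that come from the request. As an added example, not code from Planet Technology or from the report, the C below implements a minimal HTTP request parser in which every size derived from attacker-controlled input is checked before it is used: `naive_remaining()` shows the wrapping subtraction a careless parser performs, `checked_remaining()` the guarded form, and `parse_request()` bounds the copy of the URI path into a fixed stack buffer and rejects a Content-Length that would overflow or underflow. The request format handled, the `MAX_PATH` limit and the function names are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed example, not the affected vendor's code: a minimal embedded HTTP
 * parser showing CWE-191 and CWE-121 beside the checks that prevent them. */

#define MAX_PATH 32              /* fixed-size stack buffer for the URI path */

enum parse_status {
    PARSE_OK = 0,
    PARSE_MALFORMED,             /* request line or header block not terminated */
    PARSE_PATH_TOO_LONG,         /* path would overflow the MAX_PATH buffer */
    PARSE_LENGTH_UNDERFLOW       /* Content-Length smaller than bytes received */
};

struct request {
    char path[MAX_PATH];
    size_t remaining;            /* body bytes still expected, never wrapped */
};

/* CWE-191 as a careless parser writes it: with received > declared the result
 * wraps to a value near SIZE_MAX, which a later read or copy treats as real. */
size_t naive_remaining(size_t declared, size_t received)
{
    return declared - received;
}

/* Guarded version: refuse the request instead of wrapping. */
int checked_remaining(size_t declared, size_t received, size_t *remaining)
{
    if (received > declared)
        return -1;
    *remaining = declared - received;
    return 0;
}

/* Content-Length from a header block of hdr_len bytes: returns 0 with *out set
 * (0 when absent), or -1 when the digit string would overflow size_t. */
static int find_content_length(const char *hdr, size_t hdr_len, size_t *out)
{
    static const char key[] = "\r\nContent-Length: ";
    const size_t klen = sizeof key - 1;
    size_t i, v = 0;
    *out = 0;
    for (i = 0; i + klen <= hdr_len; i++) {
        if (memcmp(hdr + i, key, klen) != 0)
            continue;
        for (i += klen; i < hdr_len && hdr[i] >= '0' && hdr[i] <= '9'; i++) {
            size_t d = (size_t)(hdr[i] - '0');
            if (v > (SIZE_MAX - d) / 10)
                return -1;
            v = v * 10 + d;
        }
        *out = v;
        return 0;
    }
    return 0;
}

/* Parse "METHOD SP PATH SP VERSION CRLF headers CRLF CRLF body" from exactly
 * len bytes: nothing is read past len, the only copy into the stack buffer is
 * bounded, and the body arithmetic goes through checked_remaining(). */
enum parse_status parse_request(const char *buf, size_t len, struct request *out)
{
    const char *line_end, *hdr_end = NULL, *p, *path_end;
    size_t i, path_len, header_len, declared;
    line_end = memchr(buf, '\r', len);          /* request line ends at first CR */
    for (i = 0; i + 3 < len && hdr_end == NULL; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0)
            hdr_end = buf + i + 4;
    if (line_end == NULL || hdr_end == NULL)
        return PARSE_MALFORMED;
    p = memchr(buf, ' ', (size_t)(line_end - buf));
    if (p == NULL)
        return PARSE_MALFORMED;
    p++;                                         /* path starts after the method */
    path_end = memchr(p, ' ', (size_t)(line_end - p));
    if (path_end == NULL)
        return PARSE_MALFORMED;
    /* CWE-121 guard: a path that does not fit together with its NUL is
     * rejected, never copied into the fixed buffer. */
    path_len = (size_t)(path_end - p);
    if (path_len >= MAX_PATH)
        return PARSE_PATH_TOO_LONG;
    memcpy(out->path, p, path_len);
    out->path[path_len] = '\0';
    /* CWE-191 guard: declared - received is computed only when it cannot wrap. */
    header_len = (size_t)(hdr_end - buf);        /* <= len by construction */
    if (find_content_length(buf, header_len, &declared) != 0)
        return PARSE_MALFORMED;
    if (checked_remaining(declared, len - header_len, &out->remaining) != 0)
        return PARSE_LENGTH_UNDERFLOW;
    return PARSE_OK;
}

enum parse_status classify_request(const char *req)
{
    struct request r;                            /* status-only wrapper for C strings */
    return parse_request(req, strlen(req), &r);
}
```

When auditing an embedded HTTP stack, these are the two shapes to look for: a `size_t` subtraction whose operands are not ordered first, and a `memcpy` or `strcpy` into an automatic array whose length comes from the request rather than from the size of the destination.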
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor:
Ruijie Reyee OS versions prior to 2.260.0.1329 contain a feature that could enable sub-accounts or attackers to view and exfiltrate sensitive information from all cloud accounts registered to Ruijie's services.
CVSS v3: 6.5
CWE-1391 Use of Weak Credentials:
Ruijie Reyee OS versions prior to 2.260.0.1329 use a weak credential mechanism that could allow an attacker to easily calculate MQTT credentials.
Ruijie reports that the issues have been fixed on the cloud and no action is needed by end users.
CVSS v3: 7.5