Operational technology (OT) is facing increased scrutiny from the security research community—as well as from threat actors—in a race to find and fix vulnerabilities before they're exploited, and the safety and reliability of critical systems is put to the test.
To that end, I'm excited to share that the Claroty Research Team recently concluded an in-depth analysis of industrial control system (ICS) vulnerabilities disclosed and patched during the first half of the year. The results identify some trends of note to OT security practitioners and technology providers, and provide context to the risks faced by OT networks. They were published today in the inaugural Claroty Biannual ICS Risk & Vulnerability Report.
As a member of the Claroty Research Team and primary author of this report, I recognize the considerable challenges posed by ICS vulnerabilities and am proud to have supported research that aims to further illuminate these challenges and their implications for practitioners, vendors, and other researchers.
"There is a heightened awareness of the risks posed by ICS vulnerabilities and a sharpened focus among researchers and vendors to identify and remediate these vulnerabilities as effectively and efficiently as possible," said Amir Preminger, VP of Research at Claroty, who also contributed to the report.
The dataset making up our research included the 365 vulnerabilities in ICS products sold by 53 vendors published during the first half of the year by the National Vulnerability Database (NVD). We also examined 139 advisories published by the Industrial Control System Computer Emergency Response Team (ICS-CERT). More than 70% of those flaws are exploitable remotely over the network, reinforcing the notion that air-gapped OT networks are uncommon and these networks are no longer isolated from cybersecurity threats.
Compounding the risk posed by remotely exploitable vulnerabilities is the rapidly rising number of remote workers. OT operators have not been spared this phenomenon during the COVID-19 pandemic, and are connecting remotely to ICS networks at an unprecedented rate. This dynamic, in parallel with the rise in remotely exploitable bugs, should enhance the focus on OT vulnerabilities.
Our team this year, meanwhile, has disclosed 26 vulnerabilities that have been patched by vendors, largely those with massive install bases and that are important providers within industrial operations. Security flaws in engineering workstations and programmable logic controllers (PLCs) make up the majority of vulnerable product types that we discovered. Not only are engineering workstations and PLCs critical to industrial operations, but they are also appealing targets for adversaries.
Engineering workstations, for example, often connect to IT networks, and a successful exploit against vulnerable workstations give attackers an initial network foothold. PLCs, meanwhile, largely control physical processes within OT networks, and attacks against those units can affect the reliability of plant processes, for example.
Among the 26 vulnerabilities found by Claroty, more than 60% enable remote code execution against OT networks. Others allow for denial-of-service attacks, or power-over-ethernet attacks.
In all, there was a 10.3% year-over-year increase in vulnerabilities published by the NVD during the first half of the year compared to 2019; three-quarters of these vulnerabilities were assigned critical or high-severity ratings. There was also a 32.4% increase in the number of ICS-CERT advisories published so far this year compared to last year; third-party researchers accounted for more than 71% of ICS-CERT advisories attesting to their critical role in vetting ICS device security.
Today's report also enumerates the ICS vendors and products mentioned in NVD and ICS-CERT advisories, and breaks them down by critical industry and the impact of the respective vulnerabilities on each industry.
Claroty's Chief Product Officer, Grant Geyer, will also be providing a deeper look at the report's findings during a live webinar and Q&A session on August 27th. Register Here.
CWE-284: Improper access control
A network-adjacent authenticated attacker may perform unintended operations
CVSS v3: 5.5
CWE-321: Use of hard-coded cryptographic key
A network-adjacent unauthenticated attacker may log in to SFTP service and obtain and/or manipulate unauthorized files
CVSS v3: 5.4
CWE-522: Insufficiently protected credentials
A network-adjacent unauthenticated attacker may obtain sensitive information such as a username and its password in the address book
CVSS v3: 6.5
CWE-78: OS command injection
A network-adjacent authenticated attacker may execute an arbitrary OS command with root privileges by sending a specially crafted request
CVSS v3: 8.0
CWE-306: MISSING AUTHENTICATION FOR CRITICAL FUNCTION
The affected product is vulnerable to an attacker being able to use commands without providing a password which may allow an attacker to leak information.
Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution, impersonate and send false information, or bypass authentication.
Elvaco has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of affected versions of M-Bus Metering Gateway CMe3100 are invited to contact Elvaco customer support for additional information.
CVSS v3: 7.5