Operational technology (OT) is facing increased scrutiny from the security research community—as well as from threat actors—in a race to find and fix vulnerabilities before they're exploited, and the safety and reliability of critical systems is put to the test.
To that end, I'm excited to share that the Claroty Research Team recently concluded an in-depth analysis of industrial control system (ICS) vulnerabilities disclosed and patched during the first half of the year. The results identify some trends of note to OT security practitioners and technology providers, and provide context to the risks faced by OT networks. They were published today in the inaugural Claroty Biannual ICS Risk & Vulnerability Report.
As a member of the Claroty Research Team and primary author of this report, I recognize the considerable challenges posed by ICS vulnerabilities and am proud to have supported research that aims to further illuminate these challenges and their implications for practitioners, vendors, and other researchers.
"There is a heightened awareness of the risks posed by ICS vulnerabilities and a sharpened focus among researchers and vendors to identify and remediate these vulnerabilities as effectively and efficiently as possible," said Amir Preminger, VP of Research at Claroty, who also contributed to the report.
The dataset making up our research included the 365 vulnerabilities in ICS products sold by 53 vendors published during the first half of the year by the National Vulnerability Database (NVD). We also examined 139 advisories published by the Industrial Control System Computer Emergency Response Team (ICS-CERT). More than 70% of those flaws are exploitable remotely over the network, reinforcing the notion that air-gapped OT networks are uncommon and these networks are no longer isolated from cybersecurity threats.
Compounding the risk posed by remotely exploitable vulnerabilities is the rapidly rising number of remote workers. OT operators have not been spared this phenomenon during the COVID-19 pandemic, and are connecting remotely to ICS networks at an unprecedented rate. This dynamic, in parallel with the rise in remotely exploitable bugs, should enhance the focus on OT vulnerabilities.
Meanwhile, our team has disclosed 26 vulnerabilities this year that have been patched by vendors, largely vendors with massive install bases that are important providers within industrial operations. Security flaws in engineering workstations and programmable logic controllers (PLCs) make up the majority of vulnerable product types that we discovered. Not only are engineering workstations and PLCs critical to industrial operations, but they are also appealing targets for adversaries.
Engineering workstations, for example, often connect to IT networks, and a successful exploit against a vulnerable workstation gives attackers an initial network foothold. PLCs, meanwhile, largely control physical processes within OT networks, and attacks against those units can affect the reliability of plant processes.
Among the 26 vulnerabilities found by Claroty, more than 60% enable remote code execution against OT networks. Others allow for denial-of-service attacks, or power-over-ethernet attacks.
In all, there was a 10.3% year-over-year increase in vulnerabilities published by the NVD during the first half of the year compared to 2019; three-quarters of these vulnerabilities were assigned critical or high-severity ratings. There was also a 32.4% increase in the number of ICS-CERT advisories published so far this year compared to last year; third-party researchers accounted for more than 71% of ICS-CERT advisories, attesting to their critical role in vetting ICS device security.
Today's report also enumerates the ICS vendors and products mentioned in NVD and ICS-CERT advisories, and breaks them down by critical industry and the impact of the respective vulnerabilities on each industry.
Claroty's Chief Product Officer, Grant Geyer, will also be providing a deeper look at the report's findings during a live webinar and Q&A session on August 27th.
CWE-749: Exposed Dangerous Method or Function
When user authentication is not enabled, the shell can execute commands with the highest privileges. On Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A), any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP, the RTU will simply accept the message with no authentication challenge.
CVSS V3: 10
CWE-288: Authentication Bypass Using an Alternative Path or Channel
On Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A), any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message is received over TCP/IP, the RTU will simply accept the message with no authentication challenge.
CVSS V3: 10
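The alternate-channel flaw described in the two Red Lion entries above, modelled as an added example (not Red Lion firmware and not code from the advisory). The session model, handler names, key and HMAC challenge are assumptions made for illustration; the point is the regression check that every transport reaches the same authentication gate.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-demo-key"  # constructed sample credential, not a real one
TRANSPORTS = ("udp", "tcp")       # the two channels named in the advisory text


def sign(challenge):
    """Response a legitimate client would send for a challenge (assumed scheme)."""
    return hmac.new(SECRET, challenge, hashlib.sha256).digest()


class Session:
    """Hypothetical per-peer state kept by the device."""

    def __init__(self, transport):
        self.transport = transport
        self.challenge = os.urandom(16)
        self.authenticated = False

    def answer(self, response):
        # Constant-time comparison of the peer's response.
        self.authenticated = hmac.compare_digest(sign(self.challenge), response)
        return self.authenticated


def execute(command):
    return "executed:" + command


def handle_flawed(session, command):
    # Flaw being modelled: the challenge is enforced only in the UDP branch,
    # so the same message over TCP reaches execute() unauthenticated.
    if session.transport == "udp" and not session.authenticated:
        return "challenge"
    return execute(command)


def handle_hardened(session, command):
    # The decision depends on session state only, never on the transport.
    if not session.authenticated:
        return "challenge"
    return execute(command)


def unauthenticated_paths(handler):
    """Transports on which a fresh, unauthenticated session gets a command run."""
    return [t for t in TRANSPORTS
            if handler(Session(t), "write") != "challenge"]
```

Running `unauthenticated_paths` against every message handler in a test suite catches a channel that was added later without the authentication gate.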
The vulnerability is caused by the use of deprecated deserialization functions and/or classes such as BinaryFormatter in the zenon internal graphic utility DLLs.
CVSS V3: 6.3
The vulnerability is caused by the default directory permissions for the Zenon Projects directory in the engineering studio default workspace. Because all users on the system are allowed access, an attacker may alter the zenon project itself to load arbitrary zenon projects in the zenon runtime.
CVSS V3: 5.9
Code execution through overwriting a service executable in the utilities directory. The vulnerability is caused by the weakly configured default directory permission for the ABB Utilities directory.
CVSS V3: 7.0