Industrial systems are increasingly targeted by ransomware, and attacks on critical infrastructure, like the one on Colonial Pipeline, show just how high the stakes are. Now a new report, released today by Team82 from industrial security company Claroty, shows a sharp acceleration in vulnerability disclosures for industrial control systems (ICS). Many are of “high” or “critical” risk, and the vast majority have low attack complexity, meaning they don’t require special conditions and are easily repeatable.
According to the research, 637 ICS vulnerabilities were disclosed in the first half of 2021, a 41% increase compared to the second half of 2020. For comparison, the overall increase between 2019 and 2020 was just 25%.
The vulnerabilities disclosed affect various levels of the Purdue Model, including operations management (23.55%); supervisory control (14.76%); and basic control (15.23%), which monitors equipment such as sensors, pumps, actuators, and more.
“The most significant finding was the rise in vulnerabilities that may lead to remote code execution disclosed in [basic controls],” Claroty security researcher Chen Fradkin told VentureBeat. The report states that 61% of the vulnerabilities detected are remotely exploitable, underlining the importance of securing IoT and IIoT devices.
Fradkin added that an increase in researchers looking for vulnerabilities plays a role in the uptick, but that because these vulnerabilities have existed all along, they’ve also long been exposed to threat actors.
More on the findings
Of the vulnerabilities discovered, 71% are classified as “high” or “critical” risk, according to the research. The report also says 65% may cause total loss of availability, resulting in denial of access to resources. Even more concerning, 26% have either no available fix or only a partial remediation, highlighting a key challenge of securing OT environments compared to IT environments.
What’s more, the bar for these attacks isn’t necessarily high. A whopping 90% of vulnerabilities were found to have a low attack complexity, and 74% do not require privileges. Additionally, 66% do not even require user interaction, such as clicking a link or sharing sensitive information.
“Assets are exposed online in record numbers, and along with them, all their blemishes: unpatched vulnerabilities, unsecured credentials, weak configurations, and the use of outdated industrial protocols,” the report reads.
Fradkin says any enterprise with industrial operations — including critical infrastructure — that’s using the affected products is at risk. This likely includes those in electric utilities, oil and gas, food and beverage, water utilities, automotive production, pharmaceuticals, and many others. Siemens was the affected vendor with the most reported vulnerabilities, followed by Schneider Electric, Rockwell Automation, WAGO, and Advantech.
As enterprises modernize and connect to the cloud, more vulnerabilities and attacks are likely. And while cyberattacks are on the rise overall, the nature of industrial control technology is playing a role.
“These products have extensive shelf lives, and updating them can be challenging without introducing downtime, which is unacceptable in many critical industries,” Fradkin said. She added that Team82 saw more vulnerabilities reported with mitigation or patch responses taking longer than 90 days. “This means that in the case of ICS vulnerability management, longer timelines may be required because of the complexity of devices, environments, and update schedules.”
Securing the enterprise
Citing the top mitigation steps noted in ICS-CERT, Fradkin recommends enterprises focus on network segmentation, secure remote access, and protection against ransomware, phishing, and spam.
The report further suggests organizations evaluate risks — including a lack of protocol support for encryption and authentication. As more data makes its way into industrial systems (and everywhere else), it’s essential that data remain encrypted at all times, both in transit and while at rest. “This will be especially evident as companies begin to put services and applications such as Historian databases in the cloud, receiving data from [basic control] devices such as programmable logic controllers,” the report states.