As more chief information security officers (CISOs) become responsible for the safety of industrial networks under the umbrella of IT/OT convergence and digital transformation, it's crucial to have a clear, current picture of risk to industrial control systems (ICS).
One logical place to start is with software and hardware/firmware vulnerabilities. Weaknesses in any component of an ICS device or communication protocol underpinning an operational technology (OT) network are beacons to threat actors. Criminals and nation-state actors are relentless in their pursuit of profit or intelligence, and they're intensifying their aim on industrial networks. While there wasn't a Triton-style attack in 2020, we did see the inclusion of industrial processes in the SNAKE ransomware kill list, and the SolarWinds supply-chain attack demonstrated how vulnerable the extended perimeter can be to an enterprise.
Today, Claroty has released its second Biannual ICS Risk & Vulnerability Report. This report covers the second half of last year, shedding light not only on the number and severity of industrial cybersecurity vulnerabilities disclosed during 2H 2020, but also on emerging trends affecting how security decision makers will tactically and strategically manage risk.
This report is an important resource for CISOs, IT, and OT managers, as it represents a comprehensive examination of ICS vulnerabilities, exposing where bugs have been found and fixed, who is finding them, and what it means for industrial companies moving forward.
"The accelerated convergence of IT and OT networks due to digital transformation enhances the efficiency of ICS processes, but also increases the attack surface available to adversaries," said Amir Preminger, vice president of research at Claroty, who also contributed to this report.
"Nation-state actors are clearly looking at many aspects of the network perimeter to exploit, and cybercriminals are also focusing specifically on ICS processes, which emphasizes the need for security technologies such as network-based detection and secure remote access in industrial environments," Preminger added. "It is heartening to see a growing interest in ICS within the security research community, as we must shine a brighter light on these vulnerabilities in order to keep threats at arm's length."
The ICS research community is growing, an indication not only of a maturing practice, but of the urgent need for response from companies. For example, vendors and industrial organizations must be ready to accept and act upon bug reports, because those reports are not going to abate. We recorded 449 vulnerabilities that were disclosed and fixed during the second half of last year alone. Coupled with the 365 we reported for 1H 2020, that brings the annual count close to 1,000 vulnerabilities, a threshold we're likely to eclipse this year.
This is going to be a crucial step toward locking down OT networks, which are going to continue to fall under the management of IT organizations. Convergence and digital transformation are expanding the attack surfaces IT security teams are responsible for overseeing, and decision-makers will need to understand their risk posture and how technologies such as network-based detection and secure remote access solutions specifically built for OT will be mandated.
Many of the vulnerabilities disclosed in 2H 2020 were concentrated in products from leading vendors such as Schneider Electric, Siemens, and Mitsubishi. These vendors have an abundance of equipment running inside industrial companies available for analysis, and because they're market leaders, they will receive an abundance of attention from researchers and black hats alike.
It's not too dissimilar from the early days of the maturation of IT security, when Microsoft was under constant pressure from customers and security companies to lock down its products and adopt a secure development lifecycle. Windows was—and is—the desktop operating system leader, and with that came relentless attacks from threat actors and discovery after discovery of vulnerabilities by researchers, resulting ultimately in the Trustworthy Computing initiative and regular patch cycles. Other tech giants, such as Oracle and Apple, soon followed that model and instituted their own regular cycle for security updates.
We urge you to download this invaluable report today and share it with the leadership, engineering, and operations teams in your organization. We added new data sources in the 2H 2020 report; those now include ICS-CERT, the National Vulnerability Database (NVD), MITRE, CERT@VDE, and Claroty's vendor partners Schneider Electric and Siemens.
The Claroty Research Team has established itself as a leader among security companies reporting vulnerabilities; in 2H 2020 alone, we disclosed 41 vulnerabilities affecting 14 vendors. That brings us to more than 70 vulnerabilities disclosed as an organization.
Here's a sample of some other data points from the 2H 2020 report:
72% of disclosed vulnerabilities are remotely exploitable.
47% of vulnerabilities affect Levels 1 and 2 of the Purdue Model.
76% of vulnerabilities do not require authentication for exploitation.
Vulnerabilities in ICS products disclosed during 2H 2020 are most prevalent in the critical manufacturing, energy, water and wastewater, and commercial facilities sectors—all of which are designated as critical infrastructure sectors.
78.17% of vulnerabilities do not require user interaction.
78.92% of the vulnerabilities that don't require user interaction are remotely exploitable.
80.95% of the Supervisory Control vulnerabilities require user interaction if exploiting locally.
65.7% of the vulnerabilities can cause total loss of availability.
The report also enumerates the most widely affected vendors and critical infrastructure sectors, the emergence of new researchers and organizations looking for vulnerabilities, and the most common CWEs manifesting in ICS vulnerabilities.
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and misleading victim clients.
Optigo Networks recommends that users upgrade to the following:
CVSS v3: 7.5
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain control over utilities within the products.
Optigo Networks recommends that users upgrade to the following:
CVSS v3: 9.8
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard-coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends that users upgrade to the following:
CVSS v3: 7.5
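The two weaknesses above (an alternate, unauthenticated path into the management service, and a signing secret baked into the shipped product) share one remedy pattern. The following is an added example written for this page, not code from Optigo Networks or from the report: a minimal HS256 JWT issuer/verifier whose secret is generated per installation on first use and refused if it still equals a firmware default, plus a request dispatcher that applies the same authentication check to every path, including management paths, so no route is reachable without a valid token. All names, paths, and the default-secret value are hypothetical and constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import tempfile
import time
from typing import Optional

# Constructed placeholder for a secret baked into firmware (not the product's value).
# Anyone holding a copy of the firmware could sign tokens with it, so an
# installation must refuse to run with it.
HARD_CODED_SECRET = b"changeme-firmware-default-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def temp_secret_path() -> str:
    """Return a fresh path in a private temp directory (for demonstration only)."""
    return os.path.join(tempfile.mkdtemp(), "jwt-signing.key")


def load_or_create_secret(path: str) -> bytes:
    """Per-installation secret created on first boot and never shipped in firmware."""
    if os.path.exists(path):
        with open(path, "rb") as f:
            secret = f.read()
    else:
        secret = secrets.token_bytes(32)
        with open(path, "wb") as f:
            f.write(secret)
        os.chmod(path, 0o600)
    # Refuse a default or short secret: this is the CWE-547 condition.
    if secret == HARD_CODED_SECRET or len(secret) < 32:
        raise ValueError("refusing to run with a default or short signing secret")
    return secret


def mint_token(secret: bytes, sub: str, ttl: int = 3600) -> str:
    """Issue an HS256 JWT for subject `sub` valid for `ttl` seconds."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "exp": int(time.time()) + ttl}).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(secret: bytes, token: str) -> Optional[dict]:
    """Return the payload if the signature and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # reject "none" and algorithm substitution
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) < time.time():
        return None
    return payload


# Uniform authentication: every path, management paths included, goes through
# the same check, so there is no alternate channel that skips it (CWE-288).
PUBLIC_PATHS = {"/login", "/health"}


def handle_request(secret: bytes, path: str, token: Optional[str]) -> int:
    """Return an HTTP-style status: 200 for allowed, 401 for missing/invalid auth."""
    if path in PUBLIC_PATHS:
        return 200
    if token is None or verify_token(secret, token) is None:
        return 401
    return 200


if __name__ == "__main__":
    key = load_or_create_secret(temp_secret_path())
    good = mint_token(key, "operator")
    print(handle_request(key, "/manage/tools", good))   # 200
    print(handle_request(key, "/manage/tools", None))   # 401
```

The dispatcher deliberately lists the public paths and authenticates everything else; an allowlist of unauthenticated routes is much harder to get wrong than a denylist of protected ones.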
CWE-912 HIDDEN FUNCTIONALITY:
The "update" binary in the firmware of the affected product attempts a mount operation against a hard-coded, routable IP address, bypassing existing device network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.
Per FDA recommendation, CISA recommends that users remove any Contec CMS8000 devices from their networks.
If asset owners cannot remove the devices from their networks, they should block 202.114.4.0/24, or block 202.114.4.119 and 202.114.4.120.
Please note that this device may be re-labeled and sold by resellers.
Read more here: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated….
CVSS v3: 7.5
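Blocking the range above is the mitigation; asset owners will also want to know whether any device has already tried to reach it. The following is an added example, not code from CISA or the vendor: a small parser for firewall-style connection logs that flags any flow whose destination falls in 202.114.4.0/24 (the range quoted above), distinguishing the two specific hosts named from the rest of the range. The log format and the sample lines are constructed for the example; the destination port shown is an assumption, not something the advisory states.

```python
import ipaddress
import re

# Addresses named in the CISA guidance quoted above.
BLOCKED_NETWORK = ipaddress.ip_network("202.114.4.0/24")
BLOCKED_HOSTS = {
    ipaddress.ip_address("202.114.4.119"),
    ipaddress.ip_address("202.114.4.120"),
}

# Constructed sample lines in a simple key=value firewall log format; not real captures.
SAMPLE_LOG = """\
2025-01-30T08:12:01Z src=10.20.30.7 dst=10.20.30.1 dport=445 proto=tcp action=allow
2025-01-30T08:12:03Z src=10.20.30.7 dst=202.114.4.119 dport=2049 proto=tcp action=allow
2025-01-30T08:12:05Z src=10.20.30.9 dst=202.114.4.77 dport=111 proto=udp action=allow
2025-01-30T08:12:09Z src=10.20.30.7 dst=8.8.8.8 dport=53 proto=udp action=allow
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line: str):
    """Parse one log line into a record, or return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return {
            "ts": m["ts"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
        }
    except ValueError:  # malformed address
        return None


def classify(dst) -> str:
    """Label a destination: the two named hosts, the wider /24, or nothing."""
    if dst in BLOCKED_HOSTS:
        return "hard-coded-host"
    if dst in BLOCKED_NETWORK:
        return "hard-coded-range"
    return ""


def find_suspect_flows(log_text: str):
    """Return (timestamp, src, dst, dport, reason) for every flow into the blocked range."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec["dst"])
        if reason:
            hits.append((rec["ts"], str(rec["src"]), str(rec["dst"]), rec["dport"], reason))
    return hits


if __name__ == "__main__":
    for hit in find_suspect_flows(SAMPLE_LOG):
        print(hit)
```

Matching on the whole /24 rather than only the two listed hosts follows the advisory's first recommendation; the `reason` label lets an analyst prioritise the exact hosts while still seeing the rest of the range.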
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable because its update mechanism fails to verify the update server's certificate, which could allow an attacker to alter network traffic and carry out a machine-in-the-middle (MITM) attack. An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends that users download v2025.1 or a later version of its software.
CVSS v3: 5.7
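To make the CWE-295 failure concrete, here is an added example written for this page (not Medixant's code, and not a description of how its updater works): the TLS client configuration that produces this weakness beside the corrected one, plus an independent integrity check of the downloaded update against an expected SHA-256 digest, so that even a compromised transport cannot substitute a payload. The sample update bytes and digest are constructed for the example; `download_and_verify` is a hypothetical helper that is defined but not exercised offline.

```python
import hashlib
import hmac
import ssl
import urllib.request


def insecure_update_context() -> ssl.SSLContext:
    """The weak setting: chain and hostname checks disabled, so any on-path
    host that answers on the update server's address is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_update_context(ca_bundle: str = None) -> ssl.SSLContext:
    """The corrected setting: verify the server's chain against trusted CAs
    (optionally a private bundle pinned to the vendor's CA) and check the hostname."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """True only if the context will reject an unverified or mis-named server."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def verify_update_digest(blob: bytes, expected_hex: str) -> bool:
    """Second line of defence: the payload must match a digest obtained out of band."""
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), expected_hex)


def download_and_verify(url: str, expected_hex: str, ctx: ssl.SSLContext) -> bytes:
    """Hypothetical updater: fetch over a verified TLS connection, then check the
    digest before anything is installed. Raises if either check fails."""
    if not context_is_safe(ctx):
        raise ValueError("refusing to fetch updates without certificate validation")
    with urllib.request.urlopen(url, context=ctx) as resp:
        blob = resp.read()
    if not verify_update_digest(blob, expected_hex):
        raise ValueError("update payload does not match expected digest")
    return blob


# Constructed sample payload and its digest, standing in for a published manifest entry.
CONSTRUCTED_UPDATE = b"constructed-update-image-v2025.1"
CONSTRUCTED_DIGEST = hashlib.sha256(CONSTRUCTED_UPDATE).hexdigest()


if __name__ == "__main__":
    print(context_is_safe(insecure_update_context()))    # False
    print(context_is_safe(hardened_update_context()))    # True
    print(verify_update_digest(CONSTRUCTED_UPDATE, CONSTRUCTED_DIGEST))  # True
```

The order of assignments in `insecure_update_context` matters: `ssl` refuses to set `verify_mode = CERT_NONE` while `check_hostname` is still true, which is exactly why code that disables validation tends to disable both, removing two checks at once.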