New data released by Claroty’s Team82 said that industrial control system (ICS) vulnerability disclosures are drastically rising, as high-profile cyber attacks on critical infrastructure and industrial enterprises have elevated ICS security to a mainstream issue.
The Claroty report outlined a 41 percent rise in ICS vulnerabilities disclosed in the first half of this year, compared to the previous six months, which is particularly significant given that in all of 2020, they increased by 25 percent from 2019 and 33 percent from 2018.
In its third ‘Biannual ICS Risk & Vulnerability Report: 1H 2021,’ Claroty said that in the first six months of this year, 637 ICS vulnerabilities were published, affecting products sold by 76 vendors. A large percentage of those vulnerabilities were both remotely exploitable and classified as either critical or high risk. In the company’s second half report of last year, 449 vulnerabilities were disclosed, affecting 59 vendors. Over 70 percent of the vulnerabilities are classified as high or critical, about on par with the second half of last year.
The initial six months of this year was plagued with numerous cybersecurity attacks on the nation’s critical infrastructure community, including the SolarWinds supply chain attack, hack of a Florida water treatment facility, and the ransomware attack on Colonial Pipeline.
This led to various measures carried out by the U.S. government, including announcing in April a 100-day plan to modernize critical electric infrastructure using cybersecurity defenses with aggressive milestones, and releasing in July a second security directive that requires TSA-designated critical pipeline owners and operators that transport hazardous liquids and natural gas to enforce a number of urgently needed protections against cyber intrusions.
The Claroty report delivers comprehensive analysis of ICS vulnerabilities publicly disclosed in the first six months of this year, including those found by Claroty’s research team Team82, and those from various open sources, including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and industrial automation vendors, Schneider Electric and Siemens.
The report clearly shows the trend of ICS vulnerability disclosures rising significantly, throwing focus on the magnitude of security flaws that are just being discovered in operational technology (OT) environments. Claroty’s Team82 report also disclosed 70 vulnerabilities affecting 20 automation and technology vendors, surpassing 150 vulnerabilities disclosed since its inception. These numbers reinforce some of the trends identified by Team82, including the growing number of industrial assets that are now connected to the internet and potentially exposed to hackers.
Claroty’s Team82 report revealed that close to 81 percent of vulnerabilities disclosed during the first half of this year were discovered by sources external to the affected vendor, including a number of research organizations, such as third-party companies, independent researchers, and academics, among others. 42 new researchers disclosed vulnerabilities reported publicly in the first half of this year, as new researchers focused on automation vendors, and also introduced four newly affected vendors.
Siemens was identified as the affected vendor with the most reported vulnerabilities, 146, many of which were disclosed as part of internal research conducted by the Siemens CERT, Claroty’s Team82 said. Twenty vendors whose products had not been affected by ICS vulnerabilities disclosed in 2020 had at least one disclosure during the first half of this year, it added.
Another disclosure by Claroty’s Team82 report is that the largest percentage of vulnerabilities disclosed during the first six months of this year affected Level 3 of the Purdue Model with Operations Management recording about 24 percent, followed by the Level 1: Basic Control at around 15 percent, and Level 2: Supervisory Control registering close to 15 percent. Operations Management can be a critical crossover point with converged IT networks. These systems include servers and databases vital to production workflow, or those that collect data that will be fed to higher-level business systems, some of those operating in the cloud.
At the Basic Control level lie programmable logic controllers (PLCs), remote terminal units (RTUs), and other controllers that monitor Level 0 equipment such as pumps, actuators, and sensors. At the Supervisory Control level are human-machine interfaces (HMIs), SCADA (supervisory control and data acquisition) software, and other tools that monitor and act on Level 1 data, the report added.
Claroty’s Team82 identifies three key trends that are likely to drive activity for at least the next six months. These include OT cloud migration, relentless extortion and ransomware attacks targeting critical infrastructure and OT, and impending U.S. cyber legislation.
By driving enterprises to bring the cloud to industrial processes, businesses derive a number of critical benefits, including better telemetry and analysis of device performance, management of logic and remote device configuration Improved diagnostics and troubleshooting, centralized view of processes, redundancy, critical to business continuity, according to Claroty’s Team82 report. This is digital transformation personified, and when companies begin to manage OT along with IT from the cloud, that convergence will bring with it many shared risks, it added.
Attackers have become more insidious in using ransomware, scouting out victims they believe are most likely to pay high ransom demands, the report said. While municipal governments, healthcare, and education were once considered target-rich environments for ransomware attackers, large manufacturing operations and critical infrastructure are now in the crosshairs.
Claroty’s Team82 report also pointed out that the U.S. administration in July signed a National Security Memorandum for critical infrastructure that established the Industrial Control Systems Cybersecurity Initiative, a voluntary effort aimed at private-sector owners and operators to bring their systems in line with current threats. Performance goals are due from the U.S. government by September, and it is inevitable that these voluntary initiatives to deploy technology that provides visibility into OT networks and threat detection will become mandatory, it added.
“As we look forward, drafts of bills floating through Washington include stringent reporting requirements in the wake of incidents,” according to Claroty’s Team82 report. “There must be caution and patience that any of these mandates do not introduce additional risk or unrealistic expectations of under-resourced operators of smaller utilities and critical infrastructure operators. The government must balance its goals of identifying and removing threat actors from networks against harsh oversight of companies that would benefit instead from guidance and funding,” it added.