Research released by industrial cybersecurity company Dragos revealed that more than 400 CVEs (Common Vulnerabilities and Exposures) affecting ICS and OT networks have at least one publicly available exploit, and some have several. This number is out of a total of more than 3000 CVEs published since 2010.
Public exploits significantly lower the skill and effort needed to exploit a vulnerability. The public exploits tracked by Dragos affect every level of an industrial environment as described in the Purdue Model, providing adversaries with pre-packaged tools that are capable of infiltrating and spreading through ICS and OT networks, Dragos said in a whitepaper.
Adversarial usage of public exploits on ICS networks is not theoretical. Dragos tracks multiple Activity Groups (AG) that use public exploits. The public industrial control systems (ICS) and operational technology (OT) exploits tracked by Dragos have been developed by hundreds of individuals. They affect products developed by more than a hundred vendors.
Leveraging the knowledge of these exploits and then using the appropriate guidance will help ICS operators better determine which vulnerabilities to remediate, the Hanover, Maryland-based company added.
ICS and OT networks are increasingly plagued by public exploits used by malicious adversaries. Dragos activity groups such as Vanadinite, Electrum, Wassonite, and Parasite use public exploits; Shodan’s ICS Radar proves ICS assets are being exposed to the internet; and GreyNoise has found malicious actors scanning for ICS equipment.
In its whitepaper, Dragos also found the ICS/OT exploits affect more than 110 vendors. Of these, seven vendors, who have attracted nearly 40 percent of the published exploits, include Siemens, Schneider Electric, Rockwell Automation, Moxa, Microsoft, Allen-Bradley, and Advantech.
Vulnerabilities exist in every product and public exploits should be expected. Most of the vendors at the top of the affected vendors list openly publish detailed security advisories, mitigation guidelines, and impact statements. Their publications provide insights that help the security community and their customers understand the risk the vulnerabilities pose, Dragos said. It just so happens that this openness makes exploit development easier. As a defender, the takeaway should be to better engage in these vendor communications, it added.
Understanding the actual impact of ICS/OT exploits and how that might eventually affect the industrial process is crucial. While a denial of service attack in the enterprise might be an annoyance, a denial of service of a Purdue Level 1 or 2 system in the ICS network might be dangerous, Dragos said.
Public exploits for Purdue Level 3 systems are of particular interest because they sometimes serve as the initial access point into the ICS network, according to Dragos. The Level 3 device could be as simple as an RDP jump box or something more complicated like a VPN appliance. Either way, exploitation of that type of system earns an adversary broader network access into ICS and OT networks. Remote Desktop Protocol (RDP) software delivers access to a desktop or application hosted on a remote host, enabling organizations to connect to, access, and control data and resources on that host as if they were local.
Furthermore, control of the entry point could allow the adversary to indirectly affect a loss of view and loss of control on the ICS process. Of course, with broader network access, Level 2 exploits also become quite interesting as Level 2 systems act in a supervisory capacity to the industrial process, it added.
The exploitation of Level 2 systems could result in extreme failures beyond loss of view and loss of control, such as manipulation of view and manipulation of control, enabling the attacker to potentially directly affect the industrial process from a Level 2 vantage point, Dragos added.
Given the slow patch cycles within ICS networks, a public exploit is still valuable to an adversary, as the vulnerability is likely to remain unpatched for a longer period. Defenders that track which vulnerabilities have public exploits should prioritize remediation or mitigation efforts and block easy wins for the adversary, it added.
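The prioritization the last paragraph describes, as an added example that is not part of the Dragos whitepaper or this article: a small Python script that ranks a constructed asset inventory by public-exploit availability and Purdue level. The weights, the impact categories, the sample inventory, and the placeholder CVE identifiers are all assumptions made for illustration, not Dragos's methodology or data; the intent is only to show how "has a public exploit" and "which Purdue level" can drive a remediate-versus-mitigate decision when patch cycles are slow.

```python
"""Rank ICS/OT vulnerabilities by public-exploit availability and Purdue level.

Added example with constructed weights and sample data (assumptions, not
Dragos's scoring). Recommendation logic: a vulnerability with a public exploit
is remediated if a patch exists, otherwise mitigated (segmentation, access
restriction) until one does; vulnerabilities without a public exploit are
monitored and scheduled normally.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed weights per Purdue level. Levels 0-2 touch or supervise the process
# (manipulation of view/control is possible); Level 3 hosts such as RDP jump
# boxes and VPN appliances are initial-access footholds; 4-5 are enterprise.
LEVEL_WEIGHT = {0: 5, 1: 5, 2: 5, 3: 4, 4: 2, 5: 1}

# Assumed weights per impact category.
IMPACT_WEIGHT = {"rce": 3, "manipulation": 3, "dos": 2, "info": 1}


@dataclass(frozen=True)
class Vuln:
    cve: str              # placeholder identifiers below, not real CVEs
    asset: str
    purdue_level: int
    impact: str           # one of IMPACT_WEIGHT's keys
    public_exploit: bool
    patch_available: bool


def score(v: Vuln) -> int:
    """Higher means 'fix sooner'. A public exploit doubles the base score."""
    base = LEVEL_WEIGHT.get(v.purdue_level, 1) * IMPACT_WEIGHT.get(v.impact, 1)
    # Denial of service at Level 1/2 is dangerous rather than an annoyance,
    # so it gets a bump that a Level 4 DoS does not.
    if v.impact == "dos" and v.purdue_level <= 2:
        base += 3
    return base * (2 if v.public_exploit else 1)


def recommend(v: Vuln) -> str:
    """Map exploit/patch state to an action the defender can act on today."""
    if not v.public_exploit:
        return "monitor"
    if v.patch_available:
        return "remediate (patch)"
    return "mitigate (segment / restrict access)"


def prioritized_plan(inventory: List[Vuln]) -> List[Tuple[str, int, str]]:
    """Return (cve, score, action) tuples, highest priority first."""
    ranked = sorted(inventory, key=lambda v: (-score(v), v.purdue_level, v.cve))
    return [(v.cve, score(v), recommend(v)) for v in ranked]


# Constructed sample inventory (placeholder CVE ids, fictional assets).
SAMPLE_INVENTORY = [
    Vuln("CVE-0000-0001", "HMI server",              2, "manipulation", True,  False),
    Vuln("CVE-0000-0002", "RDP jump box",            3, "rce",          True,  True),
    Vuln("CVE-0000-0003", "PLC",                     1, "dos",          True,  False),
    Vuln("CVE-0000-0004", "enterprise file server",  4, "rce",          True,  True),
    Vuln("CVE-0000-0005", "engineering workstation", 2, "rce",          False, True),
]

if __name__ == "__main__":
    for cve, s, action in prioritized_plan(SAMPLE_INVENTORY):
        print(f"{cve}  score={s:<3} {action}")
```

Note that the unpatched Level 2 and Level 1 findings rank above the patchable Level 3 jump box even though the jump box is the likelier entry point; that is deliberate, because the page's argument is that process-adjacent systems are where loss or manipulation of control happens, while the jump box has a patch and can be closed off quickly. Adjust `LEVEL_WEIGHT` to match your own site's exposure rather than treating these numbers as authoritative.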