Dragos reports unprecedented surge in OT vulnerabilities, signals need for improved cybersecurity measures

New research data from industrial cybersecurity firm Dragos disclosed that OT (operational technology) vulnerabilities have accumulated at an unprecedented rate, akin to the rapid pile-up of unread emails in an inbox over the past year. Additionally, the company has independently evaluated, rectified, and enhanced the details of 2,010 vulnerabilities affecting industrial systems in 2023. 

Utilizing the Dragos Platform, the analysis facilitates the classification of OT vulnerabilities into three categories – NOW, NEXT, and NEVER. Remarkably, only 3 percent of these vulnerabilities were deemed urgent and required immediate action (NOW), suggesting that the majority can be managed through alternative strategies, such as continuous monitoring and the implementation of multi-factor authentication (MFA).

“I like pointing at the vulnerabilities because I would say the first thing that an it person does when they walk into an OT network is go, oh my gosh, it’s so vulnerable. We got to fix these vulnerabilities,” Robert M. Lee, co-founder and CEO of Dragos, said at an exclusive briefing last week. “And that’s not necessarily the case. There’s a lot of vulnerabilities that are just useless, but there are some that we want to pay attention to. So we saw an increase in the number of ICS vulnerabilities, which makes sense, but we do want to pay attention to some of these. The problem is, the state of the union of the vulnerabilities is still pretty bad.” 

As an example, Lee cited that 29 percent of all of the ICS or OT-specific vulnerabilities this past year had incorrect data. “Wrong hardware, wrong software, wrong version, wrong mitigation, wrong criticality.”

The data from Dragos’ 2023 OT Cybersecurity Year in Review highlights the crossroads of unprecedented challenges and unparalleled opportunities. The past year was marked by geopolitical strife that heavily influenced the OT threat landscape, affecting industrial sectors worldwide. Ransomware attacks not only increased in frequency but also their impact on businesses, while the accumulation of vulnerabilities in industrial systems highlighted critical areas of concern. 

Although there have been strides towards improvement in certain sectors, punctuated by notable successes in OT cybersecurity, the journey is far from complete. The urgency to fortify OT against the rising tide of cyber threats has never been more critical. The path forward is clear, and the time is now. 

The Dragos report also highlighted the difference between IT and OT environments is pronounced when assessing vulnerabilities. “The type of devices, systems, and protocols used within OT environments, the network architecture of typical OT networks, and the impact vulnerabilities can have on normal operations and the physical world drive these differences.” 

OT vulnerabilities should be mitigated and addressed differently than IT vulnerabilities based on the strict operational requirements of OT systems (e.g., system uptime and vendor qualification processes). Many vulnerability management programs focus their remediation on ‘Critical’ vulnerabilities with a CVSS of 9.0 or higher. That is, programs specify that these vulnerabilities should be mitigated with urgency. 

Dragos outlined three problems with this approach. Researchers often have no input to the final copy of a public advisory and Common Vulnerability Scoring System (CVSS) scores may be inaccurate. The reliance on industrial OEMs, which differ in maturity levels, makes it difficult for the industrial community to have consistent scoring and severity guidance. Because of this, the vulnerability advisories issued by the vendors and other CVE Numbering Authorities (CNA) are often incorrect and vague. 

Then, the CVSS does not account for typical OT network architecture. Network-exploitable vulnerabilities are often given a critical score even when the service is not immediately exploitable in a well-architected network. Lastly, advisories often lack practical steps besides ‘apply the patch.’ Patching OT software, especially firmware, may be difficult or impossible for many organizations. Occasionally, advisories are even released with no patch and no other mitigation advice, making them useless documents for defenders.

Dragos outlined that patching every vulnerability is difficult in OT environments and may not improve OT network security. Patching unnecessarily may bring its own risk – unsuccessful patch applications may cause unwanted downtime. In addition, many OT devices and software have ‘forever-day’ vulnerabilities and are insecure by design. This means patching a system to close a vulnerability may do nothing to improve the security of affected components, as underlying design flaws are still present. 

It added that a far better approach is to focus remediation and mitigation on items that positively impact the overall hygiene of the industrial process. Addressing vulnerabilities generally means deploying updates or applying security controls that do not already exist. Patching within an OT environment must be done in a way that ensures that normal, safe operations are maintained. Often, this results in patches being delayed until a maintenance window. 

“In 2023, 72 percent of the advisories Dragos analyzed came with a patch, but 54 percent of those advisories with a patch contained no mitigation advice. This is a +1 percent change from last year for patches and +1 percent change for mitigation advice,” the report detailed. “Dragos provided mitigations for the 49 percent of the advisories that had no mitigations from any other source. Advisories with no patch when announced, accounted for 28 percent of all advisories in 2023, and roughly 19 percent of those without a patch had no mitigation at all. This leaves OT network defenders without many options when often some of the simplest changes in behavior and tooling can have the most significant impact.”

Loss of control and loss of view of the industrial process are among the worst scenarios in an ICS environment, Dragos addressed. “The ability of operations to safely and reliably operate a system depends on an accurate view and control of the industrial process. Dragos investigates the possible impact of vulnerabilities to help organizations focus on the most impactful ones.” 

In 2023, 53 percent of the advisories Dragos analyzed vulnerabilities that could cause both a loss of view and control of the process through a vulnerable OT system. This was a shift of +3 percent from 2022. A full 46 percent of all the vulnerabilities have no ability to impact the control or visibility of the industrial process. Of these vulnerabilities, 1 percent could only cause loss of view without impacting loss of control. 

There are different threat profiles for vulnerable assets deep within the ICS network than those at the enterprise’s border. A PLC protected by a firewall is less at risk than one directly on the internet. When prioritizing vulnerability mitigation, organizations should consider the network landscape and where vulnerable systems reside in their architecture. 

Dragos provides expected Purdue levels per advisory assessment based on common placement in a well-designed environment. In a well-designed network, adversaries must compromise multiple layers before impacting industrial processes. This attack path includes gaining initial access to enterprise networks before pivoting to OT networks to compromise systems deep within the ICS network. This makes the opportunity to exploit vulnerabilities deep within the network more challenging. 

In 2023, 19 percent of these vulnerabilities were remote access vulnerabilities bordering the enterprise, while 80 percent resided deep within the ICS network. 62 percent pertains to vulnerabilities found at levels 0 to 3 of the Purdue Model, which should have restricted access, among other hardening configurations. This includes restricting access to engineering workstations, PLCs, and sensors, which can impact the industrial process.

Dragos is continually looking for evidence of exploitation in the wild. Asset owners with vulnerable assets actively being exploited in the wild by adversaries or proven through a penetration test have an increased urgency to mitigate. Because of this, exploitation is factored into the Now, Next, Never prioritization. In 2023, 5 percent of advisories included vulnerabilities being actively exploited. Recall that only 3 percent of all advisories are given Now priority for remediation – active campaigns make up the bulk of the highest priority remediations.

Dragos’ annual OT Cybersecurity report highlights a significant increase in cyber threats and disruptions to critical infrastructure worldwide, linked to rising global tensions. It points out the emergence of new threat groups like Voltzite and notes a 28 percent increase in active ransomware groups targeting industrial organizations in 2023, with 905 incidents reported—a 49.5 percent rise from 2022. 

The report emphasizes the high stakes for industrial organizations due to potential financial and reputational damages, along with impacts on downstream businesses. It also mentions the growing capabilities of state-sponsored and hacktivist groups in targeting operational technology systems.

Dragos also disclosed that in 2023 it saw major regulatory shifts for critical infrastructure asset owners, resulting in organizations devoting more time and resources to preparing for a cybersecurity event. This included updates for U.S. pipeline operators in North America with TSA Pipeline-2021-02D (SD-02D). In Europe, it was the Network and Information Systems Directive (NIS2); in Australia, the Security of Critical Infrastructure SOCI Act; and, the Essential Cybersecurity Controls (ECC) ECC in the Kingdom of Saudi Arabia. 

A notable shift in regulatory focus, impacting not just critical infrastructure but also U.S. publicly traded companies, involves the introduction of the Securities and Exchange Commission (SEC) cybersecurity risk management rules. These regulations extend to a broad range of OT asset owners, encompassing investor-owned utilities and manufacturing companies.

Dragos observed organizations growing their cybersecurity capabilities, defining or refining processes, and exercising plans. Organizations leading in this area are shifting from a reactive mindset that leverages break-glass retainers to a holistic approach for an incident response that includes multiple levels within organizations supported by detection capabilities, training, and external experts.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.