Combating the Rising Cyber Threat Against ICS

Industrial control systems (ICS) play an essential role in keeping the country moving by managing software and hardware in critical national infrastructure (CNI) sectors, including energy and water, as well as critical manufacturing areas such as pharmaceutical and automotive.

ICS is an umbrella term that covers several different kinds of systems and devices, including supervisory control and data acquisition (SCADA) systems, programmable logic controllers (PLCs), and engineering workstations (EWS). These systems face a continual threat of attack from nation-state actors, corporate espionage, and well-resourced, ambitious criminals. Not only are they under threat, but the risk is growing.

How big is the threat?

The biggest threat to these systems comes from unpatched software vulnerabilities, combined with the difficulty operational technology (OT) environments have in remediating them: patching often means scheduling downtime on a process that is expected to run continuously. Claroty’s research into ICS vulnerabilities, reported in our Biannual ICS Risk & Vulnerability Report: 1H 2020, uncovered worrisome year-over-year growth in the number of OT and ICS flaws recorded in the National Vulnerability Database (NVD) and in vulnerability advisories published by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

NVD, for example, reported 365 ICS vulnerabilities in the first half of 2020—26 of which were found by the Claroty research team—while ICS-CERT published 139 advisories in the same period. NVD’s number of vulnerabilities is 10.3% higher than in the first half of 2019, while ICS-CERT’s number of advisories grew 32.4% year-over-year.

More than 75% of the vulnerabilities reported in the first half of 2020 were assigned high or critical Common Vulnerability Scoring System (CVSS) base scores (7.0 or above), meaning they pose a significant security risk. The energy, critical manufacturing, and water and wastewater infrastructure sectors are the most at risk, with water and wastewater seeing a particularly steep 122% increase in new vulnerabilities across the NVD and ICS-CERT reports.

Where are the most common vulnerabilities?

Claroty researchers specifically focused on investigating EWS and PLCs, because these product types play a particularly crucial role in industrial operations, making them an obvious target for threat actors.

EWS are one of the primary control points for personnel to interact with the OT network. As such, they also usually have some level of connectivity to the IT network, as well as access to the shop floor and the PLCs controlling physical processes. Having IT connectivity makes an EWS an accessible target that can provide an initial foothold and a launch point for a threat actor to access the OT network.

In all, more than half of the vulnerabilities we discovered and privately disclosed were in EWS products, followed by roughly a quarter affecting PLCs. The rest of the vulnerabilities involved SCADA systems, with a small percentage involving routers.

The majority of these vulnerabilities would enable an attacker to achieve some form of remote code execution (RCE), allowing them to run commands of their choosing on the affected system, establish persistence, and move laterally into the rest of the OT network. Approximately a third of the vulnerabilities could also be used to launch denial-of-service (DoS) attacks that crash or hang the affected device or service, which on a PLC can halt the physical process it controls.

The rising remote risk

One of the most worrying trends this year is the high prevalence of ICS vulnerabilities that can be exploited remotely via a network attack vector (CVSS AV:N). In previous years, OT systems were commonly air-gapped, and the lack of connectivity to the organization’s standard IT network kept such flaws largely out of reach of remote attackers.

However, more than 70% of the 365 ICS vulnerabilities published by the NVD are exploitable over the network. That matters because it is now rare for ICS networks to be fully air-gapped, as more organizations integrate and automate their OT systems. Note that a network attack vector does not require the device to be reachable from the internet: an attacker who has gained a foothold on a connected IT network, or on the OT network itself, can exploit the same flaw from there.

Remote connectivity has become particularly important this year, because organizations have been forced to rapidly shift to a remote workforce during the COVID-19 pandemic. Engineers, for example, would require remote access to manage and update field devices they would normally visit in person.

An increasing number of ICS vulnerabilities are also exploitable via local attack vectors (CVSS AV:L), where the attacker needs something to be run or opened on the target, such as a malicious project file loaded into an EWS. In practice these will primarily be reached by targeting the organization’s personnel with social engineering attacks such as phishing.

Best practices for protecting ICS

Protecting ICS from cyber-attacks requires a multi-tier strategy to address threats to different aspects of the network. The prevalence of new remotely exploitable vulnerabilities should put a priority on protecting remote access connections, particularly as remote workforces grow during the COVID-19 pandemic. Organizations should verify that virtual private network (VPN) gateways and clients are fully patched, mandate multi-factor authentication, and grant granular, least-privilege access permissions rather than blanket access to the OT network.

Organizations should also be mindful of social engineering tactics targeting their personnel. All employees should be educated in best practices such as good password hygiene and caution around emails received from unknown sources.

Finally, ICS devices should not be directly reachable from the internet where this can be avoided. Any that must remain exposed should be protected with multiple measures, including strong, unique passwords (never the vendor defaults), encrypted transport, and granular role- and policy-based access controls to provide precise management of how assets are accessed.

Other OT security best practices, such as continuous threat monitoring and network segmentation, are also important. EWS should be the main priority, and firms should be aware that legitimate internet scanning services such as Shodan.io and Censys.io index internet-connected systems and can be used by threat actors to locate exposed ICS devices; defenders should use the same services to check their own address space for exposure before an attacker does.

The importance of disclosing vulnerabilities

Alongside looking inwardly at their security, organizations should also consider the business sector and industrial operations at large. Organizations, ICS vendors and security companies should always endeavor to disclose any ICS vulnerabilities they discover.

While there has often been reluctance to do this for competitive or reputational reasons, sharing this intelligence through coordinated disclosure with the vendor and ICS-CERT can only be a good thing. The more awareness there is of ICS vulnerabilities, the more difficult things will be for threat actors, and the safer crucial operations such as CNI will be.