According to Amir Preminger, VP of research at Claroty, as more organizations connect to the cloud as part of digital transformation, they expand the attack surface available to threat actors.
Security researchers at industrial cybersecurity company Claroty said that over 637 ICS vulnerabilities were disclosed in the first half of 2021, compared to 449 vulnerabilities disclosed in the second half of 2020.
Similarly, critical manufacturing security vulnerabilities increased by 25% in 2020 compared to 2019, and by 33% compared to 2018. However, vendors lagged in discovering and reporting critical infrastructure security vulnerabilities.
According to the report, most (81%) ICS vulnerabilities were disclosed by external entities such as third-party companies, security researchers, and academics, among others.
The increase in attacks on critical infrastructure has been a wake-up call for security researchers.
Preminger noted that high-profile attacks against critical infrastructure motivated security researchers to focus on ICS vulnerabilities. “The recent cyber attacks on Colonial Pipeline, JBS Foods, and the Oldsmar, Florida water treatment facility have not only shown the fragility of critical infrastructure and manufacturing environments that are exposed to the internet, but have also inspired more security researchers to focus their efforts on ICS specifically.”
Consequently, more research into ICS vulnerabilities could help organizations better understand and address the cyber risks facing critical infrastructure.
“Colonial Pipeline has shown America and the world that ICS security is crucial to the operations for all people,” Garret Grajek, CEO at YouAttest, said. “An attack on ICS is an attack on the country. Security levels around these components need to be at the same level as our defense systems. All best practices laid out by NIST and other cyber security frameworks need to be adhered to.”
Most ICS vulnerabilities are serious but easy to exploit
According to the report, nearly three-quarters (71%) of the reported vulnerabilities were rated high or critical on the severity scale.
Additionally, nine in ten (90%) of the reported ICS vulnerabilities have low attack complexity, while more than half (71%) are remotely exploitable.
Nearly two-thirds (65%) could lead to a total loss of availability, resulting in denial of service, while others could lead to remote code execution.
Nearly three-quarters (74%) require no privileges, and two-thirds (66%) require no user interaction.
Consequently, the reported critical infrastructure vulnerabilities are low-hanging fruit for threat actors of varying expertise levels.
“I’ve seen the future of ICS, and it’s a bunch of vulnerabilities. ICS is in the same boat PCs were in 20 years ago, with many vulnerabilities that are easy to exploit, even without specialized knowledge,” says Saryu Nayyar, CEO at Gurucul. “Embedded software developers and testers have to have the same level of sophistication as enterprise software IT pros today, and they have a [long] way to go.”
Sadly, over a quarter (26%) have no remediation or only partial mitigations, leaving organizations exposed to attacks.
However, most of the reported vulnerabilities share common mitigations recommended in vendor advisories and ICS-CERT alerts. The top mitigations were network segmentation, which applies to 59% of ICS vulnerabilities, secure remote access (53%), and spam, phishing, and ransomware protection (33%).
“The most important mechanisms are ensuring that our enterprises are patched with the latest updates to all components and that the identities that manage these systems are reviewed to ensure that publicly accessed systems utilizing the identities are not overprivileged,” added Grajek. “If these entities are compromised and they have additional privileges – then the entire enterprise is at risk.”
Most vulnerabilities affected Level 3 of the Purdue Model, Operations Management (23.55%), followed by Level 1: Basic Control (15.23%) and Level 2: Supervisory Control (14.76%).
The top five impacts of ICS vulnerabilities were the execution of unauthorized code or commands, denial of service originating from a crash, exit, or restart, bypass of protection mechanisms, modification of memory, and reading of application data.