Industrial control systems vulnerabilities rise as operational tech increasingly goes online

Claroty said 25% more vulnerabilities were reported in 2020 than in 2019, 70% of which had high or critical CVSS scores.

istock-896976570.jpg

pugun-photo, Getty Images/iStockphoto

Industrial cybersecurity company, Claroty, has released its biannual industrial control systems (ICS) risk and vulnerability report, which found that the number of reported vulnerabilities increased by 25% when compared to 2019, with critical infrastructure areas like manufacturing, energy, water, and commercial facilities being most affected.

More about cybersecurity

The flaws themselves aren’t low risk, either: 75% of the vulnerabilities reported in the first half of 2020 had high or critical CVSS scores, and in the second half of 2020, 70% ranked the same. To make matters worse, 71.5% of reported vulnerabilities were remotely exploitable, 90% require no special conditions to trigger, 76% can be executed without authentication, and 78% require zero user interaction. 

Claroty only reported specific numbers for the second half of 2020, in which 449 vulnerabilities were reported in software from 59 different vendors, with far more affecting the critical manufacturing and energy sectors, with 194 and 186 vulnerabilities, respectively.

SEE: Incident response policy (TechRepublic Premium) 

“Year-over-year, the chart below shows continuing growth in vulnerabilities disclosed in critical infrastructure sectors, almost uniformly across the board in all but a few sectors,” Claroty said in its report. 

One of the most important factors in the severity of vulnerabilities found in ICS is their simplicity: As mentioned above, 90% of vulnerabilities discovered in the second half of 2020 require no special conditions to trigger. In CVSS terms, that means the attack is considered “low complexity,” meaning there are no factors beyond an attacker’s control that must exist for the vulnerability to be exploited. 

“The top five most prevalent Common Weakness Enumerations (CWEs) are all ranked highly on The MITRE Corporation’s 2020 CWE Top 25 Most Dangerous Software Errors list due to their relative ease of exploitation and ability to enable adversaries to inflict serious damage,” the report said. The CWEs in question include:

  • Out-of-bounds write, which can corrupt data, execute code, or trigger a DoS;
  • out-of-bounds read, which can allow an attacker to read memory and bypass security systems;
  • cross-site scripting;
  • improper authentication, meaning software isn’t requiring proof of user identity to access systems; and
  • information exposure, meaning sensitive data is exposed to users that shouldn’t have access.

Risks to ICS have been a known problem for some time, and as Claroty reported in its mid-2020 report of the same name, remote work, thanks to COVID-19 lockdowns, is only making the potential for attacks worse. Add in the convergence of IT and OT networks thanks to pandemic and non-pandemic digital transformation efforts and the attack surfaces of ICS systems grows even larger, said VP of research at Claroty, Amir Preminger. 

SEE: 5 Internet of Things (IoT) innovations (free PDF) (TechRepublic)

Rather than seeing rising numbers of reported vulnerabilities as a bad thing, Preminger said, it shows that people are starting to take infrastructure security risks seriously. “It is heartening to see a growing interest in ICS within the security research community, as we must shine a brighter light on these vulnerabilities in order to keep threats at arm’s length,” Preminger said. 

Also see