Industrial control systems are more internet-accessible than you might think.
The National Vulnerability Database disclosed 365 vulnerabilities that impacted the ICS products of 53 vendors in the first half of 2020. Of those disclosed, more than 70% can be remotely exploited via a network attack vector, according to the Claroty Biannual ICS Risk & Vulnerability Report released Wednesday.
"This observation reinforces the fact that fully air-gapped OT [operational technology] networks that are fully isolated from cyber threats have become exceedingly uncommon, highlighting the critical importance of protecting internet-facing ICS devices and remote access connections," the report read. "The rapid shift to a remote workforce -- and thus the increased reliance on remote access connections to OT networks -- due to the COVID-19 pandemic further underscores this point and exacerbates the associated risks."
The report noted that more than 75% of the 365 vulnerabilities were rated at least high -- if not critical -- on the Common Vulnerability Scoring System, that is, a CVSS base score of 7.0 or above.
Devices at particular risk of exploitation are not just those with known vulnerabilities, but also those that are misconfigured. "Devices that are connected directly to the internet and don't have a security measure, or they're misconfigured, that makes them an easy target," Claroty Vice President of Research Amir Preminger told SearchSecurity.
To protect ICS devices that are exposed to the internet, Preminger recommended that companies add an extra security layer -- a VPN or an IP access list -- to keep unauthorized users from connecting to them.
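The IP access list Preminger describes is easiest to enforce on a Linux gateway sitting in front of the controller rather than on the controller itself, since most PLCs and RTUs offer no host firewall. The following nftables ruleset is an added example written for this article and is not part of the Claroty report or any vendor's guidance; the controller address 10.30.0.5, the maintenance subnet 10.20.0.0/24 and the VPN concentrator 192.0.2.10 are placeholder values, and the protocol ports (502 Modbus/TCP, 20000 DNP3, 44818 EtherNet/IP) should be trimmed to the protocols the device actually speaks.

```nftables
# Added example: default-deny gateway in front of an ICS device.
# Addresses below are placeholders; replace with your own.
table inet ics_gate {
    # Hosts allowed to talk to the controller: the maintenance
    # subnet and the VPN concentrator that remote engineers land on.
    set allowed_sources {
        type ipv4_addr
        flags interval
        elements = { 10.20.0.0/24, 192.0.2.10 }
    }

    chain forward {
        # Everything not explicitly accepted is dropped.
        type filter hook forward priority filter; policy drop;

        # Let replies for already-accepted sessions through.
        ct state established,related accept

        # Industrial protocol ports reachable only from the access list.
        ip daddr 10.30.0.5 tcp dport { 502, 20000, 44818 } \
            ip saddr @allowed_sources accept

        # Anything else aimed at the controller is logged, then dropped,
        # so scanning from the internet shows up in the gateway's logs.
        ip daddr 10.30.0.5 log prefix "ics-gate denied: " drop
    }
}
```

Load it with `nft -f <file>` on the gateway and confirm with `nft list ruleset`; the `log` rule is what turns a quietly exposed device into one whose probes are visible to the SOC.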
The Claroty report also found that ICS vulnerabilities disclosed during this time period are "most prevalent in the energy, critical manufacturing, and water and wastewater sectors -- all of which are designated as critical infrastructure sectors."
When asked about how successful ICS vendors were in addressing all of these vulnerabilities, Preminger said that, while he cannot speak for all companies, he has seen "some improvement" overall. He said that there's a difference between the large vendors with effective security teams and the companies that are "quite new at addressing security issues."
"You can see the differences," he said. "I can tell you that we have seen a few companies fix an issue after two weeks, which was the shortest timeline we've ever seen, and we have seen companies that were still struggling with it after a year and a half or so."
Preminger added that vendors' responses to being told they have ICS vulnerabilities vary. While some are receptive, others have a difficult time getting to that point.
"Some of them have difficulty understanding. [They say,] 'OK, so you found a vulnerability. We cannot issue an advisory or a patch that's going to state that everything is exploitable.' And we're trying to tell them, 'Guys, look, the reality is that you have a vulnerability. You cannot escape it. If you're not going to address it, somebody else is going to find it in a timely manner and exploit it. So, it's not a question of if we're going to report it. It's a question of how we're going to do it in a responsible manner because that has to come out.' People have to know they have vulnerable equipment," he said.
Claroty's report also mentioned Ripple20, the series of 19 zero-day vulnerabilities that exist within the Treck TCP/IP stack. Claroty assisted cybersecurity consultancy JSOF, which discovered and disclosed the IoT vulnerabilities. In addition to IoT products, the Treck stack is used in OT and ICS devices as well.
"I think we're going to see more [vulnerabilities]. Ripple20, URGENT/11 and what we call 'third-party libraries vulnerabilities' are something that's hard to avoid. Since a lot of the industry is based on embedded software, it's going to be very common to see third-party code being used in order to cut cost. A lot of people like to use libraries, especially when you're developing embedded devices," Preminger said. "I think we're going to see more and more of those. It might not be in the basic TCP/IP stack, but it could have been easily done in the basic OT stack that might be used by other vendors."