Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/19/2020
02:35 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

ICS Vulnerability Reports Rapidly Rise

More scrutiny of products for industrial control systems is expected to expose even more weaknesses in devices that run critical infrastructure.

It started in January with an industrial control systems (ICS) hacking contest in Miami amid a sudden cold front that literally paralyzed and felled some of the city's tree-clinging iguana population. Inside a room adjacent to the lobby of South Beach's historic Fillmore theatre and safe from the elements (and falling lizards), security researchers hacked SCADA gateways, control servers, human-machine interfaces (HMIs), an engineering workstation, and other ICS software in the first-ever ICS Pwn2Own contest.

That the 25 ICS product entries were successfully hacked came as no big surprise since many ICSs, especially products from newcomer vendors, notoriously lack security features and contain insecure software. The event, run by Trend Micro's Zero-Day Initiative (ZDI) as part of the annual S4x20 ICS conference, had been expected to open the floodgates for more researcher scrutiny of ICS products - and new data published today shows that's exactly what ensued.

Related Content

Hacking the PLC via its Engineering Software

Aftermath of a Major ICS Hacking Contest

In the first half of 2020, there were 10.3% more ICS vulnerabilities reported in the National Vulnerability Database (NVD) and an increase of 32.4% of ICS-CERT advisories for vulns compared with one year earlier. More than 75% of the ICS flaws reported this year were rated high or critical, according to a report from ICS security firm Claroty. More than 70% of ICS flaws reported in the first half of 2020 are remotely exploitable, 365 ICS flaws landed in the NVD, and 139 advisories came via ICS-CERT, the data shows.

This is just the tip of the iceberg now that more researchers are training their hacking chops on ICS products in the wake of the January contest, while more new ICS vendors are entering the market, according to Amir Preminger, vice president of research at Claroty, who also competed in the ICS Pwn2Own. The contest awarded a total of $280,000 in prize money to the winning teams.

Preminger expects many more ICS vulns to be reported publicly by the end of the year.

"We are going to witness a bigger spike as we go because of COVID," he says, which leaves critical infrastructure systems more at risk of attack given the heavier reliance on those systems as more people stay at home and work from home in the pandemic. Attention has also gone to helping OT organizations better secure their critical infrastructure systems, with the recent joint advisory from the US Department of Homeland Security's CISA and the National Security Agency, as well as an executive order issued by the White House earlier this year, he notes.

Look for more vulnerabilities and fixes in the second half, Preminger says.

The ICS flaws exposed this year were found in products used in critical infrastructure: The report shows that of the 385 flaws included in the security advisory, 236 affect the energy sector, 197 affect critical manufacturing, and 171 affect water and wastewater. That's an increase of 58.9% for energy, 87.3% for critical manufacturing, and 122% for water and wastewater over the same period in 2019.

"When you see so many remote control execution [flaws], that actually correlates with the fact you have a lot of newcomers [vendors]," Preminger says. Some of these vendors have no secure development life cycle program, and "some of these products never undergo any security review before releasing," he adds.

Dale Peterson, CEO of Digital Bond and head of the S4 conference, also points out that the data in Claroty's report mainly reflects researchers' intensified efforts in finding flaws in ICS systems.

"It's not reflecting risk to the ICS community, not reflecting that things are being more or less vulnerable," he says. "It doesn't change the risk profile or what asset owners do."

Just how a product gets remediated for a security flaw depends on whether fixing it would break a function or disrupt an industrial process.

"There are cases where vulnerabilities are in some isolated part of the application and you change [fix] it and it doesn't affect anything," Peterson explains. "There are other issues buried down deep so that if you make that change, a bunch of things are not going to work, so you can't just out a patch without breaking the system."

It can take anywhere from a month to a three months for a researcher to achieve remote code execution exploiting an ICS vulnerability, Preminger says. "It's not an 'if' but a 'when'" for an attacker to do the same, he notes.

"The bigger risk of COVID is ... what we saw in remote access vulns in ICS products," he says.

For industrial organizations, it's all about awareness of their ICSs' security holes and ensuring they are sitting securely on the network and not inadvertently exposed to the public Internet.

"Unfortunately, you still see a lot of them directly connected to the Internet," Preminger says. "Some of them are old and they just leave it on the Internet, and some are new and should not be connected, even if that device doesn't have a CVE. Attackers could use it for a botnet" or as a way to break into the network.

Patching isn't always the solution for OT organizations, of course, so it's matter of mapping out risk to the network.

"We're trying to advise customers how to better build their networks in terms of segmentation or layers," Preminger says. "Leveraging this [vuln] data, they can better design what they have up front or [determine] where to thicken their security layer against other vulnerabilities. They can better prioritize."

Of the 365 ICS vulns reported in the first half of 2020, 26 were discovered by Claroty, and more than half of those flaws are remotely exploitable.

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27660
PUBLISHED: 2020-11-30
SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3-0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter.
CVE-2020-27659
PUBLISHED: 2020-11-30
Multiple cross-site scripting (XSS) vulnerabilities in Synology SafeAccess before 1.2.3-0234 allow remote attackers to inject arbitrary web script or HTML via the (1) domain or (2) profile parameter.
CVE-2020-29127
PUBLISHED: 2020-11-30
An issue was discovered on Fujitsu Eternus Storage DX200 S4 devices through 2020-11-25. After logging into the portal as a root user (using any web browser), the portal can be accessed with root privileges when the URI cgi-bin/csp?cspid=&csppage=cgi_PgOverview&csplang=en is visit...
CVE-2020-25624
PUBLISHED: 2020-11-30
hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver.
CVE-2020-29378
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. It is possible to elevate the privilege of a CLI user (to full administrative access) by using the password [email protected]#y$z%x6x7q8c9z) for the e...