It started in January with an industrial control systems (ICS) hacking contest in Miami amid a sudden cold front that literally paralyzed and felled some of the city's tree-clinging iguana population. Inside a room adjacent to the lobby of South Beach's historic Fillmore theatre and safe from the elements (and falling lizards), security researchers hacked SCADA gateways, control servers, human-machine interfaces (HMIs), an engineering workstation, and other ICS software in the first-ever ICS Pwn2Own contest.
That the 25 ICS product entries were successfully hacked came as no big surprise since many ICSs, especially products from newcomer vendors, notoriously lack security features and contain insecure software. The event, run by Trend Micro's Zero-Day Initiative (ZDI) as part of the annual S4x20 ICS conference, had been expected to open the floodgates for more researcher scrutiny of ICS products - and new data published today shows that's exactly what ensued.
In the first half of 2020, 10.3% more ICS vulnerabilities were reported in the National Vulnerability Database (NVD), and ICS-CERT issued 32.4% more vulnerability advisories than in the same period one year earlier. More than 75% of the ICS flaws reported this year were rated high or critical, according to a report from ICS security firm Claroty. More than 70% of ICS flaws reported in the first half of 2020 are remotely exploitable; 365 ICS flaws landed in the NVD, and 139 advisories came via ICS-CERT, the data shows.
This is just the tip of the iceberg now that more researchers are training their hacking chops on ICS products in the wake of the January contest, while more new ICS vendors are entering the market, according to Amir Preminger, vice president of research at Claroty, who also competed in the ICS Pwn2Own. The contest awarded a total of $280,000 in prize money to the winning teams.
Preminger expects many more ICS vulns to be reported publicly by the end of the year.
"We are going to witness a bigger spike as we go because of COVID," he says, which leaves critical infrastructure systems more at risk of attack given the heavier reliance on those systems as more people stay at home and work from home in the pandemic. Attention has also gone to helping OT organizations better secure their critical infrastructure systems, with the recent joint advisory from the US Department of Homeland Security's CISA and the National Security Agency, as well as an executive order issued by the White House earlier this year, he notes.
Look for more vulnerabilities and fixes in the second half, Preminger says.
The ICS flaws exposed this year were found in products used in critical infrastructure: of the 385 flaws included in the security advisory, the report shows, 236 affect the energy sector, 197 affect critical manufacturing, and 171 affect water and wastewater. That's an increase of 58.9% for energy, 87.3% for critical manufacturing, and 122% for water and wastewater over the same period in 2019.
"When you see so many remote control execution [flaws], that actually correlates with the fact you have a lot of newcomers [vendors]," Preminger says. Some of these vendors have no secure development life cycle program, and "some of these products never undergo any security review before releasing," he adds.
Dale Peterson, CEO of Digital Bond and head of the S4 conference, also points out that the data in Claroty's report mainly reflects researchers' intensified efforts in finding flaws in ICS systems.
"It's not reflecting risk to the ICS community, not reflecting that things are being more or less vulnerable," he says. "It doesn't change the risk profile or what asset owners do."
Just how a product gets remediated for a security flaw depends on whether fixing it would break a function or disrupt an industrial process.
"There are cases where vulnerabilities are in some isolated part of the application and you change [fix] it and it doesn't affect anything," Peterson explains. "There are other issues buried down deep so that if you make that change, a bunch of things are not going to work, so you can't just put out a patch without breaking the system."
It can take anywhere from a month to three months for a researcher to achieve remote code execution exploiting an ICS vulnerability, Preminger says. "It's not an 'if' but a 'when'" for an attacker to do the same, he notes.
"The bigger risk of COVID is ... what we saw in remote access vulns in ICS products," he says.
For industrial organizations, it's all about awareness of their ICSs' security holes and ensuring they are sitting securely on the network and not inadvertently exposed to the public Internet.
"Unfortunately, you still see a lot of them directly connected to the Internet," Preminger says. "Some of them are old and they just leave it on the Internet, and some are new and should not be connected, even if that device doesn't have a CVE. Attackers could use it for a botnet" or as a way to break into the network.
Patching isn't always the solution for OT organizations, of course, so it's a matter of mapping out risk to the network.
"We're trying to advise customers how to better build their networks in terms of segmentation or layers," Preminger says. "Leveraging this [vuln] data, they can better design what they have up front or [determine] where to thicken their security layer against other vulnerabilities. They can better prioritize."
Of the 365 ICS vulns reported in the first half of 2020, 26 were discovered by Claroty, and more than half of those flaws are remotely exploitable.