ICS Vulnerability Reports Rapidly Rise

More scrutiny of products for industrial control systems is expected to expose even more weaknesses in devices that run critical infrastructure.

It started in January with an industrial control systems (ICS) hacking contest in Miami amid a sudden cold front that literally paralyzed and felled some of the city's tree-clinging iguana population. Inside a room adjacent to the lobby of South Beach's historic Fillmore theatre and safe from the elements (and falling lizards), security researchers hacked SCADA gateways, control servers, human-machine interfaces (HMIs), an engineering workstation, and other ICS software in the first-ever ICS Pwn2Own contest.

That the 25 ICS product entries were successfully hacked came as no big surprise since many ICSs, especially products from newcomer vendors, notoriously lack security features and contain insecure software. The event, run by Trend Micro's Zero-Day Initiative (ZDI) as part of the annual S4x20 ICS conference, had been expected to open the floodgates for more researcher scrutiny of ICS products - and new data published today shows that's exactly what ensued.

In the first half of 2020, 10.3% more ICS vulnerabilities were reported in the National Vulnerability Database (NVD) and 32.4% more ICS-CERT advisories were issued than in the same period a year earlier. More than 75% of the ICS flaws reported this year were rated high or critical, according to a report from ICS security firm Claroty. More than 70% of the ICS flaws reported in the first half of 2020 are remotely exploitable; 365 ICS flaws landed in the NVD, and 139 advisories came via ICS-CERT, the data shows.

This is just the tip of the iceberg now that more researchers are training their hacking chops on ICS products in the wake of the January contest, while more new ICS vendors are entering the market, according to Amir Preminger, vice president of research at Claroty, who also competed in the ICS Pwn2Own. The contest awarded a total of $280,000 in prize money to the winning teams.

Preminger expects many more ICS vulns to be reported publicly by the end of the year.

"We are going to witness a bigger spike as we go because of COVID," he says, which leaves critical infrastructure systems more at risk of attack given the heavier reliance on those systems as more people stay at home and work from home in the pandemic. Attention has also gone to helping OT organizations better secure their critical infrastructure systems, with the recent joint advisory from the US Department of Homeland Security's CISA and the National Security Agency, as well as an executive order issued by the White House earlier this year, he notes.

Look for more vulnerabilities and fixes in the second half, Preminger says.

The ICS flaws exposed this year were found in products used in critical infrastructure: The report shows that of the 385 flaws included in the security advisory, 236 affect the energy sector, 197 affect critical manufacturing, and 171 affect water and wastewater. That's an increase of 58.9% for energy, 87.3% for critical manufacturing, and 122% for water and wastewater over the same period in 2019.

"When you see so many remote control execution [flaws], that actually correlates with the fact you have a lot of newcomers [vendors]," Preminger says. Some of these vendors have no secure development life cycle program, and "some of these products never undergo any security review before releasing," he adds.

Dale Peterson, CEO of Digital Bond and head of the S4 conference, also points out that the data in Claroty's report mainly reflects researchers' intensified efforts in finding flaws in ICS systems.

"It's not reflecting risk to the ICS community, not reflecting that things are being more or less vulnerable," he says. "It doesn't change the risk profile or what asset owners do."

Just how a product gets remediated for a security flaw depends on whether fixing it would break a function or disrupt an industrial process.

"There are cases where vulnerabilities are in some isolated part of the application and you change [fix] it and it doesn't affect anything," Peterson explains. "There are other issues buried down deep so that if you make that change, a bunch of things are not going to work, so you can't just put out a patch without breaking the system."

It can take anywhere from one to three months for a researcher to achieve remote code execution by exploiting an ICS vulnerability, Preminger says. "It's not an 'if' but a 'when'" for an attacker to do the same, he notes.

"The bigger risk of COVID is ... what we saw in remote access vulns in ICS products," he says.

For industrial organizations, it's all about awareness of their ICSs' security holes and ensuring they are sitting securely on the network and not inadvertently exposed to the public Internet.

"Unfortunately, you still see a lot of them directly connected to the Internet," Preminger says. "Some of them are old and they just leave it on the Internet, and some are new and should not be connected, even if that device doesn't have a CVE. Attackers could use it for a botnet" or as a way to break into the network.

Patching isn't always the solution for OT organizations, of course, so it's a matter of mapping out risk to the network.

"We're trying to advise customers how to better build their networks in terms of segmentation or layers," Preminger says. "Leveraging this [vuln] data, they can better design what they have up front or [determine] where to thicken their security layer against other vulnerabilities. They can better prioritize."

Of the 365 ICS vulns reported in the first half of 2020, 26 were discovered by Claroty, and more than half of those flaws are remotely exploitable.
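The prioritization Preminger and Peterson describe above (exposure first, patch where the fix is isolated, segment where a patch would break the process) can be written down as a simple triage rule. The following is an added example for this article, not code from Claroty, Digital Bond or Dark Reading; the advisory records, weights and action rules are constructed assumptions, and the advisory IDs are placeholders rather than real ICS-CERT or CVE identifiers.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """One ICS advisory as an asset owner would record it in their own inventory."""
    advisory_id: str              # placeholder id, not a real ICS-CERT/CVE identifier
    asset: str                    # the affected device or software
    sector: str                   # sector the asset owner operates in
    severity: str                 # "critical", "high", "medium" or "low"
    remotely_exploitable: bool    # exploitable over the network, per the advisory
    internet_exposed: bool        # asset owner's own finding: reachable from the Internet
    patch_available: bool         # a vendor fix exists
    patch_disrupts_process: bool  # applying the fix would break the industrial process


# Assumed weights: severity is the base, exploitability and exposure add to it.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Human-readable meaning of each action key returned by recommended_action().
ACTION_DETAIL = {
    "isolate": "remove the direct Internet exposure first, then patch or segment",
    "patch": "apply the vendor fix; it does not disrupt the process",
    "segment": "restrict network reachability now; schedule the fix for a maintenance window",
    "monitor": "track in the asset inventory; fix at the next maintenance window",
}


def risk_score(adv: Advisory) -> int:
    """Exposure gets the largest weight: an Internet-facing device is a target
    (e.g. for a botnet) even when no CVE has been filed against it."""
    score = SEVERITY_WEIGHT[adv.severity]
    if adv.remotely_exploitable:
        score += 3
    if adv.internet_exposed:
        score += 4
    return score


def recommended_action(adv: Advisory) -> str:
    """Return one of the ACTION_DETAIL keys for this advisory."""
    if adv.internet_exposed:
        return "isolate"
    if adv.patch_available and not adv.patch_disrupts_process:
        return "patch"
    if adv.remotely_exploitable:
        return "segment"
    return "monitor"


def triage(advisories):
    """Return (advisory, score, action) triples, highest risk first; ties break on id."""
    ranked = sorted(advisories, key=lambda a: (-risk_score(a), a.advisory_id))
    return [(a, risk_score(a), recommended_action(a)) for a in ranked]


def remotely_exploitable_share(advisories) -> float:
    """Fraction of advisories that are remotely exploitable (the statistic the report quotes)."""
    if not advisories:
        return 0.0
    return sum(1 for a in advisories if a.remotely_exploitable) / len(advisories)


def sector_counts(advisories) -> dict:
    """Number of advisories per sector, the per-sector view the report gives."""
    return dict(Counter(a.sector for a in advisories))


# Constructed sample inventory; none of these records describe a real product.
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "HMI", "energy", "critical", True, True, True, False),
    Advisory("ADV-0002", "engineering workstation", "critical manufacturing", "high", True, False, True, True),
    Advisory("ADV-0003", "PLC", "water and wastewater", "high", False, False, True, False),
    Advisory("ADV-0004", "SCADA gateway", "energy", "medium", True, False, False, False),
    Advisory("ADV-0005", "historian", "water and wastewater", "low", False, False, False, False),
]


if __name__ == "__main__":
    for adv, score, action in triage(SAMPLE_ADVISORIES):
        print(f"{adv.advisory_id} {adv.asset:<24} score={score:2d} {action:<8} {ACTION_DETAIL[action]}")
    print(f"remotely exploitable: {remotely_exploitable_share(SAMPLE_ADVISORIES):.0%}")
    print(sector_counts(SAMPLE_ADVISORIES))
```

The ordering puts the Internet-exposed HMI first regardless of whether it has a patch, and the engineering workstation whose fix would break the process is steered to segmentation rather than to a patch, which is the point Peterson makes about fixes that are "buried down deep".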


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
