Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

8/19/2020
02:35 PM

ICS Vulnerability Reports Rapidly Rise

More scrutiny of products for industrial control systems is expected to expose even more weaknesses in devices that run critical infrastructure.

It started in January with an industrial control systems (ICS) hacking contest in Miami amid a sudden cold front that literally paralyzed and felled some of the city's tree-clinging iguana population. Inside a room adjacent to the lobby of South Beach's historic Fillmore theatre and safe from the elements (and falling lizards), security researchers hacked SCADA gateways, control servers, human-machine interfaces (HMIs), an engineering workstation, and other ICS software in the first-ever ICS Pwn2Own contest.

That the 25 ICS product entries were successfully hacked came as no big surprise since many ICSs, especially products from newcomer vendors, notoriously lack security features and contain insecure software. The event, run by Trend Micro's Zero-Day Initiative (ZDI) as part of the annual S4x20 ICS conference, had been expected to open the floodgates for more researcher scrutiny of ICS products - and new data published today shows that's exactly what ensued.

In the first half of 2020, 10.3% more ICS vulnerabilities were reported in the National Vulnerability Database (NVD), and ICS-CERT published 32.4% more ICS vulnerability advisories, than in the same period a year earlier. More than 75% of the ICS flaws reported this year were rated high or critical, according to a report from ICS security firm Claroty. More than 70% of the ICS flaws reported in the first half of 2020 are remotely exploitable; in absolute terms, 365 ICS flaws landed in the NVD and 139 advisories came via ICS-CERT, the data shows.

This is just the tip of the iceberg now that more researchers are training their hacking chops on ICS products in the wake of the January contest, while more new ICS vendors are entering the market, according to Amir Preminger, vice president of research at Claroty, who also competed in the ICS Pwn2Own. The contest awarded a total of $280,000 in prize money to the winning teams.

Preminger expects many more ICS vulns to be reported publicly by the end of the year.

"We are going to witness a bigger spike as we go because of COVID," he says, which leaves critical infrastructure systems more at risk of attack given the heavier reliance on those systems as more people stay at home and work from home in the pandemic. Attention has also gone to helping OT organizations better secure their critical infrastructure systems, with the recent joint advisory from the US Department of Homeland Security's CISA and the National Security Agency, as well as an executive order issued by the White House earlier this year, he notes.

Look for more vulnerabilities and fixes in the second half, Preminger says.

The ICS flaws exposed this year were found in products used in critical infrastructure: The report shows that of the 385 flaws included in the security advisory, 236 affect the energy sector, 197 affect critical manufacturing, and 171 affect water and wastewater. That's an increase of 58.9% for energy, 87.3% for critical manufacturing, and 122% for water and wastewater over the same period in 2019.

"When you see so many remote control execution [flaws], that actually correlates with the fact you have a lot of newcomers [vendors]," Preminger says. Some of these vendors have no secure development life cycle program, and "some of these products never undergo any security review before releasing," he adds.

Dale Peterson, CEO of Digital Bond and head of the S4 conference, also points out that the data in Claroty's report mainly reflects researchers' intensified efforts in finding flaws in ICS systems.

"It's not reflecting risk to the ICS community, not reflecting that things are being more or less vulnerable," he says. "It doesn't change the risk profile or what asset owners do."

Just how a product gets remediated for a security flaw depends on whether fixing it would break a function or disrupt an industrial process.

"There are cases where vulnerabilities are in some isolated part of the application and you change [fix] it and it doesn't affect anything," Peterson explains. "There are other issues buried down deep so that if you make that change, a bunch of things are not going to work, so you can't just put out a patch without breaking the system."

It can take anywhere from a month to three months for a researcher to achieve remote code execution exploiting an ICS vulnerability, Preminger says. "It's not an 'if' but a 'when'" for an attacker to do the same, he notes.

"The bigger risk of COVID is ... what we saw in remote access vulns in ICS products," he says.

For industrial organizations, it's all about awareness of their ICSs' security holes and ensuring they are sitting securely on the network and not inadvertently exposed to the public Internet.

"Unfortunately, you still see a lot of them directly connected to the Internet," Preminger says. "Some of them are old and they just leave it on the Internet, and some are new and should not be connected, even if that device doesn't have a CVE. Attackers could use it for a botnet" or as a way to break into the network.

Patching isn't always the solution for OT organizations, of course, so it's a matter of mapping out risk to the network.

"We're trying to advise customers how to better build their networks in terms of segmentation or layers," Preminger says. "Leveraging this [vuln] data, they can better design what they have up front or [determine] where to thicken their security layer against other vulnerabilities. They can better prioritize."
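The two points above, that an ICS device has no business being Internet-reachable even without a CVE, and that vulnerability data should drive where an OT team thickens its layers, can be turned into a simple, explainable prioritisation. The following is an added example written for this page; it is not code from the article, from Claroty or from Digital Bond. It assumes a hypothetical asset inventory with open ports and known vulnerabilities per device; the inventory, the vulnerability labels and the scores are all constructed. Exposure is judged by whether the address falls outside non-routable space and whether an ICS protocol port is open on such an address; severity is the worst applicable CVSS score, with local-only flaws discounted.

```python
"""Added example (not from the article, Claroty or Digital Bond): rank OT
assets for remediation by combining network exposure with vulnerability
data.  All inventory records, vulnerability labels and scores are
constructed for illustration."""
from dataclasses import dataclass, field
import ipaddress

# Address space that is never routed on the public Internet (RFC 1918,
# loopback, link-local, carrier-grade NAT).  Anything else is treated as
# Internet-facing.  (Assumption: no NAT in front of the inventory addresses.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

# ICS protocol ports that should never be reachable from the Internet.
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 4840: "OPC UA",
             20000: "DNP3", 44818: "EtherNet/IP"}


@dataclass
class Vuln:
    label: str        # constructed label, not a real CVE identifier
    cvss: float       # CVSS base score
    remote: bool      # network-exploitable (CVSS AV:N)


@dataclass
class Asset:
    name: str
    ip: str
    open_ports: list
    vulns: list = field(default_factory=list)


def is_internet_facing(ip: str) -> bool:
    """True unless the address sits in a non-routable range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def exposed_ics_ports(asset: Asset) -> list:
    """ICS protocol ports open on the asset, sorted."""
    return sorted(p for p in asset.open_ports if p in ICS_PORTS)


def risk_score(asset: Asset) -> float:
    """Explainable score = worst applicable vulnerability x exposure multiplier.

    Local-only flaws are discounted by half; an Internet-facing device with an
    ICS port open scores at least 5.0 even with no known CVE, since the
    exposure itself is the finding.  Multiplier: 1 internal, 2 Internet-facing,
    3 Internet-facing with an ICS protocol port open."""
    facing = is_internet_facing(asset.ip)
    ics_open = exposed_ics_ports(asset) if facing else []
    worst = 0.0
    for v in asset.vulns:
        worst = max(worst, v.cvss if v.remote else v.cvss * 0.5)
    if ics_open:
        worst = max(worst, 5.0)
    multiplier = 1.0 + (1.0 if facing else 0.0) + (1.0 if ics_open else 0.0)
    return round(worst * multiplier, 1)


def prioritise(assets) -> list:
    """Asset names, highest risk first."""
    return [a.name for a in sorted(assets, key=risk_score, reverse=True)]


# Constructed inventory.  203.0.113.0/24 is the RFC 5737 documentation range
# and stands in here for a public address.
INVENTORY = [
    Asset("plc-line1", "10.20.1.15", [102],
          [Vuln("example-vuln-1", 9.8, remote=True)]),
    Asset("hmi-old", "203.0.113.10", [502, 80], []),   # no CVE, Modbus on the Internet
    Asset("eng-ws", "10.20.1.40", [3389],
          [Vuln("example-vuln-2", 7.8, remote=False)]),
    Asset("gateway", "203.0.113.20", [443],
          [Vuln("example-vuln-3", 6.5, remote=True)]),
]

if __name__ == "__main__":
    for name in prioritise(INVENTORY):
        asset = next(a for a in INVENTORY if a.name == name)
        print(f"{name:10s} score={risk_score(asset):5.1f} "
              f"internet_facing={is_internet_facing(asset.ip)} "
              f"ics_ports={exposed_ics_ports(asset)}")
```

On the constructed inventory the Internet-facing HMI with Modbus open and no CVE ranks first, ahead of the internal PLC with a critical remote flaw: segmentation is doing work for the PLC that nothing is doing for the HMI. The weights are deliberately simple so an asset owner can explain each ranking; the point is that exposure and vulnerability data are combined, not which exact numbers are used.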

Of the 365 ICS vulns reported in the first half of 2020, 26 were discovered by Claroty, and more than half of those flaws are remotely exploitable.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio