More than 70% of the industrial control system (ICS) vulnerabilities disclosed in the first half of 2020 can be exploited remotely, reinforcing a growing industry view that fully air-gapped ICS networks are becoming increasingly uncommon. The energy sector looks particularly exposed, the report suggests — or is becoming an area of key focus for security researchers as security programmes mature.
The figures were collated in a new biannual threat report from operational technology (OT) specialist Claroty, which assessed 365 ICS vulnerabilities published by the National Vulnerability Database (NVD) and 139 ICS advisories issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in H1.
The bugs affect 53 vendors. New York-based Claroty noted that 75% of vulnerabilities were assigned high or critical CVSS scores (82 were critical).
The report comes just four weeks after the US National Security Agency (NSA) warned that a “perfect storm” is brewing for businesses running OT/ICS assets, including Critical National Infrastructure (CNI) providers across 16 sectors — from dams to chemicals, government facilities and financial services to food, nuclear to defense.
Organisations should develop resilience plans that assume “a control system that is actively acting contrary to the safe and reliable operation of the process”, the agency said on July 23. Vulnerabilities are worsening as companies “increase remote operations and monitoring, accommodate a decentralised workforce, and expand outsourcing of key skill areas such as instrumentation and control, OT asset management/maintenance…process operations and maintenance”, the NSA said.
The energy, critical manufacturing, and water & wastewater infrastructure sectors were by far the most impacted by vulnerabilities published in ICS-CERT advisories during 1H 2020. Of the 385 unique Common Vulnerabilities and Exposures (CVEs) included in the advisories, energy had 236, critical manufacturing had 197, and water and wastewater had 171, Claroty noted — with water seeing a particular surge in CVEs.
ICS Vulnerabilities: “You found a what?”
Claroty’s researchers themselves discovered 26 ICS vulnerabilities in H1, largely in engineering workstations (EWS) and programmable logic controllers (PLCs).
As the company noted today: “For many of the vendors affected… this was their first reported vulnerability [and they had to] create dedicated security teams and processes to address rising vulnerability detections due to the convergence of IT and OT.”
To protect remote access connections, the company recommends four simple pillars to start with:
- Verify usage of patched VPN versions
- Monitor remote connections, particularly those to OT networks and ICS devices
- Enforce granular user-access permissions and administrative controls
- Enforce multi-factor authentication