View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
August 20, 2020updated 08 Jul 2022 5:01am

Industrial (Remote) Control: RCE Vulnerabilities for ICS Suggest the Air Gap is Gasping its Last

ICS vulnerabilities across 54 vendors analysed

By CBR Staff Writer

More than 70% of the industrial control system (ICS) vulnerabilities disclosed in the first half of 2020 can be exploited remotely, reinforcing a growing industry view that fully air-gapped ICS networks are becoming increasingly uncommon. The energy sector looks particularly exposed, the report suggests — or is becoming an area of key focus for security researchers as security programmes mature.

The figures were collated in a new biannual threat report from operational technology (OT) specialist Claroty, which assessed 365 ICS vulnerabilities published by the National Vulnerability Database (NVD) and 139 ICS advisories issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in H1.

The bugs affect 53 vendors. New York-based Claroty noted that 75% of vulnerabilities were assigned high or critical CVSS scores (82 were critical).

The report comes just four weeks after the US National Security Agency (NSA) warned that a “perfect storm” is brewing for businesses running OT/ICS assets, including Critical National Infrastructure (CNI) providers across 16 sectors — from dams to chemicals, government facilities and financial services to food, nuclear to defense.

See also: BP’s CISO: Sclerotic Gov’t Agencies “Still Polishing Intel” as Adversaries Move

Organisations should develop resilience plans that assume “a control system that is actively acting contrary to the safe and reliable operation of the process”, the agency said on July 23. Vulnerabilities are worsening as companies “increase remote operations and monitoring, accommodate a decentralised workforce, and expand outsourcing of key skill areas such as instrumentation and control, OT asset management/maintenance…process operations and maintenance” the NSA said.

The energy, critical manufacturing, and water & wastewater infrastructure sectors were by far the most impacted by vulnerabilities published in ICS-CERT advisories during 1H 2020. Of the 385 unique Common Vulnerabilities and Exposures (CVEs) included in the advisories, energy had 236, critical manufacturing had 197, and water and wastewater had 171, Claroty noted — with water seeing a particular surge in CVEs.

ICS Vulnerabilities: “You found a what?”

Claroty’s research themselves discovered 26 ICS vulnerabilities in H1: largely in engineering workstations (EWS) and programmable logic controllers (PLCs).

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

As the company noted today: “For many of the vendors affected… this was their first reported vulnerability [and they had to] create dedicated security teams and processes to address rising vulnerability detections due to the convergence of IT and OT.”

To protect remote access connections, the company recommends four simple pillars to start with:

  1. Verify usage of patched VPN versions
  2. Monitor remote connections, particularly those to OT networks and ICS devices
  3. Enforce granular user-access permissions and administrative controls
  4. Enforce multi-factor authentication

Read this: Is It Time for Infosec Pros to Shut Up About OT Security and Listen, for Once?

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.