More than 70% of failures in industrial control systems are critical

Sheila Zabeu

August 25, 2021

Many companies are looking to take advantage of the benefits of connecting industrial equipment to the Internet and converging operational technologies and IT systems (OT-IT convergence). However, this movement has attracted the attention of threat actors, especially those who exploit vulnerabilities in this environment to carry out attacks and extortion for profit.

A report by industrial cybersecurity firm Claroty has revealed that in the first half of 2021, 637 vulnerabilities were found in industrial control systems (ICS) affecting products from 76 vendors. Of this total, almost 71% were classified as high-risk or critical. In 65% of the vulnerabilities, exploitation could cause a total loss of availability.

Some 81% of the vulnerabilities disclosed in this period were discovered by sources external to the vendors, including research institutions, independent researchers, and members of universities.

Most of the vulnerabilities affected operations management (23.5%), basic control systems (15.2%) and supervisory systems (14.8%). According to the report, operations management can be a critical intersection point with IT networks. These systems include servers and databases that are essential to the flow of production or that collect data to feed business area systems. Basic control systems include programmable logic controllers (PLCs), remote terminal units (RTUs), and other equipment monitoring components. Supervisory systems provide the man-machine interface and include elements that monitor data from the basic control.

SOURCE: Claroty

In addition, the report data shows that 61.4% of vulnerabilities allow attacks from outside IT or OT networks. This share has fallen from the percentage recorded in the second half of 2020 (71.5%). On the other hand, vulnerabilities that can be exploited via local attack vectors increased from 18.9% in the second half of 2020 to 31.5%. For 72.1% of these vulnerabilities, the attacker relies on user interaction, for example through spam or phishing, to carry out the exploitation.

Mitigation and remediation

More than a quarter (25.6%) of the 637 vulnerabilities found in industrial control systems were not fixed or were only partially remediated. In this group, almost 62% of the flaws were found in the firmware. More than half (55.2%) could result in remote code execution and 47.9% could create denial-of-service conditions. Among the other three quarters, those that were fixed, 59.5% required software fixes.

Of the total 637 vulnerabilities found, 6.5% affected end-of-life products that are no longer supported. In this group, 51.2% were found in the firmware.

Concerns of the US government

Recent cyber-attacks seen in the United States, including the one against Colonial Pipeline, the country’s largest oil pipeline, have shown the fragility of the country’s industrial control systems and cybersecurity of critical infrastructure, which is largely operated by the private sector.

Against this backdrop, President Biden signed a memorandum in July that addresses cybersecurity for critical infrastructure and efforts to counter the threats against it. It formally establishes the Industrial Control Systems Cybersecurity Initiative, a collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technologies and systems that provide threat visibility, indicators, detection, and warnings.

The initiative began in mid-April with a pilot project in an electricity sub-sector, with more than 150 utilities serving nearly 90 million residential customers. A plan for gas pipelines is underway, and actions for other sectors will take place later this year, according to the memorandum.

The US Cyber and Infrastructure Security Agency (CISA) also maintains an initiative aimed at promoting cohesive efforts between government and industry that can improve the cybersecurity posture of industrial control systems (ICS). CISA helps identify and publicize vulnerabilities and develop strategies to mitigate the effects of potential incidents and reduce risk.

The CISA website provides warnings, containing a summary of security issues, vulnerabilities, and exploitation schemes, as well as alerts on threats or activities with the potential to impact networks of companies operating critical infrastructure.