ICS systems vulnerable to remote exploitation


By Dylan Bushell-Embling
Monday, 24 August, 2020


More than 70% of vulnerabilities in the industrial control systems (ICS) in use in critical infrastructure sectors that were disclosed during the first half of 2020 can be exploited remotely, research from operational technology security company Claroty suggests.

The remote exploitation of these systems comes as reliance on remote access to industrial networks grows — particularly in the energy, critical manufacturing, and water and wastewater infrastructure sectors — according to Claroty’s latest biannual ICS Risk & Vulnerability report.

An assessment of 365 ICS vulnerabilities published in the US National Vulnerability Database, as well as 139 ICS advisories issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) during the half-year period, found that more than 75% were rated as high or critical.

In addition, ICS vulnerabilities published in the database grew 10.1% year on year, with ICS-CERT advisories up 32.4%.

The most common potential impact of the vulnerabilities assessed was remote code execution (RCE), possible with 49% of vulnerabilities.

The prominence of remote exploitation has only been exacerbated by the large-scale increase in employees left working from home amid COVID-19 restrictions, the research found.

After remote code execution, the most common potential impacts uncovered include the ability to read application data (41%), cause denial of service (DoS, 39%) and bypass protection mechanisms (37%).

Meanwhile the research found that the energy sector was the most impacted by vulnerabilities in 1H20, followed by critical manufacturing, and water and wastewater. But year on year, the water and wastewater sector experienced the largest increase in common vulnerabilities and disclosures at 122.1%.

Claroty’s own researchers discovered 26 of the industrial control system vulnerabilities disclosed during the half-year period. More than 60% of these enable some form of remote code exploitation.

The company said that, for many vendors affected, this was their first reported vulnerability. The vendors responded by creating dedicated security teams and processes to address the rising vulnerability detections due to the convergence of IT and operational technology.

“There is a heightened awareness of the risks posed by ICS vulnerabilities and a sharpened focus among researchers and vendors to identify and remediate these vulnerabilities as effectively and efficiently as possible,” Claroty VP of Research Amir Preminger explained.

“We recognised the critical need to understand, evaluate and report on the comprehensive ICS risk and vulnerability landscape to benefit the entire operational technology security community.”


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd