An increasing number of vulnerabilities are leaving our critical national infrastructure (CNI) exposed to cyberattacks from threat actors with geopolitical or corporate espionage motives, looking to cause disruption, economic harm or damage the health and wellbeing of citizens.
These vulnerabilities are being found in the industrial control systems (ICS) that are critical for the functioning of CNI. If threat actors gain control to any of these systems, they can change how they function or stop them from working altogether, which could have far-reaching consequences.
To prevent their ICS being taken over by threat actors, organizations in key industries such as energy, manufacturing and pharmaceuticals need to know what these vulnerabilities are and what measures to put in place to mitigate them.
About the author
Amir Preminger is VP of Research at Claroty
The rise of vulnerabilities
Our recent research revealed that the number of ICS security flaws published by The National Vulnerability Database (NVD) and in vulnerability advisories reported by the Industrial Control System Cyber Emergency Response Team (ICS-CERT) had risen year-on-year.
We found that the number of ICS-CERT advisories published in the first half of 2020 was nearly a third greater than for the same period in 2019, whereas the 365 vulnerabilities reported by the NVD in 2020 increased 10.3% from the previous year.
For specific industries these rises were even higher. For example, the water and wastewater sector saw a 122.1% upsurge in ICS-CERT vulnerabilities, critical manufacturing experienced an 87.3% increase, while in the energy sector it was 58.9%.
Such growth is due to a number of factors, including the fact that ICS are now more connected to the internet than ever before, however updating them with the latest patches can prove problematic. It is also important to note that this rise is also in part due to greater awareness of these vulnerabilities, and researchers and vendors giving more priority to identifying and remediating them as effectively as possible.
Increased connectivity
Traditionally ICS equipment and the operational technology (OT) networks on which they run were completely siloed (or air-gapped) from IT networks, making it next to impossible for threat actors to target them remotely. Yet, in a drive for greater efficiencies through automation technologies, businesses have been increasingly integrating their OT infrastructure with their IT networks.
As this becomes more common, the responsibility for managing the security of the OT network increasingly falls to IT security teams, many of which mistakenly assume that they can simply apply the IT security protocols they are familiar with to the OT network. However, this is not the case as, for instance, uptime takes priority over protecting data on OT networks, meaning it is difficult to carry out standard IT security activities such as patching and software maintenance. Despite this and other glaring differences between IT and OT, organisations are still forging ahead with their IT/OT integration plans while being none the wiser.
Remote exploitation
Our research found that more than 70% of the vulnerabilities published by the NVD can be exploited remotely, highlighting that air-gapped OT networks are now exceptionally rare. For example, one way in which the air gap has been closed is through engineering workstations (EWS) that connect to both the OT and IT networks by necessity. Such a link makes them an attractive target for threat actors, as once they have infiltrated the IT network, they can then use the EWS to move onto the OT network. After gaining control, threat actors are able to access other areas of the OT including programmable logic controllers (PLCs), which enable them to tamper with physical processes.
The research also found that EWS products contained more than half of the vulnerabilities discovered, while PLCs make up a quarter. Using these vulnerabilities, threat actors are able to perform actions such as remote code execution (RCE), which enables them to send commands remotely to establish permanence and conduct lateral movement. RCE was possible with nearly half of identified vulnerabilities (49%), followed by the ability to read application data (41%), cause denial of service (DoS) (39%), and bypass protection mechanisms (37%).
Disclosing vulnerabilities
While it might seem counterintuitive, sharing any discovered vulnerabilities with the ICS community is essential for keeping threat actors at bay. It not only enables vendors and researchers to find new methods to mitigate these risks, but also warns others using the same systems that they need to take action to limit the ability of threat actors to exploit these vulnerabilities.
Some might be reluctant to share their knowledge as they believe it might make them a target for threat actors, however, it is important to note that if a vendor is affected by a large number of vulnerabilities, this does not necessarily mean that they have poor security posture. Instead, it more likely signifies that the company is dedicating resources to test out its products in order to proactively find these vulnerabilities and work to resolve them.
To help the wider industry, CNI organisations need to put in place a system for automatically gathering information about disclosed vulnerabilities and comparing them to their own ICS. However, this can only be effective if all vendors are open about their vulnerabilities and are willing to share them.
Protecting ICS isn’t always simple
ICS are by their nature multifaceted, complex systems and there is no simple solution for mitigating all the vulnerabilities present. Instead a multi-layered approach is necessary.
As our research demonstrates, CNI and key manufacturing industries need to take action to protect remote access connections. This is now more important than ever, as such a high number of workers are having to operate systems remotely due to the restrictions of COVID-19 lockdowns.
Granular access permissions that allow workers to only use the exact functions needed to carry out their job should be introduced to prevent threat actors from easily moving around the network, jumping from one device to another. By controlling these permissions with multifactor authentication (MFA), organisations can thwart hackers who use techniques such as brute force to crack passwords and gain access to the network. MFA also helps to mitigate some of the dangers posed by social engineering, in which threat actors use fake emails and websites to get employees to reveal their login credentials. To further reduce the danger of social engineering-based threats, employees should also receive training on how to spot malicious emails, and what to do if they receive one.
Furthermore, collaboration between IT and OT security teams is vital to keep the entire ICS environment safe. In this way, any vulnerabilities on the IT network can be analysed to determine if they will have any impact on OT and vice versa. Such a capability can only be effective through having a unified view of both the OT and the IT networks, as well as experts who understand the nuances between them.
As the connectivity between OT and IT inevitably increases due to the demands of greater efficiencies, so too will the potential vulnerabilities that need to be mitigated. It is therefore now more important than ever that security teams working in CNI put in place measures that enable them to quickly and effectively detect and respond to any threats, whether they occur on the IT or OT network.