During the first half of 2021, 637 vulnerabilities affecting industrial control system (ICS) products were published, affecting products from 76 vendors.
Industrial cybersecurity firm Claroty published its third Biannual ICS Risk & Vulnerability Report that analyzes the vulnerability landscape relevant to leading automation products used across the ICS domain.
The company reported that during the first half of 2021, 637 vulnerabilities affecting industrial control system (ICS) products were published, affecting products from 76 vendors.
The cybersecurity firm warns that more than 70% of published vulnerabilities have been assigned critical or high severity ratings.
In the previous report published by the company and related 2H 2020 report, the number of vulnerabilities disclosed was 449, affecting 59 vendors.
It is interesting to note that most of the vulnerabilities disclosed in 1H 2021 (80.85%) were reported by sources external to the affected vendor, including third-party security firms, independent experts, and academics.
The analysis of vulnerabilities disclosed for each vendor revealed that Siemens was the vendor with the most reported vulnerabilities, 146, many of which were disclosed as part of internal research conducted by the Siemens CERT. the other vendors with the highest number of flaws are Schneider Electric (65) and Rockwell Automation (35).
A majority of the flaws impact products on the operations management level (historians, OPC servers), followed by the basic control (PLC, RTU), and supervisory control (HMI, SCADA) levels.
“The largest percentage of vulnerabilities disclosed during 1H 2021 affected Level 3 of the Purdue Model: Operations
Management (23.55%), followed by the Level 1: Basic Control (15.23%) and Level 2: Supervisory Control (14.76%).” states the report published by Claroty.
The security firm states that 61.38% of the disclosed vulnerabilities could be exploited in attacks from outside the IT or OT network, this data is worrisome by the good news is that the percentage is down from the 2H of 2020, when it was 71.49%. Vulnerabilities exploitable through local attack vectors rose to 31.55%, in the 2H 2020 the percentage was 18.93%.
“In 94.38% of the Operations Management vulnerabilities via a local attack vector, user interaction would be required
for exploitation. This reinforces the need for phishing and spam prevention, as well as awareness techniques that
would help stem the tide of ransomware and other potentially devastating attacks.” continues the report.
Experts pointed out that updating industrial control systems or SCADA software is often challenging for many reasons, this means that it is easy to find ICS-SCADA systems that are not updated in industrial environments and threat actors could target them.
Below are some statistics related to the mitigations and remediation:
- 25.59% of the 637 ICS vulnerabilities disclosed in 1H 2021 have no fix or only a partial remediation.
- Of the vulnerabilities with no, or partial, remediation, 61.96% were found in firmware.
- Of the vulnerabilities with no, or partial, remediation, 55.21% could result in remote code execution, and
- 47.85% could result in denial-of-service conditions when exploited successfully.
- Of the 74.4% vulnerabilities with remediation, 59.49% require software fixes.
- 6.43% of the 637 vulnerabilities affect end-of-life products that are no longer supported, meaning the product should be replaced. If a rip-and-replace is not possible, then any recommended mitigations should be applied.
- 51.22% of the vulnerabilities affecting end-of-life products were found in firmware.
Experts warn of ransomware and extortion attacks, especially targeting Level 1 devices, Colonial Pipeline is probably one of the most clamorous cases that made the headlines recently.
Large manufacturing operations and critical infrastructure are becoming target-rich environments for ransomware operators.
Additional data are reported in the Claroty’s ICS Risk & Vulnerability Report for H1 2021.
(SecurityAffairs – hacking, SCADA)