[German]The number of publicly disclosed vulnerabilities affecting medical devices, industrial control systems (ICS) or the extended Internet of Things (XIoT) is continuously increasing. In the last four years, the number of disclosed vulnerabilities in industrial control systems (ICS) has more than doubled (up 110%). In the second half of 2021 alone, the number increased by 25 percent compared to the previous six months. This is according to a corresponding report by security provider Claroty.
Currently, you can read about such vulnerabilities every day. At the beginning of March 2022, for example, German site heise reported on hard-coded credentials in industrial control systems from Schneider Electric. In the article TLStormTLStorm: 3 critical 0-day vulnerabilities put APC Smart UPS at risk, I had reported about vulnerabilities in the cloud connection of uninterruptible smart power supplies from the manufacturer APC. Security vendor Claroty has analyzed data from trusted open sources such as the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and industrial automation vendors Schneider Electric and Siemens, and compiled it into a report (which unfortunately is only available after registration). Therefore, here is some information from this report, which contains an analysis of the ICS vulnerabilities published in the second half of 2021.
- The number of disclosed ICS vulnerabilities has increased by 110 percent in the last four years. This shows that awareness of this issue has increased significantly and security researchers are increasingly including OT environments. 797 vulnerabilities were reported in the second half of 2021, up 25 percent from 637 in the first half of 2021.
- 34 percent of the vulnerabilities disclosed involve IoT, IoMT and IT components. Therefore, enterprises need to bring OT, IT and IoT together under converged security management. Operators of these systems need an accurate view of their environments to manage vulnerabilities and reduce their exposure.
- Half of the vulnerabilities (50%) were discovered by external specialists, most of them by researchers from cybersecurity companies that are shifting their focus to ICS in addition to IT and IoT security research. In addition, 55 new researchers reported security vulnerabilities.
- The number of vulnerabilities reported by in-house experts increased by 76 percent over the past four years. This underscores the growing importance of the discipline, as well as a higher level of maturity in vulnerability research, and shows that manufacturers are devoting increasing resources to the security of their products.
- 87 percent of vulnerabilities have low attack complexity, meaning they require no special conditions and attackers can expect repeatable success every time. 70 percent require no special privileges to successfully exploit a vulnerability, and 64 percent of vulnerabilities require no user interaction.
- 63 percent are remotely exploitable. This demonstrates that securing remote connections and devices is of paramount importance, especially as the need for secure remote access solutions, accelerated by the pandemic, continues unabated.
- Claroty's research division, Team82 uncovering 110 vulnerabilities in the second half of 2021 and more than 260 vulnerabilities overall.
- The most common potential impact is remote code execution (for 53% of vulnerabilities), followed by disruption (denial of service) (42%), bypassing protections (37%), and opportunities for attackers to read application data (33%).
- Key remediation measures include network segmentation (recommended for 21% of vulnerabilities), protection against ransomware, phishing and spam (15%), and traffic restrictions (13%).
On the one hand, the numbers are bad news, because the components are full of vulnerabilities and the stuff is networked to hell. On the other hand, it's a good sign that security researchers are looking at the components and disclosing vulnerabilities so that manufacturers and users can respond. Amir Preminger of Claroty comments:
As more cyber-physical systems become interconnected and access to these networks is gained via the Internet and the cloud, security managers need timely, useful vulnerability information so they can adjust their risk management accordingly. Increasing digital transformation, coupled with the convergence of ICS and IT infrastructure, is enabling researchers to extend their work beyond OT to the XIoT.
High-profile cyber incidents in the second half of 2021, such as the Tardigrade malware, the Log4j vulnerability, and the ransomware attack on gas station supplier Oiltanking, demonstrate the vulnerability of these networks and underscore the need for security researchers to work together to discover and disclose new vulnerabilities.
My question : The knowledge is there, but are users reacting accordingly and securing their systems? And are manufacturers providing appropriate security updates in a timely manner. The number of successful attacks shows that the homework is probably not always done.