365 ICS vulnerabilities were disclosed in the first half of the year, 75% of them are high or critical on the CVSS scale, and nearly three-quarters can be exploited remotely, according to a report.
A report on industrial control system (ICS) vulnerabilities from the first half of 2020 is shining a light on a rise in critical flaws in system security that can be remotely exploited by cybercriminals.
Compiled by operational technology (OT) security firm Claroty, the "ICS Risk & Vulnerability Report" combined publicly disclosed vulnerabilities and those discovered by Claroty to arrive at a total of 365 vulnerabilities in ICS systems from 53 vendors, three-quarters of which received CVSS scores ranking them as high or critical risks.
To make matters more severe for companies operating ICS software, 70% of reported vulnerabilities could be exploited remotely using a network attack vector. The rapid shift to remote work because of the COVID-19 pandemic has increased the potential of remote attacks on ICS because of the increased amount of remote connections to OT networks that are typically air-gapped and otherwise cut off from the outside world.
The 365 reported vulnerabilities also represent a 10% increase over the first half of 2019, but Claroty said that may not indicate an increase in the actual number of threats or a loosening security posture. "The primary factors are likely heightened awareness of the risks posed by ICS vulnerabilities and increased focus from researchers and vendors on identifying and remediating such vulnerabilities as effectively and efficiently as possible," the report said.
In terms of the vendors affected, Rockwell Automation accounted for nearly a quarter of vulnerabilities, Opto22 accounted for 16.7%, and B&R accounted for 13.3%. Other vendors like Siemens and Schneider Electric made the list as well, but the first three mentioned account for the majority.
In terms of the types of systems affected, engineering workstations (EWS) accounted for 57.7% of vulnerabilities (of those discovered by Claroty), and programmable logic controllers (PLC) accounted for 28.9%, making those two the most affected by far.
"EWS often have some degree of connectivity to the IT network. They also have access to the shop floor and the PLCs that control physical processes within OT networks. For adversaries seeking to manipulate or compromise those physical processes, gaining access to an EWS provides an initial foothold. EWS are also generally considered to be prone to vulnerabilities, which—when combined with their tendency to have IT connectivity—can cause adversaries to perceive them as both desirable and viable targets," the report said.
Aside from ensuring all ICS systems are kept up to date, Claroty makes a number of recommendations on how to protect OT from known, and yet-to-be-discovered vulnerabilities. Its recommendations fall into three categories.
Protect remote access connections
More remote workers means more remote connections, and keeping those connections secure is essential. Make sure any VPNs being used are the latest versions, actively monitor remote connections to OT networks and ICS devices, use granular permissions, and require users to authenticate with multifactor authentication.
Prevent phishing attacks
All it takes is a single successful phishing attack for a user with access to sensitive systems to have their accounts (and thus, your OT and ICS networks) compromised.
Common anti-phishing tips apply here, like not opening emails from untrusted sources, avoiding clicking links in emails, never giving out passwords via email, etc. Claroty also recommends frequently backing up essential industrial control files and storing them offline in case of a ransomware attack.
Keep internet-facing ICS devices safe
Connecting an ICS device to the internet can sometimes be necessary, but a sensitive machine can also end up online by accident, through a port that was never closed or a software setting left toggled the wrong way. Claroty recommends, at a bare minimum, that all ICS operators comply with Israel's CERT recommendations discussed in this article from TechRepublic sister site ZDNet.
In addition to following those recommendations, ICS operators should also:
- Protect all internet-connected ICS devices and ensure passwords are regularly changed.
- Assign permissions granularly to ensure that a user who needs access to one machine doesn't have access to others unnecessarily.
- Encrypt all remote access connections, enable access control lists, and ensure appropriate remote access tools are being used.
- Segment OT networks.
- Utilize continuous threat monitoring.
- Keep up-to-date on the latest threats to ICS systems and OT networks.