Dragos, a security firm that specializes in industrial control systems (ICS) has released three year-in-review reports that cover vulnerabilities reported in 2018, the 2018 threat landscape, and lessons it learned in responding to ICS security incidents.

SEE: Information security policy template download (Tech Pro Research)

IT security professionals operating in an ICS environment should take a look at all three reports: Not only do they paint a picture of 2018’s shortcomings, particularly in the CVE arena, but they also paint a picture of what’s ICS organizations are likely to face in 2019.

For those too busy tackling ICS security here’s a summary of those reports and how cybersecurity professionals should respond to their findings.

Security advisories aren’t articulating actual risk

In its Industrial Controls System Vulnerabilities report, Dragos points out several statistics that should alarm anyone who relies on common vulnerabilities and exploits (CVE) reports to secure their networks.

For starters, 32% of them contained scoring errors that resulted in a misrepresented risk. Dragos didn’t say whether misreported risks were high or low, but regardless: Misreported risks could potentially waste security resources.

Some 82% of ICS CVEs “covered products which reside deep within a control system network, or which have no direct control systems interaction at all,” the report said. This means that ICSes aren’t actually at that great a risk from eight out of ten reported vulnerabilities.

While 68% of advisories addressed network-exploitable vulnerabilities, only 28% included mitigation advice, the report added.

The largest actionable takeaway from this report is for ICS security staff to work closely with hardware and software vendors. Only 18% of vendor advisories contained errors in their risk scoring, and error rates were also lower when security researchers reported errors to vendors instead of going through an external CERT process.

Security professionals who find a vulnerability in their system should report it to their vendor immediately–that gives it a much better chance of being properly addressed and patched.

No major incidents, but risk is still bubbling under the surface

Dragos’ threat landscape report covers not only major threats like the ICS-targeting hacking group XENOTIME, but also ways in which the threat landscape is evolving to create more risks for more ICS systems.

The report attributes four elements to an increase in risk over 2018:

  1. An increase in ICS network intrusion for research and reconnaissance purposes
  2. An increase in commodity malware (i.e., pre-packaged ready-to-deploy malware) and ransomware
  3. A rise in “living off the land” tactics that leverage legitimate network resources to further intrusion
  4. The compromise of several ICS vendors, which means threats for companies using their hardware

Zero day threats, the report said, aren’t a significant risk to ICSes, as there are plenty of ways for intruders to penetrate a network that rely on known risks and improper security of public facing ICS networks. The report also noted an increase in commercial penetration-testing tools being turned to nefarious use by hackers.

Defending against these attacks requires a “kill chain” approach that targets potential threats at each level of an attack. “Defenders can use a mix of modern threat detection strategies including indicator- or behavior-based methods, or approaches relying on modeling and configuration. Diversifying threat detection strategies can help asset owners and operators identify threats earlier, and achieve greater visibility into potential threats,” the report stated.

The third report covers Dragos’ own work in the ICS security sector in 2018. Of note from that report is:

  • The majority of engagements (55%) were with power companies, both those involved in generation and transmission. The remaining 44% was split equally between chemical, biomed, pharmaceutical, manufacturing, transportation and shipping, water utility, and wastewater treatment sectors.
  • Most of those engagements weren’t in response to actual security events, but were training and informational discussions to help teams better understand threats and how to respond to them.

Those findings, according to the report, point to a trend of increasing concern on the part of ICS security teams, which it said is a positive trend going forward.

The big takeaways for tech leaders:

  • CVE reports pertaining to ICS vulnerabilities are prone to error and most lack mitigation methods. Security professionals should look directly to vendors for solutions and security updates. — Dragos, 2019
  • 2018 saw a rise in non-zero day attacks, especially those that use existing network resources to propagate. Security professionals need to adopt a kill-chain security posture that accounts for each possible step in an intrusion. — Dragos, 2019

Also see: