Researchers at industrial cybersecurity firm Dragos detected a threefold rise in security threats to hyperconnected industrial environments, alongside a rise in publicly known flaws in the systems supporting critical infrastructure and industrial operations.
The Hanover, Maryland-based company analyzed 703 vulnerabilities in industrial control systems (ICS) and operational technology (OT) environments in 2020, a jump of 29 percent from the previous year.
Dragos also identified four new threat groups, primarily targeting energy and manufacturing, named Kamacite, Stibnite, Talonite and Vanadinite, a 36 percent increase in known groups. Phishing to enable ICS intrusions, threat actors using remote access directly into ICS, and supply chain concerns heightened by limited visibility in ICS environments were among the key trends Dragos revealed in its ‘ICS Cybersecurity Year in Review 2020’ report.
Dragos said that the risk to ICS is not born merely from an IT and OT convergence, but instead from a convergence of an increasingly ICS aware and capable threat landscape with the digital transformation and hyperconnectivity of the industrial community.
“The convergence of an increasingly ICS-aware and capable threat landscape with the trend towards more network connectivity means that the practical observations and lessons learned contained in our 2020 YIR report are timely as the community continues to work to provide safe and reliable operations,” said Robert M. Lee, Dragos’ chief executive officer and co-founder.
Dragos estimates that 23 percent of the vulnerabilities analyzed were in products bordering the enterprise, such as networking communication equipment, VPNs (virtual private networks), data historians, or firewalls commonly deployed in ICS networks, up from the 21 percent recorded in 2019.
ICS-targeting adversaries have traditionally leveraged publicly known flaws for initial access to target environments and pose a risk to industrial operators, Dragos said. These vulnerabilities are of particular interest because they can provide direct access to ICS networks while bypassing enterprise security controls.
Around 77 percent of the vulnerabilities resided deep within the ICS network, including engineering workstations, PLCs, and industrial controllers, Dragos said. These vulnerabilities require access to a control system network to exploit, offering some mitigation for organizations provided they implement proper network segmentation.
As connectivity in organizations increases, segmentation alone is diminishing in value as a security control and should be supplemented with network monitoring and, where possible, multi-factor authentication (MFA) for remote sessions.
Dragos finds that the rise in the reported number of ICS vulnerabilities overall coincided with a rise in the number of vendors providing patches alongside publicly known flaws. Twenty-two percent of advisories did not have a patch when announced, down from 26 percent year-over-year.
Many customers only monitored the IT to OT boundary without monitoring activity inside the ICS network, Dragos said. Although asset owners and operators follow many best practices and the applicable regulations, Dragos continues to observe instances of poor segmentation, with unexpected or unknown connections from the ICS network.
While Dragos threat data shows that the abuse of valid accounts is a favored method of threat activity groups, the company found that organizations continue to share credentials between IT and OT networks. For instance, in the recent Oldsmar water plant hack, a cybersecurity advisory from the Commonwealth of Massachusetts revealed that “all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”
Dragos researchers also identified several third-party vulnerabilities in the software supply chain that impacted ICS systems. Most notable were Ripple20 and Amnesia:33 vulnerabilities in third-party Internet Protocol (IP) stacks, such as those from Siemens and Schneider Electric. These third-party stacks are used in many embedded products, including some used in industrial products and industrial-supporting IT systems.
To improve ICS security going forward, Dragos recommends that users increase their network visibility through network monitoring, host logging, and maintaining a Collection Management Framework (CMF). Enterprises must aim to fully identify external routable network connections to ICS environments that were believed to be air-gapped. By carrying out a ‘Crown Jewel Analysis,’ users can identify the digital attack paths that could impact a critical physical process.
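The visibility gap described above, where only the IT/OT boundary is watched and unknown connections leave a supposedly isolated ICS network, can be checked from flow records collected inside the control network. The following is an added example, not code from the Dragos report; the subnets, the approved DMZ historian address and the flow lines are all constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumed network plan (constructed for this example, not from the report):
ICS_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]         # PLCs, HMIs, engineering workstations
ENTERPRISE_SUBNETS = [ipaddress.ip_network("10.50.0.0/16")]  # corporate IT
ALLOWED_PEERS = {ipaddress.ip_address("10.30.1.10")}         # approved DMZ data historian

def in_any(ip, nets) -> bool:
    return any(ip in net for net in nets)

def parse_flow(line: str) -> Dict[str, object]:
    """Parse one constructed flow record: '<ts> <src> <dst> <dst_port> <proto>'."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "port": int(port), "proto": proto}

def find_unexpected_egress(lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, port, reason) for flows that leave the ICS zone and are
    neither intra-ICS nor bound for an approved peer; these are the 'unexpected
    or unknown connections' that boundary-only monitoring never sees."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if not in_any(f["src"], ICS_SUBNETS):
            continue                      # only flows originating inside ICS
        if in_any(f["dst"], ICS_SUBNETS) or f["dst"] in ALLOWED_PEERS:
            continue                      # expected: intra-ICS or approved DMZ peer
        reason = ("enterprise IT" if in_any(f["dst"], ENTERPRISE_SUBNETS)
                  else "external/unknown")
        findings.append((str(f["src"]), str(f["dst"]), f["port"], reason))
    return findings

# Constructed sample flows, e.g. as exported from a firewall or a network sensor
SAMPLE_FLOWS = [
    "2020-11-03T10:00:01 10.20.5.7 10.20.5.1 502 tcp",      # Modbus PLC<->HMI, intra-ICS
    "2020-11-03T10:00:05 10.20.5.7 10.30.1.10 1433 tcp",    # historian in DMZ, approved
    "2020-11-03T10:00:09 10.20.1.22 203.0.113.10 443 tcp",  # workstation to an outside address
    "2020-11-03T10:00:12 10.20.1.22 10.50.2.9 3389 tcp",    # RDP to a corporate IT host
]

if __name__ == "__main__":
    for src, dst, port, reason in find_unexpected_egress(SAMPLE_FLOWS):
        print(f"unexpected egress {src} -> {dst}:{port} ({reason})")
```

Each finding is a candidate for the routable-connection inventory the report asks for; the two flagged flows here are exactly the kind that a monitor placed only at the IT/OT boundary would not attribute to a specific ICS host.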
Earlier this month, another industrial cybersecurity vendor, Claroty, disclosed a 25 percent rise in ICS vulnerabilities for the second half of 2020 compared to 2019, with over 70 percent of flaws remotely exploitable through network attack vectors. In its second ‘Biannual ICS Risk & Vulnerability Report,’ Claroty revealed that the critical manufacturing, energy, water and wastewater, and commercial facilities sectors were by far the most impacted by vulnerabilities disclosed during the second half of last year.