
Part of the Informa Network, Dark Reading is a trusted online community for cyber security professionals, including CISOs, cyber security researchers and technology specialists. Covering the latest threats, vulnerabilities and cyber attacks, Dark Reading supports community members in keeping up with the latest in the sector.
April 7, 2022



Growing threat to manufacturing and industrial systems as vulnerabilities rise

The makers of operational technology and connected devices saw reported vulnerabilities grow by half in 2021, but other trends may be more disturbing, writes Robert Lemos for Dark Reading.

The real threats to industrial control systems (ICS) became clearer in 2021, as the number of vulnerabilities discovered in operational technology (OT) devices and the systems that manage those devices jumped by more than half, while ransomware groups continued to target manufacturing and critical infrastructure.

The number of vulnerabilities reported in 2021 increased 52% to nearly 1,440, compared with the previous year, according to industrial cyber security firm Claroty’s biannual report. In addition, cyber security researchers branched out — 21 of the 82 vendors affected by security flaws in their software or firmware had not previously had vulnerabilities reported in their systems. Nearly two-thirds of the discovered security issues could be exploited remotely, Claroty’s report stated.

The increase in vulnerabilities — as well as researchers’ forays into previously unexplored vendors’ products — shows that there is greater interest in industrial control systems, says Amir Preminger, Vice President of research at Claroty.

Reported ICS vulnerabilities increased by half in the past year, with an increasing number found internally. Source: Claroty Biannual ICS Risk & Vulnerability Report, 2H 2021

“They [attackers] are trying to learn and gain access to industrial control systems, and these vulnerabilities are going to be their playground,” he says. “A lot of the vulnerabilities that we have seen do not require high complexity to exploit, and when you talk about ICS, the barrier is very, very low — you don’t have to hack three layers of the cloud to exploit these.”

The Colonial Pipeline wake-up call

IIoT and OT have become significant concerns for cyber security policy-makers because, by their nature, they turn digital threats into physical risks. The ransomware attack on the IT systems of petroleum-delivery firm Colonial Pipeline in May 2021, for example, led to the business shutting down oil and gas deliveries, resulting in surging gas prices and shortages at the pump.

In addition, cyber security researchers have seen an increased focus on industrial control systems, because attackers have targeted operational technology in the run-up to the Ukraine War. On Feb. 26, for example, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that Russian attackers had launched significant attacks prior to the invasion of Ukraine, using two wiper programs to cause outages in government services.

Overall, attacks against critical infrastructure and industrial control systems have become more prevalent because an increasing body of research has given attackers a greater understanding of the systems and because cybercriminal schemes — most notably, ransomware — have made attacks against operational systems profitable, Dean Parsons, a certified SANS instructor and industrial cybersecurity professional, wrote in a recent SANS report.

“We are seeing adversaries are being more clever to attack industrial environments, because they see a quicker route to pay and pay more,” he says. “These threats will not go away because the adversaries are seeing a return on their investment.”

Because attackers also have more access to research on OT and ICS, that barrier to entry has practically disappeared. As a result, more vendors of industrial control systems, operational technologies, and Industrial Internet of Things (IIoT) devices are facing reported vulnerabilities in their products, according to the Claroty report. While Siemens, a major provider of industrial control technology, continues to be the vendor with the most reported vulnerabilities — 251 in the second half of 2021 — a quarter of the vendors in the second half and a third of the vendors in the first half did not have a vulnerability discovered in the past 12 months.



“These are good examples of vendors that have had no CVE [identified vulnerability] in their products,” suddenly finding their technology under the microscope, Claroty’s Preminger says. “It is not due to the fact that they don’t have vulnerabilities. The increase is from security researchers finally getting ahold of the technology and being able to conduct research.”

Patching conundrum

Only 69% of the ICS vulnerabilities discovered in the second half of 2021 could be fully remediated, highlighting another issue of industrial control systems and OT — the difficulty in updating software and devices that are part of critical infrastructure.

“These cycles can take significantly longer than traditional IT patch management, often making mitigations the only remediation option open to defenders,” Claroty stated in its report. “Vendors and internal security analysts and managers must also prioritise tracking of vulnerabilities in end-of-life products and in products where updates may be challenging or downtime is unacceptable.”

While vulnerabilities are increasing, they are not the best measure of the risk facing manufacturers, since many companies — such as Siemens — are proactively finding the issues and closing them before attackers can exploit them. More important is that companies understand the actions that attackers are taking, whether exploiting specific vulnerabilities or finding other ways of attacking critical infrastructure, says the SANS Institute’s Parsons.

ICS and OT security has different considerations than IT security, and they cannot be handled the same way, Parsons says.

“Sure there are vulnerabilities there, but we should not focus on the vulnerabilities, we should focus on what the adversaries are doing,” he says. “We need to have more network-specific visibility — without that, we are literally blind to what attackers are doing to the industrial control systems. Visibility is key to getting ahead of this stuff.”

In fact, 86% of companies that hired a cybersecurity provider had a lack of visibility across their operational technology networks, allowing external connections to their OT systems, according to a report by critical infrastructure security firm Dragos. The cybersecurity provider found that two groups — Conti and LockBit 2.0 — had made extensive use of industrial firms’ lack of visibility, accounting for 51% of ransomware attacks against companies.

This article first appeared on Dark Reading.

