According to the Dragos report “Industrial Control Vulnerabilities: 2017 in Review”, 163 vulnerabilities were identified in 2017. “Of these, the majority were vulnerabilities in insecure-by-design products which are typically deep within an ICS network,” the report says.
Further, Reid Wightman, senior vulnerability analyst, found that “public reports failed to adequately define the industrial impact of vulnerabilities. Coupled with the fact that most public vulnerability disclosures provide no alternative guidance beyond ‘patch’ or ‘use secure networks’.”
An industrial control system is the set of devices and software that might be used to control any industrial process, from a water purification plant, through a mine processing plant to food manufacture and even a nuclear power plant. As well as sensors and actuators at the plant floor, there would be programmable logic controllers to electrically operate the plant as well as SCADA (supervisory control and data acquisition) computers for plant operators to view and manage the work of the plant.
• Sixty-four percent of vulnerability patches don't fully eliminate the risk because the components were insecure by design.
• Eighty-five percent of vulnerabilities apply late in the kill chain and are not useful to gaining an initial foothold. If these vulnerabilities are exploited, it is likely the adversary has been active in the network for some time and already pivoted through various other systems.
• Seventy-two percent of advisories provide no alternative mitigation guidance outside of patching, suggesting no method to reduce risk until after an update cycle.
• Sixty-three percent of vulnerabilities were found to affect either ICS hardware or software with no publicly available version (e.g., free, demo).
• Seventy-one percent caused loss of view, 63% caused loss of control and 61% caused both.
As part of their report, Dragos offered three broad recommendations.
Most ICS vulnerability assessments and impact analyses are overly broad and give asset owners little meaningful guidance to act on. Dragos recommends that "vulnerability advisories must provide reasonable effective alternative options. Offer several alternatives which may not be applicable to all users but help some. This advice should include specific ports and services to restrict or monitor to reduce risk and impact from an attack, or specific system hardening recommendations to better defend systems from local exploitation".
Further, it says that "traditional IT impact assessments are insufficient for ICS/OT environmental risk analysis. Advisories should adopt ICS-specific metrics to better inform users of operational risks".
As always, patching is fraught in the ICS environment. Dragos observed that “major vendors have released patch-sets that triggered failures in end user systems". Further, it said: “Patches are rarely applied quickly in ICS environments due to concern that the patch may cause an operations outage. Recent patch failures are reinforcing this argument.”
To counter this, the company recommends: "The first step to starting a patch management program must be developing a ‘test’ or ‘development’ control systems network which contains samples of the actual plant’s critical systems. This allows for proper testing of patches, and minimises the risk of outage of any critical plant systems."
Dragos’ report along with a couple of more detailed ones may be found here.