Operational technology (OT) is facing increased scrutiny from the security research community—as well as from threat actors—in a race to find and fix vulnerabilities before they're exploited, and the safety and reliability of critical systems is put to the test.
To that end, I'm excited to share that the Claroty Research Team recently concluded an in-depth analysis of industrial control system (ICS) vulnerabilities disclosed and patched during the first half of the year. The results identify some trends of note to OT security practitioners and technology providers, and provide context to the risks faced by OT networks. They were published today in the inaugural Claroty Biannual ICS Risk & Vulnerability Report.
As a member of the Claroty Research Team and primary author of this report, I recognize the considerable challenges posed by ICS vulnerabilities and am proud to have supported research that aims to further illuminate these challenges and their implications for practitioners, vendors, and other researchers.
"There is a heightened awareness of the risks posed by ICS vulnerabilities and a sharpened focus among researchers and vendors to identify and remediate these vulnerabilities as effectively and efficiently as possible," said Amir Preminger, VP of Research at Claroty, who also contributed to the report.
The dataset making up our research included the 365 vulnerabilities in ICS products sold by 53 vendors published during the first half of the year by the National Vulnerability Database (NVD). We also examined 139 advisories published by the Industrial Control System Computer Emergency Response Team (ICS-CERT). More than 70% of those flaws are exploitable remotely over the network, reinforcing the notion that air-gapped OT networks are uncommon and these networks are no longer isolated from cybersecurity threats.
Compounding the risk posed by remotely exploitable vulnerabilities is the rapidly rising number of remote workers. OT operators have not been spared this phenomenon during the COVID-19 pandemic, and are connecting remotely to ICS networks at an unprecedented rate. This dynamic, in parallel with the rise in remotely exploitable bugs, should enhance the focus on OT vulnerabilities.
Our team this year, meanwhile, has disclosed 26 vulnerabilities that have been patched by vendors, largely those with massive install bases and that are important providers within industrial operations. Security flaws in engineering workstations and programmable logic controllers (PLCs) make up the majority of vulnerable product types that we discovered. Not only are engineering workstations and PLCs critical to industrial operations, but they are also appealing targets for adversaries.
Engineering workstations, for example, often connect to IT networks, and a successful exploit against vulnerable workstations give attackers an initial network foothold. PLCs, meanwhile, largely control physical processes within OT networks, and attacks against those units can affect the reliability of plant processes, for example.
Among the 26 vulnerabilities found by Claroty, more than 60% enable remote code execution against OT networks. Others allow for denial-of-service attacks, or power-over-ethernet attacks.
In all, there was a 10.3% year-over-year increase in vulnerabilities published by the NVD during the first half of the year compared to 2019; three-quarters of these vulnerabilities were assigned critical or high-severity ratings. There was also a 32.4% increase in the number of ICS-CERT advisories published so far this year compared to last year; third-party researchers accounted for more than 71% of ICS-CERT advisories attesting to their critical role in vetting ICS device security.
Today's report also enumerates the ICS vendors and products mentioned in NVD and ICS-CERT advisories, and breaks them down by critical industry and the impact of the respective vulnerabilities on each industry.
Claroty's Chief Product Officer, Grant Geyer, will also be providing a deeper look at the report's findings during a live webinar and Q&A session on August 27th. Register Here.
CWE-79 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING')
The affected product is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim's browser.
Zenitel recommends users to upgrade to Version 9.3.3.0 or later.
CVSS v3: 9.8
CWE-787 OUT-OF-BOUNDS WRITE
The affected product is vulnerable to an out-of-bounds write vulnerability, which could allow a remote attacker to crash the device.
Zenitel recommends users to upgrade to Version 9.3.3.0 or later
CVSS v3: 7.6
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION')
An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, which could permit attackers to append arbitrary data. This could allow an unauthenticated attacker to inject arbitrary commands.
Zenitel recommends users to upgrade to Version 9.3.3.0 or later
CVSS v3: 9.8
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION')
An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely.
Zenitel recommends users to upgrade to Version 9.3.3.0 or later.
CVSS v3: 9.8
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION')
An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters. This could allow an unauthenticated attacker to inject arbitrary commands.
Zenitel recommends users to upgrade to Version 9.3.3.0 or later
CVSS v3: 9.8
