Many ICS flaws remain unpatched as attacks against critical infrastructure rise

Patching vulnerabilities in industrial environments has always been challenging due to interoperability concerns, strict uptime requirements, and sometimes the age of devices. According to a recent analysis, a third of vulnerabilities don’t even have patches or remediations available.

Out of 926 CVEs—unique vulnerability identifiers—that were included in ICS advisories from the US Cybersecurity and Infrastructure Security Agency (CISA) during the second half of 2022, 35% had no patch or remediation available from the vendor, according to an analysis by SynSaber, a security company that specializes in industrial asset and network monitoring.

Simply counting vulnerabilities without looking at their impact and likelihood of exploitation is far from an appropriate way of assessing risk, but the trend can be worrying at a time when the number of attacks against industrial equipment operators across various industries is on the rise. By comparison, the number of unpatched ICS flaws during the first half of the year were 13% out of a much lower 681.

“Even if there is a software or firmware patch available, asset owners still face a number of constraints,” the SynSaber researchers warned in their report. “One cannot simply patch ICS. Original equipment manufacturer (OEM) vendors often have strict patch testing, approval, and installation processes that delay any updates. Operators must consider interoperability and warranty restrictions to environment-wide changes in addition to waiting for the next maintenance cycle.”

Not all ICS flaws are equal

Vulnerabilities can differ in many ways aside from just having different criticality scores and will impact different environments differently. For example, memory corruption vulnerabilities such as out-of-bounds writes can lead to arbitrary code execution or application crashes (denial of service). The former is obviously more serious in general, but in an ICS context where devices are used to supervise and carry out critical physical processes, denial of service can have more severe implications than inside typical IT environments.

According to a new report from ICS and IoT security company Nozomi Networks, out-of-bounds writes and out-of-bounds reads were the most common weaknesses (CWEs) associated with CVEs in CISA advisories between July and December 2022. The top 10 list is completed by:

• Improper input validation (CWE-20)
• Improper access control (CWE-284)
• Improper limitation of a pathname to a restricted directory also known as path traversal (CWE-22)
• Missing authentication for critical function (CWE-306)
• Improper neutralization of input during web page generation aka cross-site scripting (CWE-79)
• Use of hard-coded credentials (CWE-798)
• Stack-based buffer overflow (CWE-121)
• Improper neutralization of special elements used in a SQL command – a.k.a. SQL injection (CWE-89)

The CISA advisories impacted 184 unique products from 70 different vendors with the most affected sectors being critical manufacturing, energy, water systems, healthcare, and transportation. Moreover, around two-thirds (69%) of ICS vulnerabilities disclosed during the second half of 2022 were high (58%) or critical (13%), according to their CVSS scores.

The good news is that the likelihood of a vulnerability being exploited in ICS environments differs from enterprise IT due to factors like network accessibility and user interaction. OT (operational technology) environments and devices should have better segmentation and should be separated from IT networks with strict access controls, so at least in theory it should be harder for attackers to reach these devices if best practices are followed.

According to SynSaber’s analysis, 104 CVEs (11%) required both local network or physical access to the device to exploit as well as user interaction. Another 25% required user interaction regardless of network availability. Examples of such vulnerabilities are those that involve the plaintext storage of a password (CWE-798) or cross-site scripting (CWE-79).

“In this example, the attacker must have physical access to the device and be able to interact with the system flash memory in order to gain access to plaintext passwords,” the SynSaber researchers said. “It’s possible that an attacker may acquire or steal a device, extract passwords from flash memory, and then reuse those credentials for an attack. These chains of events require physical and logical access along with other caveats.”

Furthermore, the location of the vulnerability inside the stack matters as it will influence the level of patching required. For example, flaws in applications that run on a device are easier to patch because they could only require a software update. Others that are deeper in the operating system components might need a firmware update that requires taking all the impacted devices offline. This could prove problematic for numerous reasons: Devices are deployed in the field at remote and hard to access locations, the devices can’t be taken offline except on scheduled maintenance periods and so on. Then there are protocol vulnerabilities, which could impact an entire architecture and could require the upgrade of multiple devices and accompanying systems to maintain interoperability.

“A significant number of industrial devices can only be updated via a firmware image flash that may contain changes to functionality in addition to remediating security, let alone the risk of ‘bricking’ a device during the process,” the SynSaber researchers said.

According to SynSaber, 63% of the flaws in H2 2022 required a software fix, 33% required firmware updates and 4% required protocol updates. The incidence of firmware and protocol flaws was lower than in H1, but overall, around 35% of CVEs had no patch or remediation available from the vendor and many of them could remain forever-days because the products are no longer supported or the vendor doesn’t plan to release fixes.

SecurityScorecard, a company that specializes in rating cybersecurity postures, analyzed all critical manufacturing organizations included in the Global 2000 Forbes list and found that 48% of them had a rating of F, D, or C according to its scoring criteria. In particular the Patching Cadence, one of the factors tracked by the company, saw a drop from 88 (B rating) to 76 (C rating) for the critical manufacturing sector from 2021 to 2022.

“The Patching Cadence factor analyzes how many out-of-date assets a company has and the rate at which organizations remediate and apply patches compared to peers,” the SecurityScorecard team said in its report. “This decline is likely due to an increased volume of vulnerabilities. Critical manufacturing experienced a 38% year-over-year increase in high vulnerabilities.”

A spike in hybrid threats to ICS

ICS environments used to be primarily a target for sophisticated cyberespionage or cyber sabotage groups often associated with national governments and their intelligence agencies. However, traditional cybercrime groups such as ransomware gangs and hacktivists are also increasingly targeting critical manufacturing and healthcare companies, which could lead to disruptions in assets considered critical infrastructure.

In June, a hacktivist group dubbed Gonjeshke Darandethat caused production line disruptions at three Iranian steel companies. The same group used wiper malware earlier last year against Iran’s train system. Ransomware group BlackCat was behind an attack against Italian state-owned energy services firm GSE as well as Columbian energy supplier EPM. A cyberattack with economic motives against Supeo, an asset management solutions provider to railway companies, caused disruptions to train schedules in Denmark. Hive ransomware hit Tata Power, India’s largest power company, and ransomware gang LockBit hit Continental, an automotive and rail technology giant.

“Over the past six months we have seen cyberattacks on critical infrastructure affecting industries ranging from transportation to healthcare,” researchers from Nozomi Networks said. “Continued attacks on railroads have prompted guidelines to help rail operators secure their assets. Hacktivists have opted to use wiper malware to launch disruptive attacks on critical infrastructure, to further their political stance in the Russia/Ukraine war.”

Moreover, the lines between APT and cybercrime attacks have blurred, with nation-state actors adopting ransomware-like destructive techniques and cybercriminals adopting nation-state persistence and stealthiness tactics. Last week members of the hacktivist group GhostSec bragged about managing to encrypt an RTU (remote terminal unit), even though it was a 3G router with serial communication capabilities that would fall more in the “communications gateway” category. In the ICS space, RTUs are specialized programmable systems that link field ICS devices to SCADA (supervisory control and data acquisition) systems.

Based on anonymized telemetry collected by Nozomi Networks from customer ICS environments, the most common types of intrusion alerts observed were cleartext password and weak passwords, followed by suspicious packet rule matches, weak encryption, TCP SYN flood and malformed network packets. All these vectors could be used to exploit different types of vulnerabilities. In terms of malware seen in OT environments, the most common types were RATs (remote access trojans) with 3,392 detection alerts.

According to SecurityScorecard, 37% of critical manufacturing organizations had malware infections in 2022, a rise from 2021. “Critical manufacturing stands out as a sector that has a long way to go in terms of achieving cyber resilience,” the company said. “As defined by CISA, critical manufacturing includes Primary Metals Manufacturing, Machinery Manufacturing, Electrical Equipment, Appliance and Component Manufacturing, and Transportation Equipment Manufacturing.”