ALPS blog

An In-Depth Look at ICS Vulnerabilities Part 1

Every year, vulnerabilities are discovered and registered to a Common Vulnerabilities and Exposures (CVE) ID by the MITRE Corporation. Each vulnerability’s details are recorded, and specialists also include how to mitigate them under their CVE ID. Vulnerabilities that can affect industrial control system (ICS) environments are identified to the public through advisories by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

In this blog series, our team conducted an in-depth look at ICS vulnerabilities using MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) for ICS. We chose ATT&CK because we believe it to be the best existing framework for analyzing cyberattacks by skill sets, tools, targets, and possible impact due to its basis in real-world observation of cyber attackers’ methods. We also used the Purdue model as it maps an operational technology environment into layers that can be used to show the potential impact.

ICS-CERT Advisories: 2010 onwards

Figure 1. ICS-CERT Advisories by Year

This chart shows how the number of advisories has increased year-over-year since the dawn of the ICS-CERT advisory program, with particular spikes in 2017 and 2021. ICS-CERT advisories are published when an ICS vulnerability is released that attackers could use to cause harm, and most ICS-CERT advisories will contain multiple related vulnerabilities.

2021 shows 389 ICS-CERT advisories, this is over 100 more than 2020’s 249 advisories, showing the largest year-to-year growth in the history of the program. As typical in recent years, these advisories regularly placed a high focus on security awareness education and increased cybersecurity preparation. The ever-increasing number of CVEs affecting ICS environments also highlights the near impossibility of comprehensively addressing each specific vulnerability.

Figure 2. ICS Cyber Threat Timeline from 2010 to 2020

In 2010 the notorious Stuxnet attack was identified. This would prove the viability of large-scale cyberattacks targeting ICSs.

Though only a meager 20 ICS-CERT advisories were put out that year, the numbers immediately began climbing every year. The ICS-related CVEs identified in advisories show what can be a link between years in which there were major ICS cyber threats and the number of CVEs identified in advisories.

2017 was also a pivotal turning point for ICS-targeted cyber attacks. During this year, the WannaCry ransomware based on the EternalBlue vulnerability spread, triggering a widespread cyber incident. This also signaled the start of cybercriminal attacks on the ICS environment becoming more common.

Figure 3. CVES Identified In ICS-CERT Advisories by year

In this chart, we can see that the number of identified CVEs continues to rise from 2010 to 2021, totaling over 4000 CVEs since the creation of the ICS-CERT program.

From 2010 to 2021, 4436 ICS-affecting CVEs in total were identified in ICS-CERT advisories. There are distinct spikes from 2016 to 2017 (260 vs. 407) as well as from 2019 to 2020 (522 vs. 687). The largest year-to-year growth, however, was from 2020 to 2021 (687 to 1255), when the number of CVEs identified in ICS-CERT advisories nearly doubled.

We think that the spike in vulnerabilities identified in advisories from 2016 to 2017, going from 260 in 2016 to 407 in 2017, was this kind of organizational response to WannaCry ransomware-related incidents.

When the WannaCry ransomware was activated in May 2017, tens of thousands of systems that weren’t running the latest Microsoft security patches were immediately caught in its grip. Other forms of ransomware following in its footsteps were also based on the SMB protocol vulnerability EternalBlue, and attacks based on this vulnerability were devastating to work sites running legacy and EoS systems. After the havoc caused by WannaCry and its EternalBlue-based siblings in 2017, industrial control systems – which often use legacy and End-of-Service versions.

Figure 4. CVES Identified In 2021 ICS-CERT Advisories By Contributor

There is a spike of CVES identified in 2019-201. The spike, with 687 CVEs assigned in 2020 (15.5% of all vulnerabilities identified in advisories since 2010), is most likely related to the onset of the COVID-19 pandemic.

This could be because of two reasons. First, the pandemic led to the rapid spread and advancement of remote work technologies. A vast number of assets were extended into the internet more than ever. Secondly, researchers on lockdown had much more time to devote to research and attempting to acquire the resultant bounties.

Figure 5. ICS Cyber Threat Timeline Of 2021 By Month

In 2021, there were significant changes in the methods used by cyber attackers. More advanced destructive supply chain attacks also came to the surface this year. This has created an anxious environment, driving developments in cyber defense and the discovery of ICS-related CVEs.

2021’s timeline overview of major OT and ICS cyber incidents shows that modern criminal operations have become so developed that a service industry has emerged with a common business model – Ransom­ware-as-a-Service (RaaS).

Service operators providing RaaS maintain a customizable platform that they offer to users who want to carry out criminal projects. Known recently-active ransomware groups include Maze, Lockbit, REvil, and DarkSide, though their activity levels can vary.

The Colonial Pipeline and Kaseya Attacks

Around the middle of 2021, Revil and DarkSide got on the United States government’s bad side. The groups’ service was used to trigger two of the most severe ransomware attacks of the year—the Colonial Pipeline and Kaseya supply chain attacks.

The Colonial Pipeline incident, resulting in a US $4.4 payout to attackers, was conducted using DarkSide’s RaaS platform. The Kaseya attack was done using Revil’s service, taking advantage of zero-day authentication bypass” vulnerability, CVE-2021-30116.4. When the Revil group demanded their USD $70 million ransom they claimed to have infected over a million devices. After these two attacks both DarkSide and Revil went quiet, likely due to increased attention from government and law enforcement organizations, with Revil surfacing again in October of 2021.

However, we can expect continued development on RaaS, including new RaaS platforms that integrate functionality from the previous platform.

BlackMatter ransomware, for example, includes tools and techniques from the Darkside, Revil, and LockBit 2.0 ransomware families.6 Our researchers suspect but have not confirmed that BlackMatter is the DarkSide group resuming operations under a changed name.

Most recently, as of December 2021, Emotet and Conti both have resurfaced using advanced ex-ploitation of the Log4Shell vulnerability to accomplish their goals.

U.S. President Joe Biden’s May 2021 Executive Order, Improving the Nation’s Cybersecurity, specifically addressed the rise in supply chain attacks. With this Executive Order, the U.S. government began putting in place regulations designed to prevent such attacks, and one of the biggest changes among these was cre¬ating a mandate for Software Bills of Materials (SBOMs) to be provided for each related exchange. These SBOMs will likely be critical documents in the push to improve industrial cyber defense and prevent supply chain attacks.

In part two of the series, we’ll further discuss ICS vulnerabilities using MITRE ATT&CK. We’ll look into the sectors affected and their risk levels.


Featured News