In part one, we discussed ICS-CERT advisories from 2010 to 2021. Using MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) for ICS, determined the number of identified CVEs that affect the ICS environment.
For this blog entry, we look into the sectors affected, especially during 2021:
The chart shows that 59.8% of 2021’s ICS-related vulnerabilities are critical or high-risk, with 14.94% critical and 45.64% high risk. These are vulnerabilities which are easily exploited by attackers to impact operations.
This chart shows vulnerabilities each year from 2017 to 2021 as classified by sector in ICS-CERT advisories. Numbers represent how many vulnerabilities in advisories each year affect each listed sector. The huge spike in vulnerabilities affecting Critical Manufacturing stands out among all other sectors.
One of the key factors that contribute to the protection of industry sectors is when researchers take a particular interest in them, usually due to opportunities to gain money or fame such as threat bounties. The first totally ICS-focused hacking contest, the Zero Day Initiative’s Pwn2Own Miami, was started in January of 2020. Hacking contests are won by contestants who expose and exploit the most vulnerabilities, and this was the first such contest to focus entirely on industrial assets like HMIs and control servers.
While Critical Manufacturing is well in the lead, we also observed a spike in CVEs identified in 2021 ICS-CERT advisories which affect multiple sectors. We think that attackers and researchers may take more interest in these kinds of vulnerabilities in 2022 or 2023 because they can be used to affect multiple sectors at the same time. By taking advantage of just one vulnerability in this group an attacker can more conveniently disrupt different kinds of worksites in different sectors.
A Closer Look at Critical Manufacturing
We used the MITRE ATT&CK for ICS Matrix because it gives an overview of tactics with techniques classified under tactics they can be used to accomplish. In the MITRE ATT&CK system, ‘tactics’ “are the adversary’s technical goals (as enumerating every attackers’ high-level goal wouldn’t be possible) and objectives they hope to achieve with an attack technique.” ‘Techniques’, then, are the specific methods that hackers use to accomplish tactics.
This chart shows CVEs affecting Critical Manufacturing that was identified in 2021 advisories which might be used to accomplish tactics from the MITRE ATT&CK framework ease of reading. Names and definitions of tactics are directly referenced from the MITRE ATT&CK framework.
Six hundred and thirteen CVEs identified in advisories in 2021 are likely to affect Critical Manufacturing environments, 88.8% of them might be leveraged by attackers to create an Impact (to directly or indirectly cause varying degrees of disruption to ICS equipment and the environment).
For ICS environments, Impact is a critical concern that includes damage or disruption to finances, safety, human lives, the environment, and equipment. If we compare Impact on operational technology (OT) with Impact on information technology (IT), potential Impact from an IT incident is not nearly so broad and is more limited to how the attackers can affect data.
Sixty-four point four percent of those 613 CVEs can be exploited to accomplish Initial Access. This underscores that getting the door open is a major point of interest and surprisingly easy to accomplish in unsecured systems.
Additionally, vulnerabilities that can be exploited to Inhibit Response Function are quite common at 81.9%. Techniques for accomplishing this include disrupting functionalities related to safety, protection, quality control, and operator intervention. This is one commonly found way attackers can leverage a single point of failure to cause serious damage or break the whole system.
Eighty-eight point eight percent uses Impact, which can be accomplished with Critical Manufacturing-affecting CVEs identified in 2021 advisories.
it’s important to note that when IT is under attack, OT will also take collateral damage. In the Colonial Pipeline incident, their IT infrastructure was attacked by the DarkSide ransomware. Collateral damage forced them to shut down their entire pipeline operation, and the effects on their operational technology began in their IT system.
For ICS operations, Impact can have far-reaching “ripple” effects that spread outward from the point of incident.
In part three, our series wrap-up, we’ll continue to dig deeper and evaluate CVEs that affect critical manufacturing based on MITRE’s matrix. We’ll also explore common ICS-affecting vulnerabilities identified in 2021.