ALPS blog

An In-Depth Look at ICS Vulnerabilities Part 3

Part two of the series explored the sectors affected by CVEs identified, especially during 2021. We found that the critical manufacturing sector is the most affected.

In this final entry, we further explore CVEs that affect critical manufacturing. We also discuss common ICS-affecting vulnerabilities identified in 2021.

Figure 1. CVEs Affecting Critical Manufacturing by MITRE Impact

This chart shows what percentage of CVEs affecting Critical Manufacturing could potentially be used by attackers to cause each of these Impacts. Descriptions of the techniques used to accomplish each Impact are taken from MITRE ATT&CK for ICS.

Fifty-nine percent of Critical Manufacturing was affected through Damage of Property, when attackers attempt to damage or destroy “property, infrastructure, equipment, or the surrounding environment”. Meanwhile, 63.4% experienced Denial of Control, when attackers “temporarily prevent operators and engineers from interacting with process controls”.

Additionally, Loss of Availability and Loss of Control affected 58.3% and 33.4%, respectively. Fifty-nine percent also experienced Loss of Productivity and Revenue, while 2.3% were affected by Loss of Protection.

Loss of Safety affected 0.5%; this is when attackers attempt to “compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur”.

Lastly, 54.7% experienced Loss of View, when attackers attempt to “cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention”.

Denial of View (75.4%) is by far the most accessible impact for attackers targeting critical manufacturing. This is because all that is needed to accomplish it is interfering with communication between devices, denying service on the HMI side, or disrupting SCADA.

Figure 2. CVEs Affecting Critical Manufacturing by Initial Access

Internet-accessible devices and transient cyber assets are tied as the most common Initial Access points, both at 41.7%.

Exploiting public-facing applications comes in at 12.8%. This is when attackers use internet-facing software, such as HMI or SCADA web applications, network services, or asset operating systems as the starting point for their attack.

Moreover, wireless compromises (3%), remote services (0.6%), and exploitation of remote services (0.2%) came in lowest. This should not be taken as an indication that the related attack surfaces do not need to be secured.


Figure 3. CVEs Affecting Critical Manufacturing by Timeline Gap Between Publishing by ICS-CERT and NVD

This chart shows the time gap for 2021 CVEs affecting Critical Manufacturing being published on ICS-CERT and being published on the National Vulnerability Database (NVD).

Eleven point four percent of CVEs affecting Critical Manufacturing took more than three months to be published on NVD after being listed on ICS-CERT, and a further 11.1% took over a year. It is important to note, however, that the status of 20.2% of CVEs affecting Critical Manufacturing is unclear: while they have been posted on ICS-CERT, it is not yet known whether NVD has received any information on them or when NVD might release such information.

Sharing information can take varying amounts of time because there are many groups authorized to assign CVE IDs to vulnerabilities and publish CVE records.

In the prevention of supply chain attacks, the information provided by NVD is critical. By comparing the CPE information provided by NVD against an SBOM, cyber defenders can rapidly identify products that are potentially at risk. Delays or a lack of clarity in this system create additional hurdles for cybersecurity specialists defending ICS environments.
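The SBOM-to-CPE comparison described above, as an added example that is not code from the original post: it takes NVD-style `cpeMatch` entries (the `criteria`, `vulnerable` and `versionStart/EndIncluding/Excluding` fields of the NVD API 2.0 JSON) and flags SBOM components whose vendor, product and version fall inside an applicability range. All vendor and product names and the CVE ids are constructed placeholders.

```python
import re

def parse_cpe23(cpe):
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 string: " + cpe)
    return parts[3], parts[4], parts[5]

def version_key(v):
    """Numeric tuple so that 3.10.2 sorts after 3.9.0 (non-numeric parts count as 0)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))

def cpe_match_applies(component, match):
    """Apply one NVD cpeMatch entry (criteria plus optional version range) to an SBOM component."""
    vendor, product, version = parse_cpe23(match["criteria"])
    if (vendor, product) != (component["vendor"].lower(), component["product"].lower()):
        return False
    if version not in ("*", "-"):              # exact version carried in the CPE itself
        return version_key(version) == version_key(component["version"])
    v = version_key(component["version"])      # wildcard version: apply the range fields
    checks = [("versionStartIncluding", lambda a, b: a >= b),
              ("versionStartExcluding", lambda a, b: a > b),
              ("versionEndIncluding", lambda a, b: a <= b),
              ("versionEndExcluding", lambda a, b: a < b)]
    return all(ok(v, version_key(match[k])) for k, ok in checks if k in match)

def affected_components(sbom, cves):
    """Map each SBOM component name to the CVE ids whose vulnerable cpeMatch entries apply."""
    hits = {}
    for comp in sbom:
        for cve in cves:
            if any(m["vulnerable"] and cpe_match_applies(comp, m) for m in cve["cpeMatch"]):
                hits.setdefault(comp["name"], []).append(cve["id"])
    return hits

# Constructed SBOM components and NVD-style CVE configurations (placeholders, not real products)
SBOM = [
    {"name": "plc-runtime", "vendor": "ExampleVendor", "product": "plc_runtime", "version": "3.5.2"},
    {"name": "hmi-web",     "vendor": "ExampleVendor", "product": "hmi_web",     "version": "2.0.0"},
    {"name": "eng-ws-tool", "vendor": "OtherVendor",   "product": "eng_tool",    "version": "1.4"},
]
CVES = [
    {"id": "CVE-0000-0001", "cpeMatch": [{"vulnerable": True,
        "criteria": "cpe:2.3:a:examplevendor:plc_runtime:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.5.3"}]},
    {"id": "CVE-0000-0002", "cpeMatch": [{"vulnerable": True,
        "criteria": "cpe:2.3:a:examplevendor:hmi_web:1.9.0:*:*:*:*:*:*:*"}]},
]

if __name__ == "__main__":
    print(affected_components(SBOM, CVES))   # only plc-runtime 3.5.2 falls below the 3.5.3 fix
```

Real CPE strings may also carry `update`, `edition` and `target_hw` components beyond the version field; those are ignored here, so a production matcher should compare them too before raising an alert.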

Figure 4. Critical Manufacturing Assets Organized by Purdue Level and Severity of Related CVEs

Within Critical Manufacturing-affecting CVEs, the most-affected assets are engineering workstations, network devices, and management servers.

Engineering workstations are usually high-end, very reliable computing platforms designed for configuration, maintenance, and diagnostics of control system applications and equipment.

The network device category includes routers and switches, which are deployed at all levels of the Purdue model. In particular, misconfigured devices may become a point for attackers to gain access into any level of the industrial environment.

Management servers are usually highly centralized assets where a lot of information and computation are handled.

Figure 5. All ICS-Affecting CVEs for 2021 Ranked by Related Common Weakness Enumeration (CWE) Classification

This chart shows what percentage of ICS-affecting vulnerabilities identified by 2021 advisories is caused by each kind of weakness, that is, “flaws, faults, bugs, or other errors” in code.

Nine percent was caused by CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer, while CWE-787 Out-of-Bounds Write affected 8.3%.

Additionally, 6.7% was caused by CWE-20 Improper Input Validation and 4.8% was due to CWE-79 Improper Neutralization of Input During Web Page Generation.

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor affected 4.7%. CWE-125 Out-of-Bounds Read also affected 4.7%, while other weaknesses amounted to 61.9%.

These CWE statistics show that many ICS vulnerabilities are related to or result from insecure coding. This reflects that vendors or programmers are not comprehensively checking their code before its release, and this will represent a challenge going forward.

From the development side, the steadily climbing and sometimes rapidly increasing numbers of vulnerabilities and the pattern of weakness prevalence from year to year suggest to our researchers that trends in developer security have not changed much over time.

Our analysis of CVEs identified in ICS-CERT advisories as affecting ICS environments shows that larger and larger numbers of these vulnerabilities are discovered every year.

The fast-increasing number of vulnerabilities that can be used to attack work sites has created challenges for the current methods of tracking and addressing emergent vulnerabilities. This is further complicated by issues such as the unpredictable timeline for information availability: organizations cannot rely on vendors, researchers, or any one organization to keep work environments safe from threats.

Cybercriminals can cause major damage and loss by compromising ICS operations. This can lead to shutdowns, equipment damage, and health and safety risks. ICS attacks can also result in loss of financial assets, reputation, intellectual property, and competitive advantage.

With Trend Micro, you have visibility into threats affecting ICS/OT through IT and CT, plus enhanced detection and response.

To learn more about our ICS cybersecurity solutions, click here.
