The number of industrial control system (ICS) vulnerabilities disclosed in 2020 increased nearly 25 percent compared to 2019, due largely to the heightened awareness of the risks posed by ICS vulnerabilities and increased focus from researchers and vendors on identifying and remediating the code flaws.
A new research report released Thursday by Claroty said that vendors and industrial organizations must come to grips with these trends and act upon bug reports because the attacks and vulnerabilities will not abate.
Vulnerabilities in ICS products disclosed during the second half of 2020 are most prevalent in the manufacturing, energy, water and wastewater, and commercial facilities industries – all of which are designated as critical infrastructure sectors.
Claroty recorded 449 vulnerabilities that were disclosed and fixed during the second half of last year alone. Coupled with the 365 it reported for 1H 2020, we’re closing in on 1,000 annual vulnerabilities – a threshold the industry will likely eclipse this year.
Here are some of the highlights of this year’s report:
- 71.5 percent of the vulnerabilities are exploited through a network attack vector (i.e. remotely exploitable).
- 90 percent don’t require special conditions to exploit, and an attacker can expect repeatable success every time.
- In 76.4 percent of the cases, the attackers are unauthenticated prior to attack and don’t require any access or privileges to the target’s settings or files.
- If exploited successfully, 66 percent of the vulnerabilities can cause total loss of availability.
Right now, many of the vulnerabilities disclosed in 2H 2020 are confined to leading vendors such as Schneider Electric, Siemens, and Mitsubishi. These vendors have an abundance of equipment running inside industrial companies that is available for analysis, and because they’re market leaders, they receive an abundance of attention from researchers and black hats alike.
Claroty compared this to the early days of IT security, when Microsoft was under constant pressure from customers and security companies to lock down its products and install a secure development lifecycle. Windows was, and remains, the dominant desktop operating system, which drew relentless attacks by threat actors and then numerous discoveries of vulnerabilities by researchers, resulting ultimately in Patch Tuesday in October 2003. Other tech giants, such as Adobe, Apple and Oracle, followed that model and over the years instituted their own regular cycles for security updates.