Operational technology (OT) is facing increased scrutiny from the security research community—as well as from threat actors—in a race to find and fix vulnerabilities before they're exploited, and the safety and reliability of critical systems is put to the test.
To that end, I'm excited to share that the Claroty Research Team recently concluded an in-depth analysis of industrial control system (ICS) vulnerabilities disclosed and patched during the first half of the year. The results identify some trends of note to OT security practitioners and technology providers, and provide context to the risks faced by OT networks. They were published today in the inaugural Claroty Biannual ICS Risk & Vulnerability Report.
As a member of the Claroty Research Team and primary author of this report, I recognize the considerable challenges posed by ICS vulnerabilities and am proud to have supported research that aims to further illuminate these challenges and their implications for practitioners, vendors, and other researchers.
"There is a heightened awareness of the risks posed by ICS vulnerabilities and a sharpened focus among researchers and vendors to identify and remediate these vulnerabilities as effectively and efficiently as possible," said Amir Preminger, VP of Research at Claroty, who also contributed to the report.
The dataset making up our research included the 365 vulnerabilities in ICS products sold by 53 vendors published during the first half of the year by the National Vulnerability Database (NVD). We also examined 139 advisories published by the Industrial Control System Computer Emergency Response Team (ICS-CERT). More than 70% of those flaws are exploitable remotely over the network, reinforcing the notion that air-gapped OT networks are uncommon and these networks are no longer isolated from cybersecurity threats.
Compounding the risk posed by remotely exploitable vulnerabilities is the rapidly rising number of remote workers. OT operators have not been spared this phenomenon during the COVID-19 pandemic, and are connecting remotely to ICS networks at an unprecedented rate. This dynamic, in parallel with the rise in remotely exploitable bugs, should enhance the focus on OT vulnerabilities.
Our team this year, meanwhile, has disclosed 26 vulnerabilities that have been patched by vendors, largely those with massive install bases and that are important providers within industrial operations. Security flaws in engineering workstations and programmable logic controllers (PLCs) make up the majority of vulnerable product types that we discovered. Not only are engineering workstations and PLCs critical to industrial operations, but they are also appealing targets for adversaries.
Engineering workstations, for example, often connect to IT networks, and a successful exploit against vulnerable workstations give attackers an initial network foothold. PLCs, meanwhile, largely control physical processes within OT networks, and attacks against those units can affect the reliability of plant processes, for example.
Among the 26 vulnerabilities found by Claroty, more than 60% enable remote code execution against OT networks. Others allow for denial-of-service attacks, or power-over-ethernet attacks.
In all, there was a 10.3% year-over-year increase in vulnerabilities published by the NVD during the first half of the year compared to 2019; three-quarters of these vulnerabilities were assigned critical or high-severity ratings. There was also a 32.4% increase in the number of ICS-CERT advisories published so far this year compared to last year; third-party researchers accounted for more than 71% of ICS-CERT advisories attesting to their critical role in vetting ICS device security.
Today's report also enumerates the ICS vendors and products mentioned in NVD and ICS-CERT advisories, and breaks them down by critical industry and the impact of the respective vulnerabilities on each industry.
Claroty's Chief Product Officer, Grant Geyer, will also be providing a deeper look at the report's findings during a live webinar and Q&A session on August 27th. Register Here.
CWE-257: Storing Passwords in a Recoverable Format
RND encrypts passwords with a hardcoded weak secret key and returns the passwords in plaintext. If the server were compromised, an attacker could gain all the plaintext passwords and decrypt them.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 5.3
CWE-321: Use of Hard-coded Cryptographic Key
A built-in user called sshuser, with root privileges, exists on the RND platform. Both public and private ssh keys exist in the sshuser home directory. Anyone with the private key can access an RND server as sshuser.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 10.0
CWE-259: Use of Hard-coded Password
RND includes a jailed environment to allow users to configure devices without complete shell access to the underlying operating system. The jailed environment includes a built-in jailbreak for technicians to elevate privileges. The jailbreak requires a weak password that is hardcoded into the environment. Anyone with this password can access an RND server with root permissions.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 8.2
CWE-321: Use of Hard-coded Cryptographic Key
RND uses a secret key on the backend web server to ensure that session JWTs are valid. This secret key is hardcoded into the web server. Anyone with knowledge of the secret key could create a valid JWT, thus bypassing the typical authentication to access the server with administrator privileges.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.8
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
An authenticated vSZ user supplies an IP address as an argument to be run in an OS command, but this IP address is not sanitized. A user could supply other commands instead of an IP address to achieve RCE.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.0
