70 percent of ICS vulnerabilities can be exploited remotely
A new Biannual ICS Risk and Vulnerability Report, released today by , reveals that more than 70 percent of industrial control system (ICS) vulnerabilities disclosed in the first half of 2020 can be exploited remotely.
Earlier this week we looked at how even if they're air-gapped, but this report highlights the importance of protecting internet-facing ICS devices and remote access connections.
The most common potential impact is remote code execution (RCE), possible with 49 percent of vulnerabilities -- reflecting its prominence as the leading area of focus within the OT security research community -- followed by the ability to read application data (41 percent), cause denial of service (39 percent), and bypass protection mechanisms (37 percent). The prominence of remote exploitation has been boosted by the rapid global shift to a remote workforce and the increased reliance on remote access to ICS networks in response to the COVID-19 pandemic.
Amir Preminger, VP of research at Claroty says:
Industrial control systems, which are used to run the majority of the world's critical infrastructure, were originally built for a very different world with different priorities. They weren't connected to the internet and therefore weren't designed to be patched or updated. Nevertheless, today we have a totally different story. With digitalisation, ICS are rapidly being connected to modern IT networks, exposing them to all the risks the IT world faces but often without the same focus on cyber security.
Downtime in critical infrastructure can be catastrophic and even has the potential to lead to loss of human life, so if a threat actor wanted to cause real damage, ICS networks are a valuable target.
The energy, critical manufacturing, and water and wastewater infrastructure sectors were by far the most impacted by vulnerabilities published in ICS-CERT advisories during the first half of 2020. Of the 385 unique Common Vulnerabilities and Exposures (CVEs) included in the advisories, energy had 236, critical manufacturing had 197, and water & wastewater had 171.
"If not properly protected, internet-facing ICS devices can provide a pathway into OT networks and the vital industrial processes they underpin," adds Preminger. "Adversaries have multiple open-source, legitimate, internet-scanning services -- such as Shodan.io and Censys.io -- at their disposal to help them identify web-based human machine interfaces (HMIs) and other ICS devices. In many cases, these devices are not password-protected, granting adversaries immediate, unfettered access."
You can get the full report, including tips on keeping ICS systems secure, from the .