Key Takeaways from Published 2020 ICS Vulnerabilities

  • Consume/exhaust a device’s or software’s available resources and require a restart.
  • Create unsafe conditions where a device is unable to respond deterministically.
  • Generate a HALT or a STOP condition due to unexpected communications or commands.
  • And potentially be used to compromise the system or application via remote code exploit (RCE).
  • 5% of ICS CERT advisories affected multiple products, and 99% affected multiple versions.
  • 9% of CVEs from all ICS CERT advisories were generated alone from supply chain vulnerabilities or third-party dependencies.
  • And this is just the tip of the iceberg…

It can seem overwhelming to ICS security teams or OT engineers responsible for keeping track of all of this.

  1. Keeping track of vulnerabilities is overwhelming — in the face of nearly constant advisories, the threat of ransomware, breaches, and a continuous flood of CVEs.
  2. Expectations and actions upon the data are unclear — it’s great to be informed of risks, but how should anyone prioritize remediations? No workaround is mentioned, what should an organization do? What is a buffer overflow vs. an underflow vs. resource exhaustion? These are common questions.
  3. What you don’t know can hurt you: given the rate of growth and supply chain risks, what else is lurking under the covers of these ICS devices?

So what can you do? We recommend several actions:

  1. Ensure you have a robust inventory not only of OS-based devices and their versions but also of all the underlying application software, as well as all of your embedded devices with their corresponding firmware. These risks make up over two-thirds of the total vulnerabilities in the OT environment.
  2. Centralize the tracking of the risk. One of the most challenging parts of these OT vulnerabilities is that they often don’t all make it into a standard database. Many vendors are providing advisories that are not included in the ICS-CERT database privately to their customers. Many supply chain advisories don’t necessarily tie back to a specific OT firmware. Embedded OT devices can be spread across dozens or hundreds of locations. A centralized database and analysis capability is critical to managing these risks efficiently.
  3. Assign a centralized resource to get up to speed on ICS vulnerability management. Our “Ultimate Guide to Reading ICS Cyber Security Advisories Like a Pro” is a helpful starting point. This doesn’t necessarily require years of experience, but distributing the analysis across lots of plants or engineers is very difficult. Centralizing this and enabling a small group of people to become experts at reading these and drawing implications for OT is key to efficiently managing these risks.
  4. Aggressively pursue compensating controls. We often hear that patching is just not feasible in OT. That is true in some cases, but in many others there are practical ways to patch effectively against the most severe risks, and automated tools can help with the labor involved. We do understand that updating firmware on every embedded device can be difficult or impossible. Operators can apply a range of compensating controls that address the risks at least partially; we provide a full list in our longer whitepaper. In short, robust patch management on the HMI/server layer, combined with improved configuration management and user/account management of the OS and embedded devices and strong network protection, delivers greater security until the upgrade cycle brings the necessary updates.
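The four steps above (inventory including firmware, a central risk store fed from ICS-CERT, private vendor and third-party advisories, a small group doing the analysis, and patch-or-compensate decisions) can be tied together in a small tool. The script below is an added example, not code from the article or from Verve; every asset, version, advisory id and CVSS score in it is a constructed placeholder, and the version-range rule ("affected if strictly below the fixed version, per product") is an assumption about how an advisory would be recorded. It matches an inventory against advisories that cover several products and several versions at once, then sorts the findings by severity and proposes "patch" for the HMI/server layer or a compensating control for embedded devices.

```python
"""Match an OT asset inventory against a centralized advisory store (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    asset_id: str
    site: str
    vendor: str
    product: str
    version: str   # firmware (embedded) or application (HMI/server) version
    layer: str     # "embedded" or "hmi_server"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder id, not a real advisory
    vendor: str
    fixed_in: dict     # product -> first fixed version; one advisory, many products
    cvss: float
    source: str        # "ics-cert", "vendor-private" or "third-party" (supply chain)
    workaround: Optional[str] = None


@dataclass(frozen=True)
class Finding:
    asset: Asset
    advisory: Advisory
    action: str


def parse_version(v: str) -> tuple:
    """'2.4.0b' -> (2, 4, 0): compare numerically, never as strings ('1.10' > '1.9')."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True when a < b; pad with zeros so '1.1' and '1.1.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    fixed = adv.fixed_in.get(asset.product)
    return (fixed is not None
            and asset.vendor.casefold() == adv.vendor.casefold()
            and version_lt(asset.version, fixed))


def recommend_action(asset: Asset, adv: Advisory) -> str:
    """HMI/server layer gets patched; embedded devices get a compensating control."""
    if asset.layer == "hmi_server":
        return "patch"
    if adv.workaround:
        return "compensating-control: " + adv.workaround
    return "compensating-control: network segmentation + config/account hardening"


def match_inventory(assets, advisories) -> list:
    findings = [Finding(a, adv, recommend_action(a, adv))
                for a in assets for adv in advisories if is_affected(a, adv)]
    # Highest CVSS first, then by site and asset so the list is stable and reviewable.
    findings.sort(key=lambda f: (-f.advisory.cvss, f.asset.site, f.asset.asset_id))
    return findings


def summarize(findings) -> dict:
    """Counts per advisory source and per site, the view a central team reports from."""
    by_source, by_site = {}, {}
    for f in findings:
        by_source[f.advisory.source] = by_source.get(f.advisory.source, 0) + 1
        by_site[f.asset.site] = by_site.get(f.asset.site, 0) + 1
    return {"total": len(findings), "by_source": by_source, "by_site": by_site}


# Constructed sample inventory and advisories (placeholders, not real products or ids).
ASSETS = [
    Asset("PLC-01", "plant-a", "ExampleVendor", "PLC-X", "2.3.1", "embedded"),
    Asset("PLC-02", "plant-b", "ExampleVendor", "PLC-X", "2.4.0", "embedded"),
    Asset("RTU-07", "plant-b", "ExampleVendor", "RTU-Y", "1.0.9", "embedded"),
    Asset("HMI-01", "plant-a", "ExampleVendor", "HMI-Suite", "5.1", "hmi_server"),
    Asset("HMI-02", "plant-b", "OtherVendor", "Viewer", "3.0", "hmi_server"),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "ExampleVendor", {"PLC-X": "2.4.0", "RTU-Y": "1.1"},
             7.5, "ics-cert", "Block write commands at the cell firewall"),
    Advisory("ADV-EXAMPLE-002", "ExampleVendor", {"HMI-Suite": "5.2"}, 9.8, "vendor-private"),
    Advisory("ADV-EXAMPLE-003", "ExampleVendor", {"RTU-Y": "1.0.10"}, 5.3, "third-party"),
]

if __name__ == "__main__":
    for f in match_inventory(ASSETS, ADVISORIES):
        print(f"{f.advisory.cvss:>4} {f.advisory.advisory_id} {f.asset.site}/{f.asset.asset_id} "
              f"({f.asset.product} {f.asset.version}) -> {f.action}")
    print(summarize(match_inventory(ASSETS, ADVISORIES)))
```

Two details carry the article's points: `fixed_in` is a per-product map, because an advisory that names two products rarely fixes both at the same version number, and `source` is kept on every finding so the summary shows how much of the exposure came from private vendor notices or third-party components that never reached the public ICS-CERT feed.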

Verve Industrial Protection

Verve's mission is to protect the world's critical infrastructure. Learn more at verveindustrial.com