Dragos ICS/OT Cybersecurity Year in Review 2022 report covers state-sponsored attacks, ransomware, and vulnerabilities.
The post 2022 ICS Attacks: Fewer-Than-Expected on US Energy Sector, But Ransomware Surged appeared first on SecurityWeek.
The number of vulnerabilities discovered in industrial control systems (ICS) continues to increase, and many of them have a ‘critical’ or ‘high’ severity rating, according to a new report from industrial cybersecurity firm SynSaber.
The report compares the number of ICS and ICS medical advisories published by CISA between 2020 and 2022. While the number of advisories was roughly the same in 2021 and 2022, at 350, the number of vulnerabilities discovered last year reached 1,342, compared to 1,191 in the previous year.
The number of vulnerabilities rated ‘critical’ has increased even more significantly, from 186 in 2021 to nearly 300 in 2022. In total, nearly 1,000 vulnerabilities are ‘critical’ or ‘high severity’ based on their CVSS score.

While CVSS scores can be misleading in the case of ICS flaws and should not be used on their own to prioritize patching, they can still be useful for ranking issues that meet an organization’s applicability criteria.
SynSaber’s report shows that Siemens stands out when it comes to ICS vulnerability volume. Not only do many of the security holes discovered in 2022 impact Siemens products, but the German industrial giant is also responsible for self-reporting the highest number of vulnerabilities, far more than any other vendor.
Siemens’ product security team reported 544 vulnerabilities in 2022, up from 230 in the previous year. The second-highest vendor is Hitachi, with 64 bugs.
“The team at Siemens product security continues to increase its reporting cadence with significant year-over-year growth of nearly 3x. While this does inflate the number of known CVEs that affect Siemens product lines compared to others, this should not be viewed as Siemens products being less secure. On the contrary, a mature and repeatable OEM self-reporting process is something all other OEMs should strive to achieve,” SynSaber noted.
Siemens typically addresses dozens of vulnerabilities every month, but many affect third-party components used by the company’s products.
While the number of vulnerabilities discovered last year is high, nearly one-third require user interaction for successful exploitation and roughly one-quarter require local or physical access to the targeted system. It’s worth noting, however, that the percentage of flaws requiring user interaction and local access has decreased compared to 2021.
Looking at the data for the past three years, one worrying aspect is that the number of ‘forever-day vulnerabilities’ — these are flaws that will likely never get patches — increased to 28% in 2022, up from 14% in 2021.
ICS vulnerabilities can impact software, firmware or protocols. The percentage of issues found in each of these categories has been fairly constant in 2020-2022, with software accounting for 56%, firmware for 36% and protocols for 8%, on average over the three years.
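The applicability-first triage described above (filter on what is actually deployed, then use CVSS only to rank what remains) and the report’s breakdown by user interaction, local/physical access and forever-day status, as an added example that is not code from SynSaber or SecurityWeek. The advisory records, the asset inventory and the vendor/product names are constructed sample data; the CVSS vector metrics (AV, UI) are standard CVSS v3.1 fields.

```powershell
# Added example: applicability filtering before CVSS ranking for ICS advisories.
# All advisory records below are constructed samples, not real CISA advisories.
$advisories = @(
    [pscustomobject]@{ Id='SAMPLE-001'; Vendor='Siemens'; Product='SampleHMI';   Cvss=9.8; Vector='CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'; FixAvailable=$true  },
    [pscustomobject]@{ Id='SAMPLE-002'; Vendor='Siemens'; Product='SampleTool';  Cvss=8.8; Vector='CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'; FixAvailable=$true  },
    [pscustomobject]@{ Id='SAMPLE-003'; Vendor='Hitachi'; Product='SampleRelay'; Cvss=7.8; Vector='CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'; FixAvailable=$false },
    [pscustomobject]@{ Id='SAMPLE-004'; Vendor='VendorX'; Product='NotDeployed'; Cvss=9.1; Vector='CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'; FixAvailable=$true  },
    [pscustomobject]@{ Id='SAMPLE-005'; Vendor='Siemens'; Product='SamplePLC';   Cvss=6.8; Vector='CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'; FixAvailable=$false }
)

# Constructed asset inventory: vendor -> products the organization actually runs.
$inventory = @{ 'Siemens' = @('SampleHMI', 'SampleTool', 'SamplePLC'); 'Hitachi' = @('SampleRelay') }

function ConvertFrom-CvssVector {
    param([Parameter(Mandatory)][string]$Vector)
    # Turn "CVSS:3.1/AV:N/AC:L/..." into a hashtable of metric -> value.
    $metrics = @{}
    foreach ($part in ($Vector -split '/')) {
        if ($part -like 'CVSS:*') { continue }
        $key, $val = $part -split ':'
        $metrics[$key] = $val
    }
    return $metrics
}

function Get-IcsTriage {
    param($Advisories, $Inventory)
    foreach ($a in $Advisories) {
        $m = ConvertFrom-CvssVector -Vector $a.Vector
        $deployed = $Inventory.ContainsKey($a.Vendor) -and ($Inventory[$a.Vendor] -contains $a.Product)
        [pscustomobject]@{
            Id               = $a.Id
            Cvss             = $a.Cvss
            Deployed         = $deployed
            NeedsUserAction  = ($m['UI'] -eq 'R')          # the report's "requires user interaction"
            NeedsLocalAccess = ($m['AV'] -in 'L', 'P')      # the report's "local or physical access"
            ForeverDay       = -not $a.FixAvailable         # no patch expected
        }
    }
}

$triage = @(Get-IcsTriage -Advisories $advisories -Inventory $inventory)

# Report-style breakdown over the whole advisory set (the percentages the article discusses).
$total = $triage.Count
'{0} advisories: {1:P0} need user interaction, {2:P0} need local/physical access, {3:P0} forever-day' -f $total,
    (@($triage | Where-Object NeedsUserAction).Count / $total),
    (@($triage | Where-Object NeedsLocalAccess).Count / $total),
    (@($triage | Where-Object ForeverDay).Count / $total)

# Patch queue: applicability first (deployed and a fix exists), then remote/no-interaction
# issues ahead of the rest, with CVSS only as the final tiebreaker.
$triage | Where-Object { $_.Deployed -and -not $_.ForeverDay } |
    Sort-Object -Property @{Expression='NeedsLocalAccess'}, @{Expression='NeedsUserAction'}, @{Expression='Cvss'; Descending=$true} |
    Format-Table Id, Cvss, NeedsUserAction, NeedsLocalAccess -AutoSize

# Forever-day issues on deployed assets get a compensating-control task, not a patch ticket.
$triage | Where-Object { $_.Deployed -and $_.ForeverDay } | Format-Table Id, Cvss, NeedsLocalAccess -AutoSize
```

With the sample data, SAMPLE-004 drops out because it is not in the inventory, SAMPLE-001 outranks SAMPLE-002 despite similar scores because it needs no user interaction, and SAMPLE-003 and SAMPLE-005 land in the compensating-control list.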
Related: 2023 ICS Patch Tuesday Debuts With 12 Security Advisories From Siemens, Schneider
Related: SynSaber Launches Palm-Sized Threat Sensor for OT Environments
The post Siemens Drives Rise in ICS Vulnerabilities Discovered in 2022: Report appeared first on SecurityWeek.
The Siemens Automation License Manager is affected by two serious vulnerabilities that could be chained to hack industrial control systems (ICS), according to industrial cybersecurity firm Otorio.
On January 10, Siemens released its first round of Patch Tuesday updates for 2023, addressing a total of 20 vulnerabilities affecting the company’s products.
One of the six advisories published at the time describes two high-severity security holes discovered by a researcher from Otorio in the Siemens Automation License Manager (ALM), which is designed for centrally managing license keys for Siemens software.
One of the flaws, tracked as CVE-2022-43513, can allow a remote, unauthenticated attacker to rename and move license files as a System user.
The second issue, CVE-2022-43514, allows a remote, unauthenticated attacker to execute operations on files outside the specified root folder. Chaining the two vulnerabilities can lead to remote code execution, Siemens said.
In a blog post published on Tuesday, Otorio explained that most of Siemens’ software products use the ALM by default for license management. This means the vulnerabilities impact organizations that use one of many Siemens products, including the Simatic PCS 7 historian, the Sicam Device Manager, WinCC, TIA Portal, and the DIGSI engineering tool.
According to Otorio, an attacker who has gained access to the targeted organization’s operational technology (OT) network, even with limited permissions, could exploit the vulnerabilities to fully compromise the OT network.
“For example, the PCS 7 Historian, which is used as a repository for industrial process data, can be used as a ‘bridge’ for an attacker to propagate from the corporate network into the OT network. Once an attacker breaches the Historian server, one can potentially gain access to engineering, control, and monitoring systems,” explained Eran Jacob, research team leader at Otorio.
“An attack could take place not only from the enterprise network. For example, any compromised station with minimal privileges in the network, such as a thin client computer that has access to one of the Siemens servers, could lead to a full compromise of the network,” Jacob added.
Siemens has released an update that should fix the flaws in ALM 6, but the company currently does not plan on releasing a patch for version 5. Workarounds and mitigations are also available.
Related: Cybersecurity Experts Cast Doubt on Hackers’ ICS Ransomware Claims
Related: InHand Industrial Router Vulnerabilities Expose Internal OT Networks to Attacks
Related: Unpatchable Hardware Vulnerability Allows Hacking of Siemens PLCs
The post Siemens License Manager Vulnerabilities Allow ICS Hacking appeared first on SecurityWeek.
About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

SecurityWeek Cyber Insights 2023 | ICS and Operational Technology – Recognition of the cyber threat to industrial control systems (ICS) and operational technology (OT) systems has grown over the last decade. Until recently, this has been largely a theoretical threat founded on the danger of what could happen rather than what is happening. This is changing, and the threat to ICS/OT is now real and ongoing. The bigger danger is that this is likely to increase in 2023 and onward.
There are several reasons, including geopolitical fallout and escalation of tensions from the Russia/Ukraine war, and a growing willingness of criminals to target the ICS of critical industries. At the same time, ICS/OT is facing an expanding attack surface caused by continuing business digitization, an explosion of IoT and IIoT devices, the coming together of IT and OT networks, and the use of potentially insecure open source software libraries to bind it all together.
One of the biggest threats to OT comes from its convergence with IT. When the networks were separate, OT could be isolated from the internet and kept relatively secure. This is no longer the case.
“As IT and OT systems continue to converge,” comments Simon Chassar, CRO at Claroty, “nation-state actors and cybercriminal groups such as Berserk Bear, Conti, Lazarus and Mythic Leopard, will shift their focus from IT to OT and cyber-physical systems; from stealing sensitive data to disrupting mission-critical operations.”
For all its benefits, IT/OT convergence without proper security means threat actors can take down operations by exploiting an IT access point or a cloud vector. “This yields maximum financial or political gain for the attacker,” continued Chassar, “because businesses have more incentive to pay a ransom when their means of production are at stake, which can have a long-term impact on revenue and the supply chain.”

Ramsey Hajj, Deloitte’s US and global cyber OT leader, expands on this theme. “Cyber attackers are increasingly weaponizing OT environments to attack hardware and software that control industrial processes and secure OT networks. Skilled workforce shortages and overlapping IT and OT environments can make cyber incident containment difficult.”
Supply chain attacks cannot be ignored, either on the IT side or directly against OT. “Supply chain attacks continue to evolve for both ICS hardware and software,” comments Pascal Ackerman, senior security consultant for operational technology at GuidePoint Security. “Think implants for controls and automation equipment, attack chains that involve suppliers and service providers to ICS owners as an initial foothold or pivot point, and compromises on controls and automation vendors’ file repositories with the purpose of adding implants in the provided software.”
Learn More at SecurityWeek’s ICS Cyber Security Conference: the leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS, PLC and field controller cybersecurity. October 23-26, 2023 | Atlanta | www.icscybersecurityconference.com
“One of the biggest concerns around the potential for large-scale attacks in the wake of the war in Ukraine is around ICS/OT,” says Christopher Budd, senior manager of threat research at Sophos. “While we haven’t yet seen attacks on a scale as feared, there have been documented attacks like this in Ukraine as part of the ongoing hostilities.”
He suspects this will focus both government and industry on strengthening the security of ICS/OT systems, even if it’s done quietly. This may already be evident in the new Cross-Sector Cybersecurity Performance Goals (CPGs) issued by CISA in late October 2022. Claroty describes them as, “a foundational set of IT and OT practices and recommendations that can help smaller, lesser-resourced organizations better prioritize cybersecurity efforts and reduce risk.”
Claroty highlights four OT recommendations in the CPGs. There should be a single leader responsible for OT asset cybersecurity; there should be specialized OT-focused cybersecurity training for OT engineers; there should be compensating controls such as network segmentation and access controls used as mitigations until software patches and firmware updates can be applied; and there should be unique credentials for assets, use of MFA, and the removal of default passwords.
We can expect that government agencies will, and private industry should, work on conforming to CISA’s CPGs during and from 2023.

Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, expects further assistance from CISA in 2023. “2023 will usher in the fruits of new CISA programs further building mechanisms for enhanced trust and verification – CyberSentry and RedEye for example – which will broaden the aperture for understanding OT and ICS incidents.”
One less-obvious effect of global geopolitical tensions will be a deterioration in international law enforcement cooperation. “Besides the growth of hacktivist activity ‘working’ to internal and external political agendas,” suggests Kaspersky, “we might also see more ransomware attacks on critical infrastructure due to the fact that it will become harder to prosecute such attacks.”
Chassar is more direct. “There is going to be an increase in the number of threats from nation-state actors, as well as groups that are associated with nation-states in 2023,” he says. “Their activity targeting the critical infrastructure industry, from manufacturing to water and energy, will continue to grow, fueled by ongoing global geopolitical conflicts such as the Russia/Ukraine war, as well as the current economic climate.”
The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while cybercriminals have had their restraints reduced.
“There are now more known vulnerabilities impacting IoT devices than IT devices,” says Bud Broomhead, CEO at Viakoo, “and IoT devices are often the easiest for cybercriminals to access.” IoT and IIoT are a massive and expanding part of the ICS/OT attack surface, providing an entry point and enabling lateral movement.
“Breached IoT devices are having devastating impacts,” he continued, “such as ransomware, data loss, changing the chemical balance in a municipal water supply, replacing real camera footage with deepfakes, or disrupting transportation systems.”
The scale (sometimes up to 20x more than IT devices) and the physical location (widely distributed rather than focused within data centers), together with the growing use of vulnerable open source software libraries, make vulnerability remediation difficult.
Broomhead believes the shift to open source software presents the most immediate threat. “The dangers open source vulnerabilities present are that they require multiple vendors to provide patches, they are often found in OT and IoT devices that are hard to remediate, and they can be exploited many years after they were discovered.”
Wendy Frank, Deloitte’s US cyber IoT leader, believes part of the threat comes from a lack of adequate security governance covering the implementation of IoT, IIoT, OT and ICS devices. As their number grows, so the expanded attack surface creates more security, data, and privacy risks.
“Leading organizations,” she says, “will focus in the year ahead on connected-device cyber practices by establishing or updating related policies and procedures, updating inventories of their IoT-connected devices, monitoring and patching devices, honing both device procurement and disposal practices with security in mind, correlating IoT and IT networks, and monitoring connected devices more closely to further secure those endpoints, manage vulnerabilities, and respond to incidents.”

“Ransomware remains the most likely threat to cause disruption in industrial infrastructure environments in 2023,” states Thomas Winston, director of intelligence content at Dragos. “Based on our visibility of ransomware events, manufacturing organizations remain the most frequent target with 70% of observed ransomware events, year-to-date [ie, 2022], continuing to target primarily manufacturing.”
Ackerman sees ransomware beginning to target OT specifically. He expects to see: “Ransomware targeting the industrial environment – in contrast to ransomware on the IT side accidentally compromising the OT space – with attacks on virtualization stacks (VMware), data repositories (Historian), controls equipment like PLCs, and controls project repositories (file shares).”
This will be exacerbated in part by native code execution on PLCs, in which an attacker adds arbitrary code to the PLC’s operating system, paving the way for ransomware and rootkits running on the PLC itself.
Winston is particularly concerned for those organizations without adequate segmentation between IT and OT, but notes that “Ransomware rarely uses novel methods – making the application of key elements of a defensible ICS/OT architecture particularly effective.”
He recommends the five critical controls outlined by SANS in October 2022: implementation of an ICS-specific incident response plan; development of a defensible architecture [perhaps in conjunction with an attack surface management plan]; ICS network visibility and monitoring; secure remote access; and a risk-based vulnerability management program.
Beyond ransomware, Winston is concerned about the evolution of Pipedream (also known as Incontroller). “Pipedream is an existential threat to the ICS community. This toolset is likely being actively developed and financed,” he said.
“It is already capable of disruption across industries, including CrashOverride-style disruption, pipeline disruption, and servo manipulation. We’ve confirmed that Pipedream, with little development effort, can target devices speaking the ubiquitous CODESYSv3 and OPC UA protocols. It can manipulate servos in the 1S-Series of Omron Servo drives.” While it cannot target Omron Safety Controllers, he believes this is undoubtedly the next step in its development.
Ian Pratt, global head of security for personal systems at HP Inc, sees an increase in session hijacking in 2023. “Increased use of features like Windows Defender Credential Guard are forcing attackers to pivot – either capturing users’ passwords to enable lateral movement, or hijacking the remote session itself to access sensitive data and systems. The latter is particularly powerful.”
By targeting users with elevated rights, the attacks are more potent, harder to detect, and more difficult to remove. “The user is typically unaware that anything has happened. It takes just milliseconds to inject key sequences and issue commands that create a backdoor for persistent access. And it works even if privileged access management (PAM) systems are being used to employ MFA, such as smart cards.”
Session hijacking does not involve exploiting a fixable vulnerability – it is about abusing the legitimate functionality of remote session protocols, such as RDP, ICA and SSH. “If such an attack connects to OT and ICS running factories and industrial plants, there could also be a physical impact on operational availability and safety – potentially cutting off access to energy or water for entire areas.”
“Attacks targeting critical national infrastructure tend to be the work of APT groups working on behalf of nation states with specific goals,” comments Joseph Carson, chief security scientist and advisory CISO at Delinea. Those goals are governed by the current state of geopolitics, and the global tension caused by the Russia/Ukraine conflict means the stakes are high.
“These high-level adversaries are hard to defend against as they have the time and resources required to repeatedly test security measures and find gaps, whereas more opportunist criminals in search of profits will select soft targets,” he continued.
Although OT and IT networks are converging, there remains a fundamental design difference between the two. “OT systems have often been designed with a lifespan of decades in mind, and are a poor fit with the fast-moving world of modern IT networks. Gaining centralized visibility and management of such a complex environment can be extremely challenging,” he added.
This results in gaps between the two networks that APT actors can find, infiltrating the IT network and moving across to the OT network. “These issues elevate the potential threat of a nation state actor infiltrating the system and causing serious disruption,” he continued.
According to Kaspersky’s experts, there will likely be a shift in APT activity against industrial organizations in new industries and locations. “Real economy sectors such as agriculture, logistics and transport, the alternative energy sector, and the energy sector as a whole, high-tech, pharmaceuticals and medical equipment producers are likely to see more attacks next year,” they say. “Moreover, traditional targets such as the military industrial complex and the government sector will also remain a focus.”
Kaspersky also warns that there will likely be an increased level of cooperation between criminals and APTs. “Other risks to watch out for are the heightened criminal activity with a goal to harvest user credentials as well as more volunteer ideological and politically motivated insiders working with criminal groups, usually extortionists and APTs,” it says. “These insiders may be active in production facilities as well as technology developers, product vendors and service providers.”
Attacks on the OT of critical industries have real world implications, which may worsen in 2023. “Whether it’s contaminated water supplies or minimal access to fuel, we’ve seen the costs these cyberattacks have firsthand,” comments Edward Liebig, global director of cyber-ecosystem at Hexagon Asset Lifecycle Intelligence. “While hackers’ activities will likely still be money-driven, we can expect to see human cost become more of a play in the following year.”
He is concerned that IT and OT security convergence is still not effective. “Attacks that have been close calls in the past (such as the poisoning of the water supply from a Florida plant in 2021) will eventually have human costs.”
Liebig is also concerned about attacks on the energy grid. “As Ukraine stands its ground in its conflict with Russia, we’re likely to not only see more attacks on Ukrainian energy infrastructure, but the US’s infrastructure as well,” he warns. “At the beginning of 2022, Homeland Security warned that domestic extremists had been developing plans to attack the US electric power infrastructure for years.”
As a result, he continued, “The combination of aforementioned factors makes the US’s power grid more vulnerable to cyberattacks than it has been in a long time.”
Sam Curry, CSO at Cybereason, believes there needs to be a fundamental change of approach from the ICS/OT system providers. “Many of the security basics are simply not present, such as leveraging roots of trust and trusted execution environment, strong cryptographic options, hardening, secure update and shipping with strong identity options and no default access, to name a few,” he says. “Most devices don’t ship with hardening options or advice, have poor documentation and no understanding of ultimate use cases.”
This results in customers setting up devices, but rarely coming back to manage the ongoing device lifecycle, let alone maintaining security aggressively as they should. “There are missed business opportunities for security services and secure management services as a service that are being left behind. Done correctly, there’s not only lower risk for business, but there’s money to be made and real value to provide.”
He adds, “2023 needs to be the year to reset ICS and OT standards for security.”
Ronnie Fabela, CTO and co-founder at SynSaber, also sees scope for improvement in standards. “From the practitioner side of ICS cybersecurity, 2023 will continue to see an overwhelming message of guidance, regulation, media, and FUD about topics such as ransomware, threat actors, and nation-states,” he says.
“My prediction for 2023 is that while this will continue, the industry’s response will be loud and focused: ‘Enough guidance and FUD. Help us execute.’” His position is that industrial operators and asset owners know their systems better than anyone. Now that they are on board with cyber, empowering the operating community is the only true way to move the needle.
“A shift from ‘We know better’ to ‘You know better’ will be tough for a cybersecurity industry that is used to being the hero,” he adds. “The faster all of us can change this mindset, the more successful 2023 will be for defending critical infrastructure.” There will consequently be continued movement from guidance to regulation.
But Jablanski offers a word of warning, more to do with party politics than geopolitics: “New direction and bolstered industry involvement will produce greater situational awareness, trust, and resolve across the critical infrastructure security community. As a warning, policymakers should avoid a partisan future for reducing cybersecurity risks to critical infrastructure.”

Related: Omron PLC Vulnerability Exploited by Sophisticated ICS Malware
Related: ICS Vendors Respond to Log4j Vulnerabilities
Related: U.S. Warns ICS/SCADA Malware Can Damage Critical Infrastructure
Related: Energy Provider in Ukraine Targeted With Industroyer2 ICS Malware
The post Cyber Insights 2023: ICS and Operational Technology appeared first on SecurityWeek.
Industrial cybersecurity firm Otorio has released an open source tool designed to help organizations detect and address issues related to an upcoming update from Microsoft.
Otorio’s DCOM Hardening Toolkit, which is available for free on GitHub, is a PowerShell script that lists weak DCOM authentication applications installed on the tested workstation and provides functionality to address associated security issues.
The tool is useful for organizations that use the OPC Data Access (DA) protocol for communications between PLCs and software within OT networks. OPC DA relies on Microsoft’s Distributed Component Object Model (DCOM) technology, which can introduce serious vulnerabilities.
The newer OPC Unified Architecture (UA) protocol does not rely on DCOM so it’s not affected by the same security issues, but many industrial organizations still rely on OPC DA.
The problems that the Otorio tool aims to address are related to some changes that Microsoft has been making.
In 2021, Microsoft informed customers about CVE-2021-26414, a Windows server security feature bypass flaw. Addressing CVE-2021-26414 requires hardening DCOM, which could break existing deployments for some organizations, so Microsoft is implementing the changes gradually. The goal is to give users enough time to check and resolve any compatibility issues.
The first updates were released by Microsoft in June 2021, with the DCOM hardening disabled by default. The second updates, released in June 2022, enabled the hardening by default, but allowed users to disable the changes manually.
The last updates, scheduled for March 2023, will keep the hardening enabled and users will not be able to disable it.
Otorio’s DCOM Hardening Toolkit can be used to learn whether an OT network includes unsecured DCOM that will become inoperable after the new update is rolled out in March, and it also provides remediation instructions.
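A read-only check a defender can run before the March 2023 update, as an added example that is not Otorio’s DCOM Hardening Toolkit and not code from the article. It assumes Microsoft’s KB5004442 guidance for CVE-2021-26414: the `RequireIntegrityActivationAuthenticationLevel` value under `HKLM:\SOFTWARE\Microsoft\Ole\AppCompat` (1 enforced, 0 disabled) and the DistributedCOM System-log events 10036 (server side) and 10037/10038 (client side) that Windows writes when an activation would fail under hardening; none of these identifiers come from the page, and the script should be run elevated on the OPC DA server and its clients.

```powershell
# Added example: report a host's DCOM hardening state (CVE-2021-26414) and the
# DCOM compatibility events already logged. Registry value and event IDs are
# taken from Microsoft's KB5004442 guidance, not from the article or Otorio's tool.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$regName = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    # 1 = enforced; 0 = disabled by override (only honoured until the March 2023 update);
    # absent = platform default (enforced since the June 2022 updates).
    $value = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
    $valueText = 'absent (platform default)'
    if ($null -ne $value) { $valueText = [string]$value }
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        RegistryValue      = $valueText
        Enforced           = ($null -eq $value) -or ($value -eq 1)
        DisabledByOverride = ($value -eq 0)
    }
}

function Get-DcomCompatibilityEvents {
    param([int]$Days = 30)
    # 10036: server refused (or, in audit mode, would refuse) an activation below PKT_INTEGRITY.
    # 10037/10038: this host, as a client, activated a remote server with an explicit /
    # default authentication level that hardening will reject.
    $filter = @{ LogName = 'System'; Id = 10036, 10037, 10038; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*DistributedCOM*' } |
        ForEach-Object {
            $side = 'client'
            if ($_.Id -eq 10036) { $side = 'server' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Side    = $side
                Summary = ($_.Message -split "`n")[0]   # first line names the app / CLSID / peer
            }
        }
}

$state = Get-DcomHardeningState
$state | Format-List

if ($state.DisabledByOverride) {
    Write-Warning "DCOM hardening is disabled via $regName; this override stops working after the March 2023 update."
}

$events = @(Get-DcomCompatibilityEvents -Days 30)
if ($events.Count -eq 0) {
    'No DCOM hardening compatibility events in the last 30 days.'
} else {
    "$($events.Count) DCOM compatibility event(s): each names an application, CLSID or peer whose authentication level must be raised to Packet Integrity or higher before the March 2023 update."
    $events | Sort-Object Time -Descending | Format-Table Time, EventId, Side, Summary -AutoSize -Wrap
}
```

Run it on both ends of each OPC DA link: server-side 10036 events tell you which clients still call too weakly, and client-side 10037/10038 events tell you which of your own applications need their activation authentication level raised.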
“If a company applies the March patch and loses critical visibility and communication between nodes in its network, it could experience significant financial losses. Our goal is to prevent that kind of catastrophe,” said Yair Attar, CTO and co-founder of Otorio.
Otorio has also implemented the open source tool’s capabilities in its RAM² cybersecurity and digital risk management platform for OT.
Related: New Dragos OT-CERT Provides Free Industrial Cybersecurity Resources
Related: Open Source Tool Helps Organizations Secure GE CIMPLICITY HMI/SCADA Systems
Related: Open Source Tool Helps Secure Siemens PCS 7 Control Systems
The post New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch appeared first on SecurityWeek.