Technology Forward
How safe are your controls systems from hacking?
Several recent reports, one from industrial cybersecurity firm Claroty, one from SANS, and one from HP Inc., should raise some flags. The Claroty Biannual ICS Risk & Vulnerability Report noted that in the first half of this year, “637 vulnerabilities affecting industrial control system (ICS) products were published, affecting products from 76 vendors.” By comparison, reports for the latter half of 2020 list the number of vulnerabilities as 449, affecting 59 vendors. The SANS 2021 OT/ICS Cybersecurity Report says that cybersecurity threats remain high and are growing in severity. And the HP report, HP Wolf Security Rebellions & Rejections, covers the security risks posed by employees working from home (WFH).
More than 70% of the published vulnerabilities for 2021 are considered critical or given a high severity rating.
No digital device is safe from cybersecurity threats. Devices such as OPC servers, PLCs and RTUs, HMIs and SCADA systems, and the engineering workstation are most often listed as hacking points of entry. The largest percentage of vulnerabilities disclosed during the first half of 2021 affected Level 3 of the Purdue Model: Operations Management (23.55%), followed by Level 1: Basic Control (15.23%) and Level 2: Supervisory Control (14.76%), states the report by Claroty.
Most of the vulnerabilities were reported by third-party security firms, independent experts, and academics, not by vendors. Adding to the vulnerabilities, the HP report notes that IT teams have been forced into compromising security for business continuity, and that their attempts to increase or update security measures for remote workers have often been rejected.
At least 61.38% of the disclosed vulnerabilities can be exploited in attacks from outside the IT or OT network, says Claroty. On the bright side, this number is lower than the percentage reported in the second half of 2020, when it was 71.49%. But local attacks rose to 31.55% in the second half of 2020; previously the figure was 18.93%.
Experts suggest the need for phishing and spam prevention, along with awareness techniques that help reduce ransomware and other potentially devastating attacks. Of course, they advise regular updates for all industrial control system software as one of the better protections against hacking. They also note that visibility and detection solutions are readily available to provide an awareness of hacking, but that many companies are not taking advantage of these tools. The SANS report notes that nearly half of this year’s survey respondents don’t know if they’ve been attacked.
Here are a few more statistics:
• 25.59% of the 637 ICS vulnerabilities have no fix or only a partial remediation.
• Of the vulnerabilities with no, or partial, remediation, 61.96% were found in firmware.
• Of the vulnerabilities with no, or partial, remediation, 55.21% could result in remote code execution, and
• 47.85% could result in denial-of-service conditions when exploited successfully.
• 76% of IT teams admit security took a backseat to business continuity during the pandemic, while 91% felt pressure to compromise security for business continuity.
• Almost half (48%) of younger office workers (18-24 years old) surveyed viewed security tools as a hindrance, leading to nearly a third (31%) trying to bypass corporate security policies to get their work done.
• Of the 74.4% of vulnerabilities with remediation, 59.49% require software fixes.
• 51.22% of the vulnerabilities affecting end-of-life products were found in firmware.
• 83% of IT teams believe the increase in home workers has created a “ticking time bomb” for a corporate network breach.
Experts continue to warn of ransomware and extortion attacks, such as the one that happened recently to Colonial Pipeline. The consensus among experts is that there will be more such attacks. What additional evidence is needed before we all see that securing data is everyone’s business?
Leslie Langnau llangnau@wtwhmedia.com