ICS Risk & Vulnerability Report: Once again, more weak points identified in industrial plants and critical infrastructures (KRITIS)
Manufacturing, energy and water supply are the most vulnerable areas of critical infrastructure. Awareness of the security of industrial networks is growing.
In the second half of 2020, 71 percent of the vulnerabilities discovered in industrial control systems (ICS) could be exploited remotely. This is the finding of the second half-yearly ICS Risk & Vulnerability Report from Claroty, the Industrial Cybersecurity Company. A quarter more ICS vulnerabilities were disclosed than in 2019; compared to the first half of 2020, the increase was 33 percent. The report combines the discoveries made by the Claroty research team with trusted public sources such as the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and the industrial automation manufacturers Schneider Electric and Siemens.
Many vulnerabilities identified
In the second half of 2020, 449 vulnerabilities in ICS products from 59 vendors were discovered. Of these, 70 percent were rated with high or critical CVSS (Common Vulnerability Scoring System) scores. A good three quarters (76%) of these vulnerabilities can also be exploited without authentication.
"The accelerated convergence of IT and OT networks due to the digital transformation increases the efficiency of industrial processes, but also increases the attack surface," explains Amir Preminger, Vice President of Research at Claroty. "Government-sponsored attackers are obviously looking at many aspects of the network perimeter in order to exploit them, and cybercriminals are also focusing specifically on ICS processes. This is why the use of security technologies such as network-based detection and secure remote access is of the greatest importance in the industrial environment. At the same time, it is very encouraging to see that interest in industrial control systems is growing within the safety research community. We need to shed more light on these weak points in order to keep the threats at bay."
More vulnerabilities in critical sectors
In the area of critical infrastructure (KRITIS), critical manufacturing, energy, water and wastewater as well as commercial facilities were particularly affected by the weaknesses that became known in the second half of 2020. These areas consistently show an increase compared to the two previous years:
- Critical Manufacturing: Increase of 15 percent compared to the second half of 2019 and two thirds more (66%) identified vulnerabilities than in the second half of 2018
- Energy: Plus eight percent compared to the second half of 2019 and 74 percent compared to the second half of 2018
- Water and wastewater: Increase of more than half (54%) compared to the second half of 2019 and 63 percent compared to the second half of 2018
- Commercial facilities: 14 percent increase compared to the second half of 2019 and 140 percent compared to the second half of 2018
More on this at Claroty.com