Dive Brief:
- One-quarter (24%) of industrial control systems (ICS) vulnerabilities disclosed in H1 2021 were found in operations management (level three) of the Purdue Model, according to aggregated data from Claroty's Team82, the National Vulnerability Database (NVD), ICS-CERT, CERT@VDE, Siemens, Schneider Electric, and MITRE, published Wednesday. Researchers discovered about 15% of vulnerabilities each in the basic control (level one) and supervisory control (level two) stages.
- Almost all of the vulnerabilities in operations management (94%) would need user interaction, such as phishing or social engineering, for exploitation. Local attack vectors increased from 19% to 32% between H2 2020 and H2 2021, the report found.
- Bad actors target level three because it has a lot of software components, which have routine vulnerabilities, Claroty said. When there are vulnerabilities in the lower levels of the Purdue Model, such as basic and supervisory control, "an attacker can also reach lower levels and affect the process itself, which makes them an attractive target," the report said.
Dive Insight:
Exploits in ICS and OT can range from impressive to entirely unsophisticated. However, a vulnerability's complexity becomes irrelevant if an exploit exists to sidestep security layers.
"The question for operators is: 'What would you do if you assume every OT device has an unknown zero-day vulnerability?' Because if we keep looking, we'll keep finding more and more vulnerabilities which today are in ICS-CERT, but yesterday were zero-days," said John Livingston, CEO of Verve Industrial.
Across 76 vendors, one-quarter of the 637 ICS vulnerabilities have either no remediation or an incomplete one, Team82 found. Firmware accounts for most, 62%, of the non-fixable vulnerabilities.
Firmware typically requires complete upgrades while also "moving upstream" to cover endpoints controlling firmware devices. While network segmentation is useful, "the biggest way to protect these devices is to protect the management consoles," Livingston said.
The basic control level consists of programmable logic controllers (PLCs) and remote terminal units (RTUs) used in field devices. Vulnerabilities in ICS and OT start at the workstation or server level, in devices that run a general-purpose operating system, according to Livingston. Most attacks are remote, so companies should first focus on the "Windows-type endpoints," he said.
Public exploits give power to low-level and unsophisticated cybercriminals because any level of the Purdue Model can be threatened, according to Dragos.
"It's important to remember that announced vulnerabilities are those that researchers discover and where vendors approve remediation steps. This does not mean that these are the areas that are potentially vulnerable," said Livingston. Applications in the operations management level of the Purdue Model, given the present software, are often easier to scan for vulnerabilities compared to firmware.
Dragos found levels two and three of the Purdue Model have the most exploits. Level three exploits are "of particular interest" because they give cybercriminals an access point into ICS networks, Dragos' report on a decade's worth of public ICS/OT exploits found. "The level three device could be as simple as an RDP jump box," while level two devices are more supervisory in industrial processes.
Because operations management is where OT and IT tend to intersect via servers and databases, exploits reliant on user interaction are a common security shortcoming. When OT and IT merge, it's not for the sake of security but for convenience.
"What we typically find from our assessments is that the largest risks to OT come less from these vulnerabilities and more from the insecurity of managing users and accounts," said Livingston.