ICS Vulnerabilities - Staying Vigilant!

As detailed in Kaspersky's "Threat landscape or industrial automation systems H2 2018", 20% of vulnerable ICS devices are being impacted by critical security issues. Over half of the 415 vulnerabilities found in industrial control systems (ICS) were assigned CVSS v.3.0 base scores over 7, which are designated to security issues that are considered high or critical risk levels.  This fact demands that asset stakeholders remain keenly vigilant of their IT/OP environments and their security posture.

To facilitate an understanding of security postures, cybersecurity risk assessments of industrial control systems (ICS) are recommended. Ideally, this understanding will help reduce risk and improve the security of ICS and their components. The primary goal of the cybersecurity assessments is to improve the security of the critical infrastructure by delivery of a report of all security problems found during the assessment along with associated recommendations for improving current levels of security.

ICSs are made up of process equipment, process control hardware, network devices, and computers. Vulnerabilities in network devices and protocols, the operating systems, ICS software, and other software running on the ICS computers could allow an attacker to gather information, disrupt, or manipulate ICS operations. Out of all vulnerabilities identified by Kaspersky, 46% could lead to remote code execution, as well as provide unauthorized control of the compromised ICS device or allow potential attackers to trigger a denial-of-service (DoS) condition rendering the equipment unusable. "Importantly, most vulnerabilities can be exploited remotely without authentication and exploiting them does not require the attacker to have any specialized knowledge or superior skills.

Common security problems that can arise from an ICS configuration are:

• unpatched operating system, application, and service vulnerabilities;
• failure to configure and implement applications and services securely (i.e., selecting security options and protecting credentials);
• changing all default passwords;
• setting password policies to require strong passwords;
• limiting user accounts, applications, and services to only the required permissions;
• installing or enabling security features correctly; and
• restricting unnecessary connections.

Today, widely available software applications and internet-enabled devices are integrated into most ICS, delivering many benefits, but also increasing system vulnerability. Sophisticated malware that specifically targets weaknesses in ICS is on the rise. ICS software mainly suffers from the lack of secure software design and coding practices. ICS network protocols and associated server applications are prone to “Man in the Middle Attack” data viewing and alteration as well as compromise through invalid input. This lack of security culture contributes to poor code quality, network protocol implementations that rely on weak authentication and allow information disclosure, and cause vulnerable custom ICS Web services.

ICS software generally uses third-party applications such as common web servers, remote access services, and encryption services. Many out-of-date and vulnerable third-party software applications and services are identified on new ICS versions; this indicates that the ICS vendor is not supporting third-party patch management for their software.

In order to reduce the risk of a damaging attack against an ICS, the likelihood of a high impact incident can be reduced by implementing as many perimeter protection and vulnerability reduction strategies as possible (aka defense-in depth). A mitigation strategy should not be chosen from a list of possible mitigations for a given identified or possible vulnerability, but rather as many mitigation techniques as reasonably possible should be employed to stand in as a line of defense and prevent access to vulnerable components and network traffic. The probability that an attack is able to defeat or circumvent security defenses is increasingly reduced as the number of security measures are implemented and gaps are filled in the line of protection formed by the other security features on the ICS.

Security should be designed and implemented by qualified security and ICS experts who can verify that the solutions are effective and can make sure that the solutions do not impair the system’s reliability and timing requirements. Given the nature of the vulnerabilities found in ICS, energy asset owners cannot always directly fix them. Thus, as these owners wait for vendor patches and fixes, the design and implementation of defense-in-depth becomes a security strategy that aid in protecting the ICS from attack and is part of an effective, proactive security program. Such a program is a necessity because attack strategies are constantly evolving to compensate for increased defense mechanisms.  The nature of this vulnerability requires energy stakeholders to be fully engaged with companies which can assess for them their vulnerabilities, develop a mitigation program to address the threats, and ensure that the assets owned and operated by the stakeholders can maintain continuity of operations.