Preview:

2021 was a difficult year for everyone – political tensions were high in the East, the COVID-19 pandemic was in full swing, and with everyone homebound, the number of attacks increased considerably on both OT and traditional IT sectors.

During that tumultuous year, and with time on their hands, threat actors pounced on the opportunity to make money as they realized a high number of laptops were deployed outside regular working environments (with people using work laptops for personal activities at home), lower security in a lot of sites, and financial difficulties for a lot of employees (which leads to internal threats).

In 2021, ICS-CERT issued 354 cyber security advisories available for public consumption on CISA’s website (Cybersecurity & Infrastructure Security Agency). Verve analyzed these advisories without any discrimination –  no advisory was rejected based on geography, size of the company, domain of operations, vendor, etc. The only advisories that were not included in the analysis were those related to medical devices (ICSMA). This report summarizes the conclusions, the observed trends, as well as a perspective on what 2022 might hold.

---------
ICS-CERT released 354 ICS-related advisories spanning 82 vendors/OEMs, 
1,198 CVEs containing references to different products, and a matrix 
of affected versions.
---------

ICS-CERT advisories increased by ~30% since 2020 with the number of CVEs growing by ~41%. This compares to a growth of ~23% advisories and ~32% CVEs in 2020 over 2019 in these same categories. These advisories have been split between OEM application software (51%), embedded device vulnerabilities (39%) or embedded software vulnerabilities (10%).

--------- 
The OEMs/companies most affected by the ICS advisories have remained consistent 
since 2020, with Siemens being the OEM with the highest number of advisories 
to its name. 
---------

Many of the risks created by those vulnerabilities are considered High or Critical by NIST’s National Vulnerability Database (NVD), with a doubling of those scored with a CVSS of 8/10 or higher since 2020.

These High and Critical vulnerabilities are generally fairly easy to exploit (67% are exploitable remotely and 75% have a low attack complexity), and with networks becoming more and more connected, the risk of lateral movement and privilege escalation is more important than ever.

The following trends are observed:

  • Most of the vulnerabilities could be used to impact the critical manufacturing sector (59%)
  • Almost half of all the reported vulnerabilities could impact more than one sector (48%)
  • There is a decrease in the number of vulnerabilities affecting multiple products compared to 2020 (-20%), but still 137 advisories in 2021 that can affect multiple products
  • Most of the Vulnerabilities have been identified for companies headquartered in 7 specific countries (92%)
    • This includes Germany, which can easily be explained by the fact that Siemens is headquartered there

In 2021, just like in 2020, Siemens had the largest number of advisories. In 2021, 36% of alerts were related to Siemens against 31% in 2020. The high number of advisories doesn’t mean that Siemens is less secure than their competitors, but instead that a lot of research and threat hunting has taken place for Siemens products and solutions. It shows that Siemens might actually have a relatively mature risk and vulnerability management program, and if Siemens mitigates those vulnerabilities, create patches, and helps their clients secure their products, they will be the most secure of the OEMs.

Finally, even if those vulnerabilities are important and operators, engineers, and asset owners shouldn’t take them lightly, there are still several of them that contained mistakes or issues. Of the 354 ICS advisories in 2021, 27% had issues with Vendor CPE (Common Platform Enumeration).