2022 ICS Advisory Year in Review

Last week Verve released its annual review of the ICS Advisories. You can find the complete report here. 2022 was another year of increase in the number of ICS Advisories released by CISA. It also was the year that the ICS-CERT faded into the history books as the distributor of the advisories, replaced by the CISA brand.

Why dive into the ICS Advisories? ICS Advisories provide public awareness of vulnerabilities and risks to software and hardware that comprise industrial control systems. The United States Critical Infrastructure and Cyber Security Administration (CISA) reviews and approves these notices. They provide operators with important context about the risks to systems and potential remediation or mitigation steps to reduce or eliminate those risks. By reviewing them and following their recommendations, operators can improve their chances of defending against attacks on their most critical infrastructure.

As providers of vulnerability management software and services, analyzing the advisories in detail allows us to support our clients in identifying, prioritizing, and remediating or mitigating the risks disclosed therein. As operators, analysis of the advisories supports the development of appropriate security strategies for their environments based on real-world risks.

Before we summarize the findings from analyzing all of the advisories, it is important to recognize that there are some consistent recommendations on how to address these risks, which all industrial operators can follow. And some of these fundamentals are critical to effectively leverage these advisories.

First, a key requirement to effectively using the ICS Advisories is having a comprehensive and accurate asset inventory of all firmware versions of all embedded devices as well as full application software inventories on HMIs, servers, workstations, etc. Verve has been deploying the Verve Security Center for fifteen years across different OEM brands and industrial environments. This endpoint solution gathers this necessary detailed inventory – through backplanes of PLCs, down to serially connected firmware versions, full application inventories on HMIs, workstations, etc. This is fundamental to effective ICS advisory vulnerability management.

Second, CISA has a set of common OT security fundamentals, as shown in their graphic below.

These eight foundational elements grow out of the threats that CISA observes every day within the world’s critical infrastructure. They cover networking, endpoint, physical security, etc. As we review the ICS advisory mitigation recommendations, they tend to repeat these core recommendations. See below for the recommendations on the Industroyer2 malware seen in Ukraine in 2022

• Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters.
• Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
• Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
• Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
• Ensure OPC UA security is correctly configured with application authentication enabled and explicit trust lists.
• Ensure the OPC UA certificate private keys and user passwords are stored securely.
• Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure the validity of those backups.
• Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
• Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
• Implement robust log collection and retention from ICS/SCADA systems and management subnets.
• Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic, consider using CISA’s open-source Industrial Control Systems Network Protocol Parsers (ICSNPP)
• Ensure all applications are only installed when necessary for operation.
• Enforce the principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
• Investigate symptoms of a denial of service or connection severing, which exhibit as delays in communications processing, loss of function requiring a reboot, and delayed actions to operator comments as signs of potential malicious activity.
• Monitor systems for loading of unusual drivers, especially for ASRock drivers, if no ASRock driver is normally used on the system.

As you can see, many of these recommendations are part of the components of CISA’s core recommendations.

Third, while the number of advisories is growing every year, in our experience doing hundreds of site-level technology-enabled assessments, the VAST majority of vulnerabilities are actually in the Operating Systems and traditional IT applications sitting on the Windows, Unix and Linux servers, workstations, HMIs, etc. “Branded ICS vulnerabilities” such as OT:ICEFALL, Pipedream/Industroyer2, etc., are certainly important. However, these can distract from where the real weight of the risk is, i.e., in those unmanaged OS-based devices. Organizations need to avoid the “whack-a-mole” of chasing the biggest press release and keep an eye on continuously improving the core fundamentals.

The reason for highlighting these core elements is that regardless of whether your environments contain the specific devices or software covered by these advisories, there are a set of consistent recommendations for how to secure OT environments.

Now as we dive down into the individual ICS advisories, the following are some of the key findings from the 2022 review.

• There were 370 new advisories in 2022 which is a slight increase from the 354 released in 2021, a much smaller percentage increase compared to the 40% increase from ’20 to ‘21
• Siemens again had by far the most released vulnerabilities, although over 50% were reported by a 3rd party researcher rather than the OEM itself
• 90% of the CVEs are low attack complexity, and three-quarters are remotely accessible
• Very few of these have a known exploit available
• Many of the advisories don’t have patches available for remediation and will require those mitigating controls highlighted above.

The reality is that the number of ICS advisories is going to increase year after year as more researchers dive into these products that were not designed with security in mind. One could argue that there are “zero-day” flaws in most legacy devices. The researchers are regularly uncovering those which is helping raise awareness of the need for action to remediate these risks.

It will be critical to maintain an accurate view of these new advisories and be able to match that to your organization’s inventory. But beyond that, organizations need to continue to expand their investments in the foundational or “hygiene” elements of vulnerability management on OS’s, hardening configurations, user & account management, network protections, etc.