To provide more information on the evolving threat landscape for ICS, Verve’s research team has been looking at the various ICS advisories and CVEs that have been released in the last couple of weeks.

October was CISA’s Cybersecurity Awareness Month. During that month, CISA promoted careers in cybersecurity, organized presentations and highlighted key actions everyone should take, such as using strong passwords and MFA (Multi-Factor Authentication). With this in mind, we look back at October, when the team analyzed a total of 35 new ICS advisories. From those advisories, Verve observed the following data points:

  • An average CVSS score of 8.3, slightly higher than in September (8.2), but with a lower average of 2.2 CVEs per advisory (September averaged 3.2 CVEs per advisory).
  • The companies with the most advisories in October are Siemens (14), followed by Johnson Controls, Rockwell Automation and Hitachi Energy with three advisories each. All the other companies with advisories in October (12) have only one to their name.
  • 54% of the advisories published in October affect only one specific sector, a significant decrease from the previous month, when 69% of the advisories affected only one sector.
  • 29% of the advisories affect multiple products. All but six of the advisories (82%) affect multiple versions, a lower share than in previous months.
  • 51% of the advisories were reported by companies and 49% by researchers.
  • 15 of the 35 ICS advisories published in October (43%) were either self-reported or reported by a researcher working directly for the OEM.


November, on the other hand, was a slightly quieter month for CISA advisories. The month still featured cybersecurity events such as National Computer Security Day on November 30th. During November, Verve’s team analyzed a total of 30 new ICS advisories. From those advisories, Verve observed the following data points:

  • An average CVSS score of 8.0, slightly lower than the previous month, but with a higher average of 2.9 CVEs per advisory. The higher average is mostly due to three advisories with 13 (ICSA-22-314-10), 13 (ICSA-22-298-06) and 10 (ICSA-22-333-05) CVEs respectively.
  • The company with the most advisories in November is again Siemens (11), which accounts for more than a third of the month’s new advisories. Of the other 13 companies with advisories in November, only five (Hitachi Energy, Mitsubishi Electric, MOXA, Omron and Delta) have more than one; the rest have one each.
  • 67% of the advisories published in November affect only one specific sector, which is much more consistent with previous months such as September and a significant increase compared to October.
  • 43% of the advisories affect multiple products, a much larger share than in previous months. All the advisories affect multiple versions.
  • 40% of the advisories were reported by companies and 60% by researchers.
  • 12 of the 30 ICS advisories published in November (40%) were either self-reported or reported by a researcher working directly for the OEM.

In total, those two months comprise 65 advisories, with an average CVSS score of 8.2 and an average of 2.5 CVEs per advisory. The graphs below illustrate the evolution over the last few months:

While those vulnerabilities can all be relevant to an asset owner or cybersecurity professional, some of the advisories stand out.

Vulnerabilities worth noting

The following advisories/vulnerabilities stand out from the others:

Other advisories could also be listed above, such as ICSA-22-326-02, which could potentially affect public safety and health and has known exploits; ICSA-22-298-05, which has a CVSS rating of 10; ICSA-22-314-10, ICSA-22-298-06 and ICSA-22-333-05, which, as noted above, each have 10 or more CVEs associated with them; and other critical vulnerabilities that asset owners and engineers should investigate to make sure they mitigate the risks these vulnerabilities pose to the environments they manage and maintain.


Prioritizing vulnerability mitigation and patching

When it comes to OT/ICS, it is rare to have systems that can be patched and rebooted at will. Therefore (and for several other reasons beyond that one), patching and mitigating vulnerabilities is a complex task that DCS engineers, asset owners and others must plan and carry out meticulously in their environment. But how does one decide and prioritize which vulnerability should be mitigated, which patch should be installed, and when risks or vulnerabilities have to be accepted?

ICS advisories usually have a Mitigations section, where the vendor and/or CISA propose ways of mitigating the vulnerabilities listed in the advisory. Those “fixes” usually include elements such as:

  • The OEM recommends users update to the latest version (or to one of several specific later versions)
  • The OEM recommends users apply some specific hotfixes
  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet
  • Locate control system networks and remote devices behind firewalls and isolate them from the business network.

However, even if a vendor offers a newer version of the software/product or a patch to mitigate a vulnerability, it is not always possible for organizations to deploy it. Reasons for being unable to patch or mitigate a vulnerability include:

  • Plant/site unable to patch or update for compatibility reasons
  • Lack of budget to mitigate the risks/vulnerabilities
  • Patching not approved by vendors/patch not sufficiently tested
  • Patching/update would require a reboot of the OT process
  • The network doesn’t allow the application of compensating controls

So, with all of this in mind, engineers and asset owners need to look at what, when and why they mitigate a vulnerability. Looking at multiple metrics in the advisories gives a few pointers for prioritization. For example, if an advisory has public exploits available, a Critical score, and impacts many different products in the environment, it is probably worth investigating first. But that is only the tip of the iceberg: many vulnerabilities never end up in an ICS advisory, advisories and CPEs can be incomplete, etc.

Organizations need to make sure they understand what is in their network, which systems are critical to the operational process, and so on. They also need other means of finding vulnerabilities in their network (e.g. SBOMs). With extensive knowledge of their own plants and data gathered from multiple sources, organizations can then ask themselves the right questions and plan ahead: Which vulnerabilities should be mitigated during the next planned maintenance window or outage? Which vendors should be contacted? How many CVEs can be mitigated with a particular patch? Are some vulnerable workstations only used occasionally, so that they can be updated without a planned outage?
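As an added example (not Verve’s code, and not derived from any real advisory data), the following Python sketch turns the pointers in the two paragraphs above into something runnable: it scores a set of advisories by public-exploit availability, CVSS and how many of the plant’s own assets are affected, then groups the resulting patch work by maintenance window and counts how many CVEs each window closes. The advisory IDs (ICSA-EXAMPLE-*), products, assets, windows and scoring weights are all constructed placeholders.

```python
"""Added example, not Verve's code: a minimal triage model for ICS advisories.

It ranks advisories using the signals the text mentions (public exploit, CVSS,
number of affected assets in *this* plant, criticality) and then groups the
patch work by the maintenance window in which each asset can be taken down.
Every advisory ID, product, asset, window and weight below is a constructed
placeholder, not real CISA data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    cvss: float             # highest CVSS base score listed in the advisory
    cve_count: int          # number of CVEs the advisory covers
    products: frozenset     # product names the advisory applies to
    public_exploit: bool    # advisory notes a public exploit
    fix_available: bool     # OEM ships a patch/hotfix (vs. mitigation only)


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    critical: bool          # part of the core operational process
    window: str             # when it may be patched; "anytime" needs no outage


def priority_score(adv, assets):
    """Return (score, exposed_assets); higher score = mitigate first.
    The weights are an illustrative assumption, not a standard."""
    exposed = [a for a in assets if a.product in adv.products]
    if not exposed:                       # nothing in the plant runs it
        return 0.0, exposed
    score = adv.cvss
    if adv.public_exploit:
        score += 3.0                      # exploit code exists
    if adv.cvss >= 9.0:
        score += 1.0                      # "Critical" band
    score += 0.5 * len(exposed)           # breadth in this environment
    score += 2.0 * sum(1 for a in exposed if a.critical)
    return score, exposed


def rank_advisories(advisories, assets):
    """Advisories affecting at least one asset, highest score first."""
    ranked = []
    for adv in advisories:
        score, exposed = priority_score(adv, assets)
        if exposed:
            ranked.append((round(score, 1), adv.advisory_id,
                           [a.name for a in exposed]))
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return ranked


def plan_by_window(advisories, assets):
    """Group fixable work by maintenance window; count CVEs closed per window."""
    plan = {}
    for adv in advisories:
        if not adv.fix_available:         # mitigation-only: needs compensating controls
            continue
        for a in assets:
            if a.product not in adv.products:
                continue
            entry = plan.setdefault(a.window,
                                    {"assets": set(), "advisories": set(), "cves": 0})
            entry["assets"].add(a.name)
            if adv.advisory_id not in entry["advisories"]:
                entry["advisories"].add(adv.advisory_id)
                entry["cves"] += adv.cve_count   # count each advisory once per window
    return plan


# Constructed sample data (placeholders, not real advisories or assets).
ADVISORIES = [
    Advisory("ICSA-EXAMPLE-01", 9.8, 13, frozenset({"PLC-A"}), True, True),
    Advisory("ICSA-EXAMPLE-02", 7.5, 1, frozenset({"HMI-B", "ENG-WS"}), False, True),
    Advisory("ICSA-EXAMPLE-03", 10.0, 2, frozenset({"HISTORIAN-C"}), False, False),
    Advisory("ICSA-EXAMPLE-04", 8.8, 3, frozenset({"NOT-DEPLOYED"}), True, True),
]
ASSETS = [
    Asset("plc-line1", "PLC-A", True, "annual-outage"),
    Asset("plc-line2", "PLC-A", True, "annual-outage"),
    Asset("hmi-ctrlroom", "HMI-B", True, "quarterly-window"),
    Asset("eng-ws-01", "ENG-WS", False, "anytime"),
    Asset("historian", "HISTORIAN-C", False, "quarterly-window"),
]

if __name__ == "__main__":
    for score, adv_id, names in rank_advisories(ADVISORIES, ASSETS):
        print(f"{score:5.1f}  {adv_id}  {', '.join(names)}")
    for window, entry in sorted(plan_by_window(ADVISORIES, ASSETS).items()):
        print(f"{window}: {len(entry['assets'])} asset(s), "
              f"{len(entry['advisories'])} advisory(ies), {entry['cves']} CVE(s)")
```

Two things the sample illustrates: ICSA-EXAMPLE-04 drops out entirely because nothing in the inventory runs that product, which is why advisories should be checked against your own asset list rather than triaged on CVSS alone; and ICSA-EXAMPLE-03 ranks high but appears in no maintenance window because the vendor offers no fix, so it has to be handled with compensating controls instead of a patch.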

In the end, as a well-known Chinese philosopher once said: “Success depends upon previous preparation, and without such preparation, there is sure to be a failure”.


Forecasting what’s to come

With all of this in mind, what can asset owners expect in the coming months? Last year (2021) saw ICS-CERT release 354 ICS-related advisories spanning 82 vendors/OEMs and 1,198 CVEs, each advisory referencing different products and a matrix of affected versions. With an average advisory score of 7.91 and an average of 3.38 CVEs per advisory for 2021, how does the current year compare?

Based on what is available so far, 2022 might bring:

  • A small increase in the number of advisories compared to the previous year (332 so far at the end of November, with new ones published every week). If December brings the same number of advisories as November, the total would be slightly over 360.
  • A wider variety of vendors, but with Siemens still the OEM with the most advisories published in the year.
  • The current trend indicates that the average number of CVEs per advisory (3.2) will be slightly lower than the previous year’s. This would be a notable change, as that number had been increasing every year. The average CVSS score seems to remain fairly consistent over the years.


Verve Industrial and our objective

Verve Industrial’s mission is to help industrial clients ensure the security and reliability of their most critical assets: their industrial control systems. Verve brings over 25 years of ICS/OT controls experience to help clients achieve rapid and lasting improvement in their Operational Technology (OT) security.

Our foundation in industrial controls engineering is core to our mission to help operators protect these critical assets that keep modern civilization operating effectively. We act as a true partner to our clients in their security and reliability journey. We walk alongside our clients to help them increase the maturity of their systems and processes over time.

One of the key challenges our clients face is the flood of new vulnerabilities released each year for ICS. They are often overwhelmed by the scale of these emerging risks. Our goal with this analysis is to bring some clarity to the task at hand, some visibility into the types of threats, and some recommendations about what actions an organization can take to address these risks.

Related Resources

Guide

2021-22 ICS Advisory Report

Download the 2021-22 ICS Advisory Report to uncover our key findings and predictions for what's to come.

Video

Reading ICS Advisories & Including Insights into your Cyber Security Program

Sweat it or forget it: An ICS insider's guide to navigating ICS advisories - A presentation by Ron Brash during Public Safety Canada's 2021 event

Blog

CISA's ICS Advisories - September 2022

Amid CISA’s cybersecurity awareness month, Verve researchers analyzed the latest ICS advisories from September 2022.

