To provide more information on the evolving threat landscape for ICS, Verve’s research team has been looking at the various ICS advisories and CVEs that have been released in the last couple of weeks

With CISA kicking off Cybersecurity Awareness Month in October, we look back to the month of September, where the team analyzed a total of 26 new ICS advisories. From those advisories, Verve observed the following data points:

• Average CVSS score of 8.2 almost just like in August (8.1), but with a higher average of 3.2 CVEs per advisory.
• The companies with the most advisories for the month of September are Hitachi Energy (8) and Siemens (5), followed by Delta Electronics (2). All the other companies with advisories in September (11) only have one to their name.
• 69% of the advisories published in September only affect one specific sector – a really high percentage based on the fact that the previous month had only 36% of the advisories that only affected one sector.
• 23% of the advisories affect multiple products. All the advisories but 2 affect multiple versions (92%).
• 46% of the advisories were reported by companies & 54% by researchers.
• 12 ICS advisories of the 26 published in September (46%) were either self-reported or reported by a researcher working directly for the OEM.

While those vulnerabilities can all be relevant to an asset owner or cybersecurity professional, some of the advisories stand out.

Vulnerabilities worth noting

The following advisories/vulnerabilities stand out from the others:

Other vulnerabilities could also be listed above, such as ICSA-22-251-01 which has a CVSS rating of 10, ICSA-22-258-02 & ICSA-22-258-05, 2 advisories on Siemens assets that have 20 & 14 CVEs associated with them,  and other critical vulnerabilities that asset owners/engineers should investigate to ensure that they mitigate the risks that these vulnerabilities could entail to the environment they manage/maintain.

Vulnerability does not mean exploitability

When it comes to ICS advisories, CISA gives a good list of vulnerabilities that can potentially be exploited by a threat actor in order to compromise a given asset/product. The advisories generally give one or two “warnings” – Some rare ones don’t have any warnings – about how easily a threat actor could potentially exploit those advisories/vulnerabilities. The most common warnings are “Low attack complexity” and “Exploitable remotely“.

Other warnings that can be seen on CISA’s website include:

• Exploitable from an adjacent network
• Low skill level to exploit
• High attack complexity, and
• Public exploits are available

Those warnings can often give a general idea of the level of skills needed by a threat actor in order to exploit one of the vulnerabilities.

In September, 14 advisories of the 26(54%) could be both exploited remotely and had low attack complexity, 6 only had a low attack complexity, 3 were only exploitable remotely and 3 advisories were divergent from the rest of the group:

• ICSA-22-263-04 has a low attack complexity but also is exploitable from the adjacent network, which means that a threat actor could potentially exploit the vulnerabilities on these assets without gaining full access to the environment in which they sit.
• ICSA-22-270-02 has a low attack complexity but also has public exploits available, which means that attackers may have a head start when it comes to performing an exploit on this vulnerability.
• And ICSA-22-249-04 has no warning (N/A).

So, while some of the advisories might have really high CVEs associated to them, it doesn’t mean that they can easily be exploited. In order to properly understand their risks, organizations need to ensure that they don’t just look at the vulnerability scores, but also how they can be exploited, what those different assets mentioned in the advisory are connected to, their criticality and the impact an exploit could have on the organization, its operations, its data and of course safety.

In other words, organizations need to ensure they understand their network, have information on their endpoint and don’t forget to mitigate risks, put in place compensating controls, and perform risk/threat/vulnerability management activities.

Forecasting what’s to come

With all of this in mind, what can asset owners expect for the coming months? Last year(2021) saw ICS-CERT release 354 ICS-related advisories spanning 82 vendors/OEMs, 1,198 CVEs containing references to different products, and a matrix of affected versions. With an average advisory score of 7.91 and an average number of 3.38 CVEs per advisory for 2021, how does it compare to the current year?

Based on what is available so far, it can be analyzed that 2022 might bring:

• About the same number of advisories as in the previous year (267 so far at the end of September, with new ones being published every week) – If there was the same number of vulnerabilities then in September published each month before the end of the year, the total number would get to 342 advisories.
• A bigger variety of vendors, but still with Siemens as the OEM with the most advisories published in the year.
• The current trends seem to indicate that the average CVSS score and number of CVEs per advisory are going to stay similar to the previous year. This would be a contrast to the previous years where those numbers raised every year.

Verve Industrial and our objective

Verve Industrial’s mission is to help industrial clients ensure the security and reliability of their most critical assets: their industrial control systems. Verve brings over 25 years of ICS/OT controls experience to help clients achieve rapid and lasting improvement in their Operational Technology (OT) security.

Our foundation in industrial controls engineering is core to our mission to help operators protect these critical assets that keep modern civilization operating effectively. We act as a true partner to our clients in their security and reliability journey. We walk alongside our clients to help them increase the maturity of their systems and processes over time.

One of the key challenges our clients face is the flood of new vulnerabilities released each year for ICS. They are often overwhelmed by the scale of these emerging risks. Our goal with this analysis is to bring some clarity to the task at hand, some visibility into the types of threats, and some recommendations about what actions an organization can take to address these risks.