The Rising Threat to Manufacturing Cyber Security

Over the past several years, the risk to manufacturing organizations from cyber attacks has grown dramatically. This is due to both increased threat actor activity as well as increasing exposure to the traditional IT networks with greater OT connectivity. This is a short summary of some of these changes. For more details, please see a copy of our 2020 ICS vulnerability report.

Demonstrated financial impact from ransomware in manufacturing

Ransomware is now a well-known threat. Manufacturing, however, has not historically been a heavily targeted industry as the ROI was not seen as great as healthcare, financial services, municipalities, etc. More recently, threat actors are seeing the ROI in manufacturing. These events can have a significant impact on operations.

Not only is this an operational issue, but as seen from the impact of NotPetya/Wannacry from a couple of years ago, this demonstrates the potential for massive financial impact from ransomware that crosses into the OT environment. The financial impact is significant:

Increasing connectivity creates increased risk

During COVID-19 lockdowns, manufacturing organizations rapidly accelerated their remote access initiatives – from simple remote access for vendors or employees given limited on-site resources to more aggressive “Industry 4.0” efforts. Many industrial organizations have historically relied on the notional “air-gap” to protect their OT systems. The notion was that these systems are not connected to the Internet or to the corporate network. The past year has blown up any remaining air gaps that people may have felt existed.

Unfortunately, because these environments have not historically been actively managed, this connectivity means that the systems being connected are not protected with many of the core elements of security one might find in IT. Verve has completed hundreds of OT assessments over the past ten years or so. The results highlight the gaps in key elements of the defense in depth model adopted in IT security.

These risks are even more critical as manufacturing has now become the second most targeted industry for attack activity.

Increasing ICS vulnerabilities

In 2020, ICS-CERT issued 248 cyber security advisories for public consumption on the CISA’s ICS CERT portal. Verve analyzed all these advisories, regardless of whether they came from large or small vendors to ensure accuracy even for geographies where the primary vendors are lesser-known. We compared them to 2019 releases. This report summarizes the conclusions, implications on remediation strategies, as well as a perspective on what 2021 might hold.

ICS CERT released 248 ICS-related advisories spanning 67 vendors/OEMs, 710 CVEs containing references to different products & a matrix of affected versions.

ICS-CERT advisories increased by ~30% over 2019 with the number of CVE’s growing by almost 50%, and the average CVSS score of these CVE’s increased to over 8.0 out of 10.  These advisories were equally split between OEM application software and embedded device vulnerabilities.

Embedded devices outnumber devices with traditional IT Operating Systems and have had nearly identical advisory release ratios as software or applications for those OS devices in both years.

These vulnerabilities create risks as networks are increasingly connected. Almost two-thirds (63%) are exploitable remotely with little skill required. This is up from 56% in the 2019 total. And the total number of remotely exploitable/low skill vulnerabilities increased by 66% in 2020 vs. 2019. This should raise the hair on the back of the necks of OT operators everywhere, especially in a world of greater remote connectivity to critical infrastructure during COVID and in the future.

These are not just small, minor risks, either. The trend is towards higher risk scores with advisories scored as 8 through 10 increased at roughly twice the rate of those ranked 7 or less. So not only are there more risks, but the severity is growing. The largest type (~35%) relates to authentication or validation errors which can enable unapproved actors to make changes. And the second (30%) relate to Buffer Overflows. For the security researcher, this term is well-known, but to the operator the implications of this are enormous.

These types of vulnerabilities can be used to:

• Consume/exhaust a device’s or software’s available resources and require a restart
• Create unsafe conditions where a device is unable to respond deterministically
• Generate a HALT or a STOP condition due to unexpected communications or commands
• Potentially compromise the system or application via remote code exploit (RCE)

As in 2019, Siemens constituted the largest number of advisories – in 2020 31% of alerts were related to Siemens whereas in 2019 the percentage was 23%. This is not to say that Siemens devices are “less secure”. In ICS, we need to learn that published vulnerabilities may, in fact, indicate a more mature vulnerability management program rather than more risky software.

One telling fact is that almost three-quarters (73%) of vulnerabilities were reported by third parties. It is great that more researchers are diving into the complex world of ICS, but this also means that the adversaries are also diving into these devices and finding vulnerabilities that they are likely not disclosing. The bar for OEMs is going up quickly to begin more aggressive efforts to discover, report, and disclose vulnerabilities.

One of the most significant underlying trends is the increasing threat that emerges as we evaluate the software bills of materials on these ICS embedded devices. In 2020, 36 out of the 248 (15%) advisories were related to these supply chain risks. But we believe this dramatically understates the risks to these hidden vulnerabilities. Through our independent research, we regularly discover embedded devices leveraging insecure software stack elements.

One might surmise from the disclosures from supply chain/third-party component vulnerabilities has not risen, but products are increasingly incorporating vulnerable third-party components. Similarly, with the increased focus on the supply chain (URG11, Treck, and SolarWinds) – we suspect this to widen the risk theatre, but not in the same profound ways researchers and vendors proclaim.

• 5% of ICS CERT advisories affected multiple products, and 99% affected multiple versions
• 9% of CVEs from all ICS CERT advisories were generated alone from supply chain vulnerabilities or third-party dependencies.
• And this is just the tip of the iceberg…

Our view is that this will be a major cause of increasing vulnerability disclosures in years to come.

What can manufacturers do to reduce cyber-related threats?

1. Conduct a robust, endpoint, and network-based assessment of your OT systems to understand the extent of exposure and prioritize remediation steps.
2. Bring IT security and OT teams together to develop a coordinated approach that aligns the needs of cyber security with the realities of the OT critical environments.
3. Ensure you have a robust asset inventory not only of OS-based devices and their versions but also all of the underlying application software and embedded devices with corresponding firmware.
4. Centralize the analysis and tracking of risk across assets, sites, and types of risk. In many cases, security may exist on paper in policies or design principles, but in the actual deployment, it fails.

A central platform aggregates the various risks and enables prioritization of the most effective way to remediate those risks. For instance, we often hear that patching is not just feasible in OT. The reality is true in some cases, but in many cases, there are feasible means to patch effectively to address the most severe risks.

Automated tools help with the labor challenges of doing so, but we do understand that updating firmware on all embedded devices can be challenging or impossible. Operators can leverage a range of compensating controls to address the risks (at least partially), such as application whitelisting, closely managing user accounts, removing unnecessary software, etc. A central platform enables the management of these compensating controls

We hope this review serves to raise the focus and energy on protecting our most critical infrastructure.