Analysis of Industrial Control System Vulnerabilities in the First Half of 2021

As more and more companies modernize by connecting their industrial processes to cloud computing, attackers gain more ways to endanger industrial operations, including through ransomware attacks.

According to Claroty's latest report, high-profile cyberattacks against critical infrastructure and industrial enterprises have pushed industrial control system (ICS) security from a niche concern to a mainstream problem, and the number of ICS vulnerability disclosures has also increased dramatically.

The report covers the ICS and OT vulnerabilities disclosed in the first half of this year. It not only provides data on the vulnerabilities prevalent in industrial equipment, but also gives the background needed to assess their risk in each organization's own environment.

I. ICS security research and disclosure trends

1. ICS vulnerability disclosure

ICS vulnerability disclosures are accelerating significantly, revealing the severity of the security vulnerabilities found in operational technology (OT) environments. 637 ICS vulnerabilities were disclosed in the first half of 2021, an increase of 41% over the 449 vulnerabilities disclosed in the second half of 2020. Of these, 81% were discovered by sources external to the affected vendors, including third-party companies, independent researchers, academics and other research groups. In addition, 42 new researchers reported a vulnerability.

71% of the vulnerabilities are classified as high or critical severity, reflecting the seriousness of the exposures and their potential impact on operations. 90% have low attack complexity, meaning no special conditions are needed and the attacker can succeed repeatably. 74% require no privileges, meaning the attacker needs no authorization and no access to any settings or files; 66% require no user interaction, such as opening an email, clicking a link or attachment, or sharing sensitive personal or financial information. 61% are remotely exploitable, which underlines the importance of protecting remote connections, Internet of Things (IoT) and Industrial IoT (IIoT) devices. 65% can cause a total loss of availability, denying access to resources. 26% have no fix at all, or only a partial remediation, which highlights one of the key challenges of securing OT environments compared to IT. The most important mitigation measures mentioned in ICS-CERT alerts and vendor advisories are network segmentation (for 59% of vulnerabilities), secure remote access (53%), and ransomware, phishing and spam protection (33%).
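The exposure percentages above correspond to CVSS v3 base metrics (attack complexity, privileges required, user interaction, attack vector, availability impact). As an added example that is not part of the report, the following Python tallies those metrics over a constructed sample of vector strings and flags the subset where network segmentation and secure remote access are the compensating controls when no patch exists; the vectors and function names are assumptions, not real advisories.

```python
"""Tally CVSS v3 base metrics over a set of disclosed vulnerabilities.

Added example, not from the Claroty report. The vectors below are
constructed sample data, not real ICS advisories.
"""
from collections import Counter

# Constructed sample: one CVSS v3.1 vector string per disclosed vulnerability.
SAMPLE_VECTORS = [
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",  # unauthenticated remote
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",  # needs a user click
    "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",  # local, low-privileged
    "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",  # adjacent network only
    "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",  # remote but needs admin
]

BASE_METRICS = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}

# Report criterion -> (metric, value) that satisfies it.
REPORT_CRITERIA = {
    "low_attack_complexity": ("AC", "L"),
    "no_privileges_required": ("PR", "N"),
    "no_user_interaction": ("UI", "N"),
    "remotely_exploitable": ("AV", "N"),
    "total_availability_loss": ("A", "H"),
}


def parse_vector(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}.

    Rejects non-v3 prefixes and vectors missing a base metric, so a
    malformed advisory entry fails loudly instead of skewing the tally.
    """
    prefix, _, rest = vector.partition("/")
    if prefix not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError(f"unsupported CVSS prefix: {prefix!r}")
    metrics = dict(part.split(":", 1) for part in rest.split("/"))
    missing = BASE_METRICS - set(metrics)
    if missing:
        raise ValueError(f"vector lacks base metrics: {sorted(missing)}")
    return metrics


def exposure_breakdown(vectors: list) -> dict:
    """Percentage of vectors meeting each report criterion (1 decimal)."""
    parsed = [parse_vector(v) for v in vectors]
    if not parsed:
        return {name: 0.0 for name in REPORT_CRITERIA}
    hits = Counter()
    for metrics in parsed:
        for name, (metric, value) in REPORT_CRITERIA.items():
            if metrics[metric] == value:
                hits[name] += 1
    return {name: round(100.0 * hits[name] / len(parsed), 1)
            for name in REPORT_CRITERIA}


def segmentation_priority(vectors: list) -> list:
    """Indices of vulnerabilities reachable over the network with no
    credentials and no user action: where segmentation and secure
    remote access are the compensating controls if no fix exists."""
    wanted = (("AV", "N"), ("PR", "N"), ("UI", "N"))
    return [i for i, v in enumerate(vectors)
            if all(parse_vector(v)[m] == val for m, val in wanted)]


if __name__ == "__main__":
    for name, pct in exposure_breakdown(SAMPLE_VECTORS).items():
        print(f"{name:>24}: {pct:5.1f}%")
    print("segmentation priority:", segmentation_priority(SAMPLE_VECTORS))
```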

Team82 discovered and disclosed 70 vulnerabilities in the first half of 2021, more than all the vulnerabilities Claroty disclosed in 2020. In total, Team82 has disclosed more than 150 vulnerabilities affecting ICS devices and OT protocols.

Team82's research covers a wide range of vendors and products affecting many industrial sectors. Within that scope, Claroty also studies third-party products. The 70 vulnerabilities found in the first half of 2021 affected 20 automation and technology vendors. The following two charts list the affected vendors and ICS product types, respectively:

Figure 1 Affected ICS vendors found by Team82

Figure 2 Types of affected ICS products found by Team82

2. Affected ICS products

Each disclosed vulnerability can be classified as a firmware or a software vulnerability; in some cases a vulnerability affects components of both kinds. In the first half of 2021, most vulnerabilities affected software components, which, given that software is relatively easy to update, defenders should prioritize in their environments.

When examining firmware and software vulnerabilities across product lines, it is important to understand that while vulnerabilities are found in components that can be classified as firmware or software, the products they affect must also be considered. For example, a vulnerable software configuration may exist on an HMI, or a vulnerable Ethernet module may be attached to a pump. The figure below shows the product lines affected by these vulnerabilities, broken down by category:

Figure 3 Breakdown of affected products

Since 23.55% of the vulnerabilities fall at the operations management level (Level 3) of the Purdue model, this explains why so many vulnerabilities affect software components. In addition, about 30% of the vulnerabilities discovered affect the basic control (Level 1) and supervisory control (Level 2) levels of the Purdue model. Of course, once these levels are compromised, an attacker can also reach the lower levels and affect the process itself, which makes them attractive targets.

Figure 4 Industrial control system Purdue model, Levels 0-3

Figure 5 Classification of firmware and software vulnerabilities by product line

II. Assessment of all ICS vulnerabilities disclosed in the first half of 2021

The statistics on all ICS vulnerabilities in the first half of 2021 include the vulnerabilities discovered and disclosed by Team82 as well as all other vulnerabilities disclosed by other researchers, vendors and third parties in the same period. Team82's sources include the National Vulnerability Database (NVD), ICS-CERT, CERT@VDE, Siemens, Schneider Electric and MITRE.

In the first half of 2021, 637 ICS vulnerabilities were published, affecting 76 ICS vendors.

Figure 6 Number of ICS vulnerabilities and affected vendors found in the first half of 2021

In the first half of 2021, 80.85% of the vulnerabilities were discovered by sources other than the affected vendors; these external sources include many research organizations, among them third-party companies, independent researchers and academics.

Figure 7 Vulnerability research sources

The following figure breaks down the number of vulnerabilities disclosed by third-party companies, which discovered 341 vulnerabilities (53.87%) in the first half of 2021. Many of these public disclosures came from researchers at cybersecurity companies, indicating that alongside IT security research, attention has also shifted to industrial control systems. It should be noted that some disclosures were collaborations between multiple research groups, or the same vulnerability was discovered and disclosed by different researchers; this applied to 139 vulnerabilities in the first half of 2021.

Figure 8 Discovery sources, classified by type of research organization

The 637 ICS vulnerabilities disclosed in the first half of 2021 affected the products of 76 vendors, up from 59 affected vendors in the second half of 2020 and 53 in the first half of 2020.

Siemens is the vendor most represented in the report, with a total of 146 vulnerabilities, many of them disclosed through internal research by the Siemens CERT team, followed by Schneider Electric, Rockwell Automation, WAGO and Advantech.

It is important to realize that a large number of publicly disclosed vulnerabilities does not necessarily mean that a vendor's security is poor or its research capacity is limited. A vendor that devotes substantial resources to testing the security of its products is likely to find more vulnerabilities than a vendor that neglects its products to the same extent. Each vendor's product catalog and installed base also affect the number of vulnerabilities disclosed in its products.

Figure 9 The five vendors with the most disclosed vulnerabilities

In the first half of 2021, 20 vendors whose products were not affected by any ICS vulnerability disclosed in 2020 were affected by at least one ICS vulnerability disclosed in the first half of 2021.

Six of these vendors specialize in medical technology, three in automation and two in manufacturing. The vulnerabilities affecting these newly affected vendors (16 of the 20) were discovered by researchers who had previously disclosed vulnerabilities.

Figure 10 Newly affected vendors

III. Threats and risks arising from ICS vulnerabilities

Although many of the numbers in the report are striking, they do not in themselves explain a continuing trend: the number of disclosed vulnerabilities, and of fixes or mitigations for them, keeps rising. There are many factors behind this growth; first of all, more researchers are looking for vulnerabilities in ICS products and OT protocols.

In addition, organizations that integrate OT management into IT, or introduce OT into IT, not only improve business efficiency and analytics capabilities but also expand the attack surface and expose equipment that was never intended to be connected to the Internet.

Most importantly, patches and other remedies, including the mitigations provided by vendors, matter. Software vulnerabilities are fixed much faster than firmware vulnerabilities. In ICS and OT security, patching and product updates are impractical in many sectors, so mitigations are of great significance to users. Measured by the mitigations most frequently recommended by vendors and industry CERTs, network segmentation was undoubtedly the most important mitigation in the first half of 2021.

As air-gapped OT networks have become a thing of the past, network segmentation takes a prominent place among mitigations. Techniques such as virtual segmentation (zone-specific policies for engineering or other functions) will also become an indispensable means of mitigation.

At the same time, secure remote access is second only to segmentation as a mitigation step. Proper access control and privilege management go a long way toward stopping the next Oldsmar-type incident and, more importantly, preventing profit-motivated actors from moving laterally through IT and OT networks, stealing data, and deploying ransomware and other malware.

Very few firmware vulnerabilities are fixed. Almost 62% of firmware vulnerabilities have no fix or only a partial remediation is suggested, and most of these vulnerabilities are in devices deployed at Level 1 of the Purdue model.

IV. Trends worth watching in the second half of the year

Three important trends will shape the second half of the year: OT cloud migration, ransomware targeting critical infrastructure and OT, and upcoming US cyber legislation.

1. OT cloud migration

The momentum driving the introduction of the cloud into industrial processes is undeniable. This convergence will bring many shared risks as companies begin to manage OT and IT from the cloud.

Data security used to be a low risk for industrial processes, but it will now become a priority, especially in regulated industries, where organizations must assess not only threats but also risks.

For example, encryption may prevent some tools from obtaining complete visibility into network assets. In an air-gapped environment this may be considered an acceptable risk, but once assets are exposed to the Internet the situation is different. The best practice is to encrypt data in transit and at rest, and to ensure that data can be fully recovered when an incident occurs. This will become particularly evident as companies move services and applications into the cloud.

Authentication and identity management must also be part of an organization's cloud OT defense-in-depth program. In 2019, the COVID-19 pandemic accelerated remote work, and the Oldsmar incident in February this year demonstrated the risks arising from system access and privilege management controls.

Migrating to cloud-based infrastructure typically means that part of an organization's infrastructure (IT or OT) is hosted on remote servers at a third-party cloud provider such as Google, Amazon or Microsoft. This infrastructure includes a cloud-based management platform that supports the organization's different users, such as administrators or engineers. User and role policies must define which functions each role may perform and what privileges it holds.

There are three types of cloud computing: public, private and hybrid.

2. Ransomware and extortion attacks

Although ransomware has not yet been seen to directly affect Level 1 devices, attackers have successfully disrupted industrial operations. The most famous example is the attack on Colonial Pipeline: after its IT systems were infected with ransomware, the company cautiously shut down fuel delivery along the US East Coast.

Attackers have become more selective in their use of ransomware, seeking out victims they believe are most likely to pay a high ransom. Although municipal governments, health care and the education sector have long been considered ransomware targets, large manufacturers and critical infrastructure are now in the crosshairs.

Another strategy in vogue among profit-motivated attack groups is extortion: stealing sensitive business or customer data and threatening to disclose it publicly, while also encrypting critical systems. Again, attackers target high-value organizations likely to meet their demands. Colonial Pipeline and JBS Foods are alleged to have paid millions of dollars to threat actors to recover encrypted systems.

As more companies connect ICS devices to the Internet and integrate OT and IT, visibility into network assets, and into the software and firmware vulnerabilities attackers may exploit, is critical. For example, flaws in engineering workstation software running on Windows-based machines may allow attackers to compromise these junctions between IT and OT networks, modify processes, or deploy ransomware, disrupting critical services with potential public safety or national security consequences.

Besides phishing and other email-borne threats, defenders also need to pay attention to secure remote access, as well as the set of vulnerabilities found in virtual private networks and other network-based attack vectors. More than 60% of the vulnerabilities in Team82's data can be exploited remotely through a network attack vector. This emphasizes the importance of protecting remote access connections and Internet-facing ICS devices, and of cutting them off before an attacker can move between networks and domains to steal data and drop ransomware.

3. Pending US cyber legislation

In the first half of 2021, the attacks on Oldsmar, Colonial Pipeline and JBS Foods showed how vulnerable Internet-exposed critical infrastructure and manufacturing are. These attacks showed that attackers can find weaknesses and alter the chemistry of public drinking water, or use commodity ransomware to shut down fuel and food distribution systems.

These malicious attacks have also drawn the attention of the US government. Many government-backed cyber initiatives have specifically pointed out that industrial cybersecurity is critical to national security and the US economy.

In July, US President Biden signed a National Security Memorandum on critical infrastructure that establishes an Industrial Control Systems Cybersecurity Initiative, a voluntary effort for private-sector owners and operators aimed at bringing their systems in line with the current threat. The US government will develop performance goals before September, which will inevitably make it mandatory to deploy technology that provides OT network visibility and threat detection.

The memorandum follows an executive order signed in May, which is designed to improve threat-information sharing between the private and public sectors, modernize federal cybersecurity standards, strengthen supply chain security, establish a cyber safety review board, develop standard playbooks for responding to cyber incidents, improve incident detection on federal networks, and improve investigation and remediation.

Earlier, a three-day sprint was carried out to improve the cybersecurity of the electric grid, which also reinforced the theme of better information sharing between public utility owners and the government. The Biden administration also responded forcefully to the Colonial Pipeline incident through the TSA, issuing a security directive requiring pipeline network resilience, including mandatory reporting of incidents within 12 hours of detection, regular vulnerability assessments, and ransomware prevention.

Looking ahead, draft legislation in Washington includes strict post-incident reporting requirements. Care and patience are needed to ensure that these regulations do not create additional risk or unrealistic expectations for small utilities and under-resourced critical infrastructure operators.

The government must strike a balance between identifying and removing network attackers and overseeing companies, which would benefit from guidance and funding. It must also understand the realities of OT vulnerability management: the challenge of patching industrial equipment in high-availability environments, or of updating legacy devices that are not connected to the Internet or have not been updated in decades. This is a problem critical infrastructure must face, to ensure that defenders who cannot patch are given mitigations when no other option exists, or before a complete software or firmware update is available.

V. Key events in the first half of the year

The following events and trends helped shape the ICS risk and vulnerability landscape in the first half of 2021.


1. Colonial Pipeline attack

Colonial Pipeline, the largest distributor of gasoline, diesel and natural gas on the US East Coast, was hit by ransomware, disrupting oil and gas transport. The shutdown on May 7 had an immediate impact on the industry because roughly 45% of the East Coast's fuel is supplied by Colonial. The outage drove up the prices of gasoline and home heating oil, and many fuel stations ran dry. This was the first such shutdown in Colonial's 57-year history. Colonial resumed operations on May 13.

The Russian cybercriminal group DarkSide is said to be responsible for the attack; the group sells ransomware as a service (RaaS). DarkSide steals sensitive data and encrypts it, threatening to publish the data if the ransom demand is not met. According to earlier reports, DarkSide appears to seek out victims able to pay high ransoms, and claims not to target medical, educational or government institutions. Colonial paid a $4.4 million bitcoin ransom, of which $2.3 million was recovered by the US government, and it was reported that the attack was not intended to shut down operations.

2. Oldsmar water treatment attack

On February 5, a water treatment facility in Oldsmar, Florida was attacked. Oldsmar's operators detected two intrusions at the plant; the second involved a remote attacker who connected through TeamViewer desktop sharing software, a legitimate remote access solution used for technical support.

The remote attacker changed the sodium hydroxide level in residential and commercial drinking water from 100 parts per million to 11,100 parts per million. Sodium hydroxide (also known as lye) is added to water to control acidity and remove certain metals. Lye is also the main ingredient in drain cleaners and is a corrosive substance that is dangerous if ingested.

The operator cut off the attacker's connection and, with the help of the water treatment system's safeguards, prevented contaminated water from reaching the public.

3. JBS Foods attack

On May 30, JBS, the world's largest meat supplier, was hit by ransomware, forcing the closure of plants in Australia, Canada and the United States. The US plant closures alone resulted in the loss of nearly one-fifth of the country's meat processing capacity. The Federal Bureau of Investigation attributed the attack to REvil, also known as Sodinokibi.

REvil is a hacking group that provides RaaS. It is known for huge ransom demands and for stealing data before encrypting it, a double-extortion tactic, publishing the stolen data on a dark web site called Happy Blog.

JBS maintained a backup system and was able to use it to restore operations and recover its data. Nevertheless, the company paid $11 million to the attackers.