- There were hundreds of industrial control system (ICS) vulnerabilities identified last year and more than 70% of them were remotely exploitable, according to a biannual risk report published Thursday by cybersecurity firm Claroty. Vulnerabilities were most prevalent in the critical manufacturing, energy, water and wastewater, and commercial facilities sectors.
- In the second half of 2020, according to the report, 449 vulnerabilities affecting ICS products from 59 vendors were disclosed. That represents an almost 33% increase over vulnerabilities disclosed in the first half of the year.
- Visibility into vendor supply chains and ICS equipment will be increasingly important in the future as the energy sector is experiencing a "digital transformation with a threat convergence," Robert Lee, CEO of security company Dragos, said Thursday at a U.S. Department of Energy (DOE) briefing focused on the SolarWinds hack.
Lee spoke to the DOE's Electricity Advisory Committee, and said fallout from the SolarWinds attack could continue for years.
"We're going to be be learning about this for months, if not years to come," said Lee. "Anyone who thinks they understand the scope of this today is naive. We are going to be responding to cases for a long time."
The SolarWinds attack, disclosed last year, hit hundreds of organizations, including DOE and multiple other U.S. government agencies, and is widely believed to be the work of Russian hackers associated with that nation's intelligence service. Hackers compromised a piece of software used by 18,000 of the world's largest infrastructure sites, said Lee.
The attack hit so many organizations because they utilized the same software, said Lee. And as clean energy infrastructure becomes increasingly scaleable, so will potential attacks.
"When you start having converging infrastructure and homogenous infrastructure, open standards and open frameworks, efforts that adversaries put into their research and development start to scale," said Lee. He added that the pace could accelerate as "eventually we'll be dealing not with state actors but with criminal actors who can now have profitability around targeting those systems."
The SolarWinds attack "has again put defenders' focus back on the supply chain," Claroty said in its report. The firm said organizations "need more scrutiny on their partners, contractors, vendors, and other entities with credentialed access to internal systems, or manufacturers of hardware and firmware they may be purchasing."
DOE's national laboratories are working on a "bill of materials" approach to securing vendor supply chains, according to Cheri Cady, senior advisor for cybersecurity and policy at the agency's Office of Cybersecurity, Energy Security and Emergency Response at Thursday's meeting.
DOE is working with the Department of Commerce on an "energy sector proof of concept," said Cady, to automate the generation and exchange of a bill of materials to "show the digital ingredients of what is in critical industrial control systems."
"It's really driving towards demonstrating bill of materials as an emerging standard ... that will help generate supply chain visibility at the subcomponent level that we have not heretofore been able to get to," said Cady.
Supply chain attacks are likely to continue, said Lee, with hackers compromising original equipment manufacturers (OEM) and vendors in order to gain access to utility systems. Visibility into equipment functions and components will be necessary to secure energy systems, but right now that is a weakness as security emphasis has traditionally been put on companies information and business networks.
"What we don't have and have never had, is that same insight into industrial control networks," said Lee.
Lee said hundreds of organizations witnessed "second stage" attacks related to SolarWinds, meaning hackers actually accessed compromised systems. Those included multiple OEMs, he said, with direct access to turbine control software.
Claroty's report concludes incidents like the SolarWinds attack "demonstrate the fragility of some perimeter-based defenses and the eventuality that these attacks will land on ICS and [supervisory control and data acquisition] equipment."
Research into ICS vulnerabilities continues, but according to Claroty "there are still many decades-old security issues yet uncovered." And for now, "attackers may have an edge in exploiting them, because defenders are often hamstrung by uptime requirements and an increasing need for detection capabilities against exploitable flaws that could lead to process interruption or manipulation."
There is some good news in Claroty's assessment of the ICS threat, however. Among factors for the swift increase in disclosed vulnerabilities last year is likely "heightened awareness" of the risks and "increased focus from researchers and vendors on identifying and remediating such vulnerabilities as effectively and efficiently as possible."