In its second annual review of vulnerabilities and threat group activity specific to industrial control systems (ICS), Dragos found that the majority of the public vulnerability advisories it tracked in 2018 were network-exploitable.
The Year in Review comprises three parts: the Industrial Control System Vulnerabilities Report; the ICS Activity Groups and the Threat Landscape Report; and, new this year, the Lessons Learned from Hunting and Responding to Industrial Intrusions Report, authored by Dragos co-founder and CEO Robert M. Lee.
Although 68% of the advisories covered network-exploitable vulnerabilities, only 28% of those network-exploitable advisories provided mitigation advice sufficient to take effective action, according to the report.
"There was a surprisingly high error rate among the advisories published by ICS-CERT," said Reid Wightman, senior vulnerability researcher. "I think there is a public perception that the organization fact-checks advisories, but either they don't do it or aren't doing it very well. It is great to see, though, that when vendors collaborate with researchers to disclose vulnerabilities, the error rate significantly decreases. I hope we see more of that in the future."
The second report noted that threat hunters have been tracking three new ICS activity groups since 2017 and have identified a growing trend of adversaries using open source or commercially available penetration testing tools to pivot from IT networks to ICS networks.
"ICS attacks are not 'bolts from the blue' but the culmination of steady infiltration, data gathering and capability testing. While 2018 may have been quiet in terms of operational impacts due to malware or network intrusions, what we're seeing instead may be that preliminary period necessary before attack delivery," said Joe Slowik, adversary hunter.
Part three of the collection found that in 37% of the incident response engagements to industrial intrusions, the initial intrusion vector dated back more than 365 days, meaning the adversary had been present for over a year before the response began.
"As the threat landscape changes and activity groups increasingly adopt techniques to evade traditional antivirus detection, identifying patterns in adversary behavior and malicious activity can help defenders find and eliminate threats," said Amy Bejtlich, senior adversary hunter.
"Cyber-threat intelligence helps augment this data collection and analysis and can help ICS entities best prioritize risk management and threat detection."