An In-Depth Look at ICS Vulnerabilities Part 2
This chart shows CVEs affecting Critical Manufacturing that were identified in 2021 advisories and that might be used to accomplish tactics from the MITRE ATT&CK framework, for ease of reading. Names and definitions of tactics are directly referenced from the MITRE ATT&CK framework.
Six hundred and thirteen CVEs identified in advisories in 2021 are likely to affect Critical Manufacturing environments. Of these, 88.8% might be leveraged by attackers to create an Impact (to directly or indirectly cause varying degrees of disruption to ICS equipment and the environment).
For ICS environments, Impact is a critical concern that includes damage or disruption to finances, safety, human lives, the environment, and equipment. If we compare Impact on operational technology (OT) with Impact on information technology (IT), potential Impact from an IT incident is not nearly so broad and is more limited to how the attackers can affect data.
Sixty-four point four percent of those 613 CVEs can be exploited to accomplish Initial Access. This underscores that getting the door open is a major point of interest and surprisingly easy to accomplish in unsecured systems.
Additionally, vulnerabilities that can be exploited to Inhibit Response Function are quite common at 81.9%. Techniques for accomplishing this include disrupting functionalities related to safety, protection, quality control, and operator intervention. This is one commonly found way attackers can leverage a single point of failure to cause serious damage or break the whole system.
Impact can be accomplished with 88.8% of the Critical Manufacturing-affecting CVEs identified in 2021 advisories.
It’s important to note that when IT is under attack, OT will also take collateral damage. In the Colonial Pipeline incident, their IT infrastructure was attacked by the DarkSide ransomware. Collateral damage forced them to shut down their entire pipeline operation, and the effects on their operational technology began in their IT system.
For ICS operations, Impact can have far-reaching “ripple” effects that spread outward from the point of incident.
In part three, our series wrap-up, we’ll continue to dig deeper and evaluate CVEs that affect critical manufacturing based on MITRE’s matrix. We’ll also explore common ICS-affecting vulnerabilities identified in 2021.