I was reading Dragos' report on ICS/OT exploits. I found it insightful, so I decided to share some key points that I find useful. This article uses technical terms and acronyms.
- There are 600 public exploits
- Those exploits minimize the effort and skill required for an attacker to conduct an attack (script kiddies); in other words, they make attacking an ICS/OT network easier.
- 10% of these vulnerabilities/exploits are used in the wild and are tracked by Dragos. What happens to the rest?
- The majority of exploits are written in Python or Ruby.
- Some exploits/vulnerabilities are still being used by attackers, such as CVE-2007-6483, which has been in use since 2007 to date. The reason may be that many asset owners are not patching or improving protection against this vulnerability.
- The years 2020 and 2021 have a very low availability of public exploits.
- The zero-day/exploit market is possibly controlling the release of exploits to the public.
- The pros and cons of such market behaviour: pro: less hacking on ICS/OT; con: no security against vulnerabilities/attacks.
- No bounty programs are available for ICS/OT yet.
- Vendors should rely on proof-of-concept (PoC) exploits and low-skill attacks to improve their security.
- Only 100 vendors were affected by exploits; 7 of them account for 40% of exploits. They are Siemens, Schneider Electric, Rockwell Automation, Moxa, Microsoft, Allen-Bradley, and Advantech.
- The affected ICS/OT networks are not necessarily hit through ICS/OT devices or systems; the exploits/vulnerabilities could target another system in the network (a VPN or a router) that affects ICS/OT processes as a consequence.
- The most affected Purdue model layers are level 2 and 3.
- The common attacks are RCE and DoS. They are mostly achieved through memory corruption or command injection.
- Attacks with a medium or high access complexity (AC) score, such as XSS/CSRF, are classified as useless, because they require the attacker to perform a MITM attack or trick a user into clicking a link.
- There are 250 exploit authors.
- 50% of authors are unaffiliated.
- 50% of authors come from Talos, Rapid7 and Tenable.
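One of the items above names command injection as a main route to RCE. The following Python example is added here and is not from the Dragos report or from any vendor's code; it shows the vulnerable pattern (untrusted input interpolated into a shell string) beside a hardened version (input validated and passed as a single argv element, no shell). The "ping a host" feature, the hostname pattern and the inputs are constructed for illustration, and `echo` stands in for `ping` so the block runs offline.

```python
import re
import subprocess

# Added example (not from the Dragos report): the same "ping a host" helper
# written two ways. The first builds a shell command string from untrusted
# input, which is the pattern behind command-injection RCE; the second
# validates the input and passes it as one argv element with no shell.
# `echo` stands in for `ping` so the example runs offline.

# Assumption: the feature only ever needs plain hostnames or IPv4 literals,
# so letters, digits, dots and hyphens are the whole allowed alphabet.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def is_safe_host(host: str) -> bool:
    """True if `host` matches the allow-list pattern, False otherwise."""
    return HOST_RE.fullmatch(host) is not None


def validate_host(host: str) -> str:
    """Reject anything that is not a plain hostname or IPv4 literal."""
    if not is_safe_host(host):
        raise ValueError(f"invalid host: {host!r}")
    return host


def run_vulnerable(host: str) -> str:
    """Untrusted input interpolated into a shell string (the bug)."""
    # shell=True hands the whole string to /bin/sh, so shell metacharacters
    # in `host` (; | && $()) become additional commands.
    result = subprocess.run(f"echo {host}", shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout


def run_hardened(host: str) -> str:
    """Validated input passed as one argv element; no shell is involved."""
    argv = ["echo", validate_host(host)]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    benign = "plc-01.example"
    # Constructed hostile input: a second command appended after ';'.
    hostile = "10.0.0.1; echo INJECTED"
    print("vulnerable, benign :", repr(run_vulnerable(benign)))
    print("vulnerable, hostile:", repr(run_vulnerable(hostile)))  # two lines: injection ran
    print("hardened,   benign :", repr(run_hardened(benign)))
    try:
        run_hardened(hostile)
    except ValueError as exc:
        print("hardened,   hostile:", exc)
```

The hardened version relies on two independent controls: the allow-list regex rejects the hostile string outright, and even if validation were bypassed, the argv form would pass the whole string to `echo` as one argument instead of letting `/bin/sh` parse it. Both are worth keeping; the argv form is the one that removes the injection class entirely.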
My reflection on these findings can be summed up as follows: there are possibly other vulnerabilities/exploits that are exploited in the wild but have not yet been discovered by Dragos and the cyber security community. Also, according to Dragos, some exploits were not counted in this study for many reasons. Why has Dragos not attempted to include all sorts of exploits? The same applies to other authors. Dragos explained their methodology for choosing exploits and their data ("affiliation-based"); they admit that this is an imperfect approach. In any case, I appreciate their good effort. Is it true that 0-day/exploit brokers are controlling the release of exploits to the public, leading to the decline of public exploits, or are there other factors, such as the steady saturation of easy-to-find vulnerabilities in ICS/OT? Or could it be the pandemic that caused this in 2020 and 2021? Let's suppose that the exploit market is controlled. Is it ethical? We saw that there are advantages to this, but this 0-day/exploit market needs more examination. The decline of exploits in 2020 and 2021 needs to be researched and examined. Also, the relationship between exploit supply and real-world exploitation needs to be studied using other factors.