Yesterday I ran across an interesting
infographic on LinkedIn that was produced by Dragos. It provided
some provocative statistics about control system security advisories that were
published in 2017. I am not a big fan of infographics; I prefer to look at the
analysis that went into putting together the infographic. So, I asked for and
received a link
to the report from Dragos that actually includes the infographic.
I have generally been a fan of Dragos incident and
vulnerability reporting, but I am disappointed in this report. The infographic
has some tantalizing extracted information, but the full published report is
little more than a series of bullet points that describes the information from
the infographic. To tell the truth, I am not sure what came first, the
infographic or the report.
The important information in the report is really summarized
neatly by the two-paragraph introduction by Reid Wightman. Unfortunately, the
information supporting Reid’s comments is not very detailed and there is a
total lack of specific examples that explicate the points that Reid makes.
While I agree with Reid’s conclusions and almost all of the points raised in
the report, it is not because of the in-depth reporting in this document.
Rather I have seen what the report describes in my own perusal of ICS-CERT
vulnerability reporting over the last ten years or so.
My major question about the reporting here is about the
source of the data. According to the report the data is based upon the Dragos
analysis of “163 vulnerability advisories
with an industrial control system (ICS) impact” that Dragos
tracked in 2017. It is not clear if these were advisories produced by vendors
or ICS-CERT. I am hoping that ICS-CERT advisories were the basis for the
analysis, because those advisories at least have a commonality of terminology
and an attempt at consistency of data presented. Furthermore, the ICS-CERT
advisories for many vulnerabilities (particularly for the smaller vendors) are
apparently the only real report for a large number of the advisories published
by ICS-CERT.
If Dragos was relying on data from vendor vulnerability
reports (and this would have certainly been a more challenging analysis) then
they have failed to acknowledge the disparity in the reporting efficacy of the
different vendors. Major vendors (like Siemens, Rockwell, etc.) do a much more
complete job of reporting the kind of data that the Dragos report calls for.
They should be commended for the efforts that they do take to produce usable
(but still frequently flawed) vulnerability reports.
Two very important points are made in both the infographic
and the report and they both deserve widespread discussion. First, “85% of
2017 ICS-related vulnerabilities apply late in the kill chain and are not
useful to gaining an initial foothold. If these vulnerabilities are exploited,
it is likely the adversary has been active in the network for some time and
already pivoted through various other systems”. Second, “61% of 2017
ICS-related vulnerabilities cause both a loss of view and a loss of control –
likely causing severe operational impact”. What I would like to know is what
percentage of the vulnerabilities that could be useful to gain an initial
foothold could lead to a loss of view and/or control. That is the type of information
I was hoping to see in this Dragos report.
Do not get me wrong. Everyone in the ICS community should
look at the infographic (which should certainly be shared with management
outside of the immediate ICS environment) and read this report. Vendors should
certainly take the report's recommendations to heart. I just wish that there had
been a little more red meat here.