Cybersecurity is often more critical at the industrial control level than the infrastructure level. Photo courtesy of Traitov via Getty Images
While the vulnerability count for the food and agriculture industry is not at the same level as more critical manufacturing sectors, nevertheless, the significance is that out-of-control processes caused by an intruder can affect food quality and safety. Data source: Claroty Ltd.
Obviously, critical manufacturing, energy, water and wastewater and commercial facilities sectors—all designated as critical infrastructure—were the most affected by vulnerabilities disclosed in the 2H report. For example, the critical manufacturing sector saw 194 reported vulnerabilities; energy, 186; water and wastewater, 111; commercial facilities, 108; and transportation, 70. But, next in the running was food and agriculture with 70 vulnerabilities reported in the sector. See the above chart, “Vulnerability count by infrastructure sector.”
Opportunistic attackers went especially “low” throughout 2020, elevating extortion and ransomware attacks within their arsenals and targeting these critical industries including food. This dynamic created a race between attackers, researchers and defenders to find exploitable vulnerabilities, especially in industrial control/SCADA systems and operational technology (OT) protocols and networks.
"It is heartening to see a growing interest in ICS within the security research community, as we must shine a brighter light on these vulnerabilities in order to keep threats at arm’s length.”
While IT/OT integrated manufacturing networks are great for monitoring and improving processes, they’re also a perfect entryway for attackers. The Claroty report found that 72% of ICS vulnerabilities are exploited through a network attack vector (that is, they are remotely exploitable). Nearly half (46.32%) of vulnerabilities found affect the basic control (Level 1) and supervisory control (Level 2) levels of the Purdue Model of network hierarchy or configuration (see “The Purdue Reference Model" (simplified) below).
Level 5 Archives/file servers/enterprise network
Level 4 ERP/finance/messaging
Manufacturing zones: Device to Operations
Level 3 Operations management/historians —
Level 2 Supervisory controls: HMI, OI, client programs
Level 1 Controls: PLCs, RTUs, PACs, safety Ins. systems
Level 0 Sensors, actuators, drives, robots, etc.
Purdue Reference Model (simplified)
The Purdue Reference Model was originally developed by Theodore J. Williams with members of the Purdue University Consortium for computer integrated manufacturing. This greatly simplified diagram shows the basic manufacturing OT levels (0-3) and the IT levels at 4 and 5. Data flow can be upwards from the bottom or downwards from the top. However, for companies that wish to control OT equipment from the upper layers, care should be taken such that a minimal number of people have credentialed access to layers 0-3 from layer 4 or 5. Additional hardware protection and multiple factor logins should be required. Source: FE