Industrial security 2023 in numbers
INCIBE-CERT has continued working throughout 2023 on its early warning and cybersecurity alert services, specifically its ICS advisories, which publish warnings related to Industrial Control Systems and the Industrial Internet of Things (IIoT). This service was created eight years ago to give companies in the industrial sector a place to consult information on the most recent vulnerabilities affecting their devices, so that they can apply the appropriate mitigations, whether provided by the manufacturers of the affected products or taken from good-practice documentation on device configuration, network segmentation and similar measures.
This information, in addition to being available on the web and through social media, can be received via a newsletter through which users are informed of all vulnerabilities affecting devices, software and other products from industrial manufacturers.
In addition to this daily publication of the early warning and alert system for Industrial Control Systems, INCIBE, through INCIBE-CERT, has continued to raise awareness of cybersecurity for this type of system, publishing specific content on the blog as well as guides and studies.
- Number of advisories published per month during 2023. -
A look at the work carried out throughout 2023 shows the publication of 317 advisories related to the industrial sector, covering everything from IoT devices to more traditional industrial equipment, as well as advisories on applications (desktop, web, mobile, etc.), communication elements in this environment and other topics. It is important to note that a single advisory can cover several vulnerabilities, as we will see below, but only advisories are counted in this graph.
The steady rate of publication could be due to continuous reporting by industrial cybersecurity researchers and to increased awareness of this area among industrial companies.
Classification by sector
With respect to the sectors involved, advisories have affected almost all the strategic sectors defined in the Critical Infrastructure Protection Act (Law 8/2011), as shown in the following graph.
- Evolution of advisories by sector. The energy sector, as in previous years, is the most affected (excluding 'other industry', which is not a sector per se). -
As in previous years, most of the published advisories relate to multi-purpose devices. This means that a single advisory, in addition to covering several vulnerabilities, can affect several sectors, which is why 'other industry' is the most numerous category.
Similarly, it is important to note that the sectors with the most advisories are not necessarily the most insecure, since other factors come into play, such as the number of devices, manufacturers and processes used daily in each sector. For example, the energy sector is the most affected because practically all of its processes are in constant use, and other sectors often depend on it to provide their own services.
Nature of the advisories
The vulnerabilities analysed in each advisory are catalogued according to the weakness types described in the CWE (Common Weakness Enumeration) list. This list covers practically every class of weakness that can affect an asset, with a brief description of each. Note that a CWE identifies a class of weakness, whereas a CVE identifies a specific vulnerability in a specific product, so one advisory can map several CVEs to the same CWE.
The most prominent weakness types affecting industrial devices in 2023 are:
- Nature of vulnerabilities 2023 (top 10). Note that a single advisory can be related to several vulnerabilities. -
This year, the most common weaknesses include improper input validation (CWE-20), improper authentication (CWE-287) and Cross-Site Scripting (CWE-79), which highlights the need to follow good practices during industrial software development. Many of these weaknesses are inherited from the IT world, where secure-development guidance and known fixes already exist, so industrial developers can reuse those examples to avoid repeating the same mistakes.
Also, as in previous years, out-of-bounds reads (CWE-125) and uncontrolled resource consumption (CWE-400) remain very much present. Both can let an attacker stop the software or device from functioning, at least temporarily, and an out-of-bounds read can additionally disclose memory contents that were never meant to leave the device.
Another aspect to consider when examining the graph is the weight of vulnerabilities in web services. Today, many devices integrated into industrial networks embed a web server that gives the operator a more intuitive interface and allows actions to be performed that may be critical to the correct operation of the process in which the device participates. That web interface is therefore part of the device's attack surface, and access to it should be restricted through the network segmentation mentioned above rather than relying solely on the embedded application being free of defects.
Vendors
The list of manufacturers with the most advisories changes little from previous years. The major leaders in Industrial Control Systems products continue to be the most exposed and, therefore, the ones about which most advisories are published.
- Number of advisories published by manufacturer. -
At the top, Rockwell Automation and Mitsubishi Electric occupy the first two positions with 20 and 15 advisories respectively, followed by ABB and Siemens with 12 each. These are closely followed by several other manufacturers; in total, seven manufacturers have more than ten advisories.
A large number of advisories for a manufacturer does not mean that it is the most vulnerable. It may instead reflect greater investment in security research, or the fact that many independent researchers have access to devices from its multiple product families because they are the most widespread.
Criticality rating
The classification of the 2023 advisories by criticality is very similar to that presented in previous years' summaries, with the difference that INCIBE-CERT has focused exclusively on advisories of medium, high and critical severity, mainly because vulnerabilities of these severities can be very harmful to companies. This reminds us once again that the protection of control systems needs to be reinforced, since the vulnerabilities reported in them can cause major disruption to the company and serious consequences in the production process.
- Classification of advisories by criticality. -
INCIBE as CNA
Throughout the year, INCIBE, in its role as CVE Numbering Authority (CNA) for the assignment and publication of CVE identifiers, coordinated and published a total of 164 CVEs from 68 manufacturers, corresponding to 71 advisories.
In turn, the most common types of reported vulnerabilities, by CWE, are as follows:
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').
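The weakness classes singled out in this summary (improper input validation and Cross-Site Scripting in the 2023 top 10, CWE-79 and CWE-89 in INCIBE's CNA output) tend to appear together in the embedded web interfaces described in the previous section. The following is an added example, not INCIBE-CERT's code nor that of any real vendor: a hypothetical device web handler that reads a process tag value, first written with all three weaknesses and then hardened. The tag and user tables, the `tag` parameter name, the tag naming convention and the payloads are all constructed for illustration, and SQLite stands in for whatever store a real device would use.

```python
"""
Added example, not INCIBE-CERT code. A minimal request handler for a
hypothetical industrial device web interface, shown with improper input
validation, SQL injection (CWE-89) and cross-site scripting (CWE-79),
and then hardened. Tables, parameter names and payloads are constructed.
"""
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a device's tag/historian store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (name TEXT PRIMARY KEY, value REAL)")
    conn.executemany("INSERT INTO tags VALUES (?, ?)",
                     [("PUMP1_SPEED", 1450.0), ("TANK1_LEVEL", 72.5)])
    # A second table the web handler was never meant to expose.
    conn.execute("CREATE TABLE users (user TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('operator', 'x')")
    return conn


# --- Vulnerable handler: the 'tag' query parameter flows straight into SQL and HTML ---
def read_tag_vulnerable(conn: sqlite3.Connection, tag: str) -> str:
    sql = f"SELECT value FROM tags WHERE name = '{tag}'"      # CWE-89: string-built SQL
    rows = conn.execute(sql).fetchall()
    value = rows[0][0] if rows else "n/a"
    return f"<p>Tag {tag}: {value}</p>"                        # CWE-79: unescaped echo


# --- Hardened handler ---
# Allow-list for tag identifiers (assumed naming convention for this device).
# Bounding the length also stops oversized input from being processed at all.
TAG_NAME = re.compile(r"[A-Z][A-Z0-9_]{0,31}")


class BadRequest(ValueError):
    """Raised instead of rendering anything when input fails validation."""


def read_tag_hardened(conn: sqlite3.Connection, tag: str) -> str:
    if TAG_NAME.fullmatch(tag) is None:                      # input validation before use
        raise BadRequest("invalid tag name")
    row = conn.execute("SELECT value FROM tags WHERE name = ?", (tag,)).fetchone()  # parameterised
    value = row[0] if row else "n/a"
    return f"<p>Tag {html.escape(tag)}: {html.escape(str(value))}</p>"  # escaped on output


# Constructed payloads of the kind a researcher would send to the device web UI.
SQLI_PAYLOAD = "' UNION SELECT pw_hash FROM users--"
XSS_PAYLOAD = "<script>alert(1)</script>"


def run_demo() -> dict:
    """Exercise both handlers with a benign tag and the two payloads."""
    conn = make_db()
    results = {
        "vuln_benign": read_tag_vulnerable(conn, "PUMP1_SPEED"),
        "vuln_sqli": read_tag_vulnerable(conn, SQLI_PAYLOAD),   # leaks users.pw_hash
        "vuln_xss": read_tag_vulnerable(conn, XSS_PAYLOAD),     # reflects the script tag
        "hard_benign": read_tag_hardened(conn, "PUMP1_SPEED"),
    }
    for name, payload in (("hard_sqli", SQLI_PAYLOAD), ("hard_xss", XSS_PAYLOAD)):
        try:
            results[name] = read_tag_hardened(conn, payload)
        except BadRequest as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, rendered in run_demo().items():
        print(f"{key:12} {rendered}")
```

The hardened version applies three independent controls: the allow-list rejects anything that is not a plausible tag name (and bounds its length), the parameterised query keeps the remaining input out of the SQL grammar, and output escaping keeps it out of the HTML grammar. Dropping any one of them reintroduces the corresponding weakness, which is why the advisories in the graph above keep listing them separately.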
With regard to CVEs coordinated together with the CNAs operating under INCIBE as Root CNA (ZGR, Artica PFMS, Alias Robotics and KrakenD), a total of 24 CVEs were published during the year among the four of them.
Conclusion
In summary, 2023 has continued the trend of previous years: the number of vulnerabilities detected and advisories issued has grown, the criticality of the vulnerabilities found has not varied much, and the large industrial manufacturers continue to lead in terms of the number of advisories issued.
However, 2023 has also left some aspects to consider that could be relevant in the future. Although large industrial manufacturers lead in the publication of advisories, smaller manufacturers are beginning to follow in their footsteps, as can be seen in the growth in the number of advisories under 'Others' in Illustration 4 (Number of advisories published by manufacturer).