Nuclear power plants, hydroelectricity plants, oil and gas pipelines, transport systems (subway and high speed trains) and a great many other vital systems are managed through various computer technologies.
Industry systems’ security gained a great deal of interest after a series of incidents involving the computer viruses Flame and Stuxnet. This was the herald of the age of cyberwarfare. In Russia, there is another reason to consider the security of such systems: new requirements for controllers developed to improve industry systems safety.
To find proper security methods, it is necessary to understand what skills the attacker possesses and what method of attack is to be chosen. In order to answer these questions, the experts of Positive Technologies explored the ICS systems security (ICS/SCADA/PLC). The results are shown below.
Brief statements on the results of the analysis are as follows.
- For a period of several months in 2012 more SCADA vulnerabilities were discovered than for the previous year; the number of vulnerabilities continues to grow rapidly.
- Security problems are still detected in the most popular products; approximately 65% of these vulnerabilities are critical.
- The USA and Europe are the leaders in the number of SCADA vulnerabilities available through the Internet; 40% of such SCADA systems are vulnerable and can be attacked.
- Most security issues of SCADA systems available through the Internet are related to configuration errors (default passwords) and the lack of updates.
But let us relate everything in due order.
Need for SCADA Systems in Russia
One can imagine the approximate market share of different SCADA vendors after considering the need for specialists with experience in one or another system, protocol, technology or program. The HeadHunter.ru vacancies database was used as a base for analysis. Specialists with experience in dealing with Siemens solutions turned out to be most required. Among the most popular products, four out of six are products from Siemens SIMATIC :
- Step 7 — PLC automation systems (approx. 22.05%);
- WinCC and WinCC Flexible — development of the human machine interface (HMI) (18.11% and 3.94% respectively);
- SIMATIC PC S 7 — building of complex automation systems (7.87%).
The top five also includes InTouch HMI from Wonderware (12.6%) and the Genesis software package from Iconics (5.51%).
The most popular data transmission technologies are presented by Modbus (RTU и TCP/IP) and Profibus/Profinet, and Profibus/Profinet (33% each). Then goes OPC (25%).
Among operating systems used with SCADA, Microsoft Windows is far ahead of other systems; experience in working with this system can be found as a requirement in most job postings for this sphere. Knowledge of QNX and FreeRTOS is stated in an insignificant number of vacancies.
In the programmable logic controller segment (PLC), specialists in Siemens components are the most sought after (approx. 31%). Siemens is followed by Schneider Electric (11%), ABB (9%), Allen-Bradley (7%) and Emerson (5%).
Vulnerabilities are often published without the developers\’ approval, so we used data from different sources for our research, for example: vulnerability databases, vendors\’ notices, exploit packs, specialized conference reports, and articles published on specialized sites and blogs.
Interestingly enough, during the period from 2005 to early 2010, only 9 SCADA vulnerabilities were discovered; after the detection of Stuxnet and all the fuss about it, 64 vulnerabilities were discovered by the end of 2011. For the first 8 months of 2012, 98 new vulnerabilities were reported — more than during all the previous years.
The highest number of vulnerabilities for the reporting period (42) was discovered in the SCADA components developed by Siemens. Second place goes to Broadwin/Advantech (22 vulnerabilities), the third to Schneider Electric (18). As for the SCADA systems and information technologies in general, this state of things is due to the fact that the highest number of vulnerabilities is discovered in the most popular solutions. Moreover, some vendors have only recently started finding and fixing vulnerabilities in their products (Siemens ProductCERT).
Vulnerabilities According to the Type of Software and Hardware Components of SCADA
Such ICS components as SCADA and human machine interface (HMI) systems present a significant interest for attackers: 87 and 49 vulnerabilities were discovered, respectively, in these systems. The experts discovered 20 vulnerabilities in the programmable logic controllers of different vendors for the reporting period.
Types of Vulnerabilities
Almost a third of vulnerabilities (36%) are associated with buffer overflow. This defect in security allows the attacker not only to cause premature ending of a program, or freeze, (which leads to denial of service), but also to execute arbitrary code in the target system. The types of vulnerability which allow the attacker to execute code (Buffer Overflow, Remote Code Execution) make up 50% of all vulnerabilities. We should also consider the large number of problems in Authentication and Key Management — almost 23%.
Percentage of Fixed SCADA Vulnerabilities
Most security defects (81%) are fixed rather efficiently by the vendors of the SCADA component before the defects became widely known or within 30 days of uncoordinated disclosure. Approximately every fifth vulnerability is fixed with a significant delay, or was even not fixed in certain cases.
The percentage of fixed vulnerabilities gives a graphic presentation of how seriously information security issues are taken. For instance, Siemens fixed and released patches for 92% of vulnerabilities, while Schneider Electric fixed only 56% of security defects.
Availability of Information or Software for Conducting Attacks
If ready-to-use tools developed to exploit the vulnerability are available, or if information on the vulnerability is in the public domain, it is more possible that an attack will be conducted successfully. Currently, 35% of all known SCADA vulnerabilities have exploits that are available as single utilities, parts of penetration testing software or are described in security bulletins. The corresponding rate for other IT systems is several times lower.
The number of published vulnerabilities usually correlates with the number of published exploits. During the period from 2011 to September 2012, 50 exploits were published — 6 times as many as for the period from 2005 to 2010.
This rather low number of exploits published in 2012 is due to the following reasons:
- Regulation of mutual relations between the SCADA vendors and researchers; responsible disclosure policy is applied.
- There is a clear lag between the publication of vulnerability details and the publication of exploits (certain costs are incurred in developing exploitation tools).
Risk Levels of Detected Vulnerabilities
Almost 65% of vulnerabilities are of high (CVSS v. 2 Base Score is higher than 6.5) or critical (exploit is known) level.
If there are no methods to conduct an attack, the possibility that the system will be attacked is lower but is not ruled out. An attack against an industrial enterprise is conducted with the participation of high-level professionals who do not need exploit packs or other common tools.
Non-fixed Vulnerabilities in SCADA
In a case where an exploitation of the vulnerability already exists but no means of repair has been released, such a vulnerability provides the greatest risk, since an attacker does not need deep knowledge and a long-term preparation period. A schoolboy is able to cause a huge amount of damage. Thus, the SCADA products from Schneider Electriс are in the worst situation — 6 non-fixed vulnerabilities have been discovered. Second place goes to General Electric (3 vulnerabilities); in third place are Advantech/Broadwin and Rockwell Automation (one non-fixed vulnerability).
Popularity of SCADA Systems in the Internet
In order to understand to what extent the vulnerabilities described above can be used by an attacker, research in the global network has been carried out in relation to vulnerable SCADA systems. Passive analysis together with search engines (Google, Yahoo, Bing) and specialized databases such as Shodanhq and Every Routable IP Project were employed to search and check versions of the systems. The information obtained was analyzed from the point of view of vulnerabilities related to configuration management and updates installation.
Almost a third of the SCADA systems, the elements of which can be accessed from the Internet, are located in the USA (31.3%). Italy follows far behind (6.8%), and South Korea completes the top three (6.2%). Russia holds 12th place with 2.3%, and only 1.1% of the SCADA systems available through the global network are located in China.
These results are quite as expected, because the number of available systems directly depends on the degree of infrastructure automation.
Types of SCADA Systems
The global network contains a high proportion of various SCADA components including HMI, which account for 70% of all detected objects. Another 27% of the SCADA components are programmable logic controllers. Various other network devices used in the SCADA networks (Hardware) were detected in 3% of cases.
Types of Vulnerabilities
The most common security flaws are related to configuration errors (detected in 36% of cases). They include incorrect password policy (as well as the use of default passwords), access to sensitive information and erroneous restriction of user rights. A quarter of vulnerabilities are connected with the lack of the necessary security updates.
Percentage of Vulnerable SCADA Systems in Different Countries and Regions
The highest proportion of vulnerable SCADA systems available through the Internet is in Switzerland (100%). Second place is held by the Czech Republic (86%); third, Sweden (67%). 50% of the SCADA systems available through the Internet are vulnerable in Russia.
Europe pays the least attention to the issues of SCADA information security: 54% of industrial automation systems located in this region are vulnerable. Next comes South America (39%), and then Asia (32%), where insecure objects in Taiwan and South Korea are of the essence.