Industrial control system security in 2014: trends and vulnerabilities

In recent years, industrial control systems (ICS) have become a popular target for malicious users and cyber criminals. The Stuxnet (2010) and Flame (2012) worms were succeeded in 2014 by more complex malware and more sophisticated attack schemes. For example, attackers spread the Havex Trojan horse by injecting malicious code into SCADA software hosted on vendors’ websites. This trojanized software was then downloaded into factories, giving the attackers administrative access to industrial control systems in several European countries.

In 2012, specialists from Positive Technologies published a research paper entitled “SCADA Safety in Numbers”. The current report is an update on that paper through 2015. Key trends in ICS security are listed below:

(1) Openness

Many ICSs are found within production, transportation, and water and energy supply systems and can be located on the Internet using publicly available search engines. In January 2015, researchers from Positive Technologies discovered more than 140,000 different ICS components this way. Moreover, the end users of these systems are often unaware that the components are exposed. We discovered flaws in kiosk mode, cloud services, sensors, physical ports, and industrial Wi-Fi, none of which would normally be considered a common attack vector.

(2) One Key for Too Many Locks

A large increase in ICS deployments, combined with a limited number of software vendors, has resulted in the same SCADA platforms being used for critical facilities in different industries. This replication allows attackers to reuse one attack across many pieces of critical infrastructure. For example, our specialists discovered vulnerabilities in the control systems of the Large Hadron Collider, several European airports, nuclear power plants in Iran, the largest pipelines and water supply systems across several countries, and trains and chemical plants in Russia. An attacker able to fully capitalize on these vulnerabilities could attack a wide range of systems all over the world.

(3) Malware Is Updated More Often Than Protection

Complicated ICS structures and the requirement for process continuity, which allows no downtime on equipment, result in basic ICS elements (industrial protocols, OS, DBMS) becoming outdated and unpatched. Bugs remain unfixed for years, while at the same time the development of automated tools significantly accelerates hacking activity. In the course of the Critical Infrastructure Attack contest at the PHDays IV forum in 2014, several up-to-date SCADA platforms used in real industries were hacked in just two days.

(4) Crazy House instead of Smart Home

The term Industrial Control System (ICS) appeared in the 1980s, when automated systems and production units were mainly found in large manufacturing industries. Reductions in cost and size then allowed computerized devices to be adapted to other fields such as building maintenance, monitoring, and power distribution. However, neither vendors nor users normally consider the security of these devices, and our research demonstrates that many of them can be accessed via the Internet.

Research Method

Information about vulnerabilities was compiled from vulnerability databases (ICS-CERT, NVD/CVE, SCADA Strangelove, Siemens Product CERT, etc.), penetration testing software (SAINTexploit, Metasploit Framework, Immunity Canvas, etc.), vendors’ advisories, scientific white papers, and posts on dedicated websites.

The severity of the vulnerabilities was graded using CVSS version 2. It should be noted that a limiting factor in this research is the availability of information about each vulnerability, which depends on corporate disclosure policies. It is possible that the state of ICS security is significantly worse than the figures presented in this report suggest.

Information on ICS systems reachable via the web was obtained by passive methods using publicly available search engines (Shodan, Project Sonar, Google, Bing) and by port scanning. The data was analyzed using a fingerprint database of 740 records, which allowed the researchers to identify the product vendor and version from the service banner. Most fingerprints related to the SNMP (240) and HTTP (113) protocols, but about one third related to various industrial protocols (Modbus, DNP3, S7, etc.).
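The banner-matching step described above, written out as an added example for inventorying an organization's own Internet-facing ICS components; this is not the report's fingerprint database or Positive Technologies' code. The rules, vendor names, banners and host addresses are all constructed for illustration: each rule is scoped to the protocol the banner came from, captures a version where one is present, and anything no rule recognizes is counted as unidentified (the situation the report notes for locally produced systems).

```python
"""Protocol-scoped banner fingerprinting for an ICS asset inventory.

Added example. The rules and the sample scan output below are constructed
for illustration; they are not the report's 740-record database.
"""
import re
from collections import Counter

# (protocol, regex, vendor, category). Vendor names and banner formats are
# made up for this example; a real database carries one rule per product.
RULES = [
    ("http",   re.compile(r"^Server: AcmeWebHMI/(?P<version>[\d.]+)"),                  "Acme",   "HMI/SCADA"),
    ("snmp",   re.compile(r"^Acme RTU-(?P<model>\d+) fw (?P<version>[\d.]+)"),           "Acme",   "PLC/RTU"),
    ("snmp",   re.compile(r"^Boreal Inverter Gateway v(?P<version>[\d.]+)"),             "Boreal", "Inverter monitoring"),
    ("modbus", re.compile(r"VendorName=Acme;ProductCode=(?P<model>\w+);Revision=(?P<version>[\w.]+)"), "Acme", "PLC/RTU"),
    ("snmp",   re.compile(r"^CirrusOS Software, Version (?P<version>[\d.()A-Z]+)"),      "Cirrus", "Network device"),
]


def fingerprint(protocol, banner):
    """Return vendor/category/version/model for the first rule of this
    protocol that matches the banner, or None if nothing matches."""
    for proto, regex, vendor, category in RULES:
        if proto != protocol:
            continue                       # an HTTP rule never fires on an SNMP banner
        match = regex.search(banner)
        if match:
            groups = match.groupdict()
            return {"vendor": vendor, "category": category,
                    "version": groups.get("version"), "model": groups.get("model")}
    return None


def inventory(observations):
    """observations: (host, protocol, banner) tuples, e.g. parsed from a scan
    of the organization's own address space. Returns (counts by category,
    number of banners no rule recognized)."""
    by_category = Counter()
    unidentified = 0
    for _host, protocol, banner in observations:
        hit = fingerprint(protocol, banner)
        if hit is None:
            unidentified += 1
        else:
            by_category[hit["category"]] += 1
    return by_category, unidentified


# Constructed sample scan output; hosts are RFC 5737 documentation addresses.
SAMPLE = [
    ("192.0.2.10", "snmp",   "Acme RTU-300 fw 2.4.1"),
    ("192.0.2.11", "modbus", "VendorName=Acme;ProductCode=PLC500;Revision=v1.8"),
    ("192.0.2.12", "http",   "Server: AcmeWebHMI/3.0.2"),
    ("192.0.2.13", "snmp",   "Boreal Inverter Gateway v5.11"),
    ("192.0.2.14", "snmp",   "CirrusOS Software, Version 15.2(4)M"),
    ("192.0.2.15", "snmp",   "Linux localhost 4.4.0 #1 SMP"),  # generic OS banner, no ICS rule matches
]

if __name__ == "__main__":
    for host, proto, banner in SAMPLE:
        print(host, proto, fingerprint(proto, banner))
    categories, unknown = inventory(SAMPLE)
    print("by category:", dict(categories), "| unidentified:", unknown)
```

Scoping each rule to its protocol is what keeps the vendor/version attribution trustworthy: the same product string can appear in an HTTP title and an SNMP sysDescr with different version formats, and a rule written for one would mis-parse the other. The unidentified count is worth tracking on its own, since a device you cannot classify is still an exposed device.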

Number of Vulnerabilities

The research revealed 691 vulnerabilities in ICS components. This represents a significant increase since 2009, including a 20-fold jump between 2010 and 2012, from just nine to 192.

ICS Vulnerabilities by Year

Vulnerability Assessment

The severity levels of the vulnerabilities in 2014 are consistent with those in 2012: most vulnerabilities have “High” (58%) or “Medium” (39%) severity.

In terms of the CVSS score metrics, more than half of the vulnerabilities have low Access Complexity, and many can be exploited remotely, which makes attacks easier.

As information on vulnerability patching is not publicly disclosed, the data for this research was obtained by Positive Technologies’ specialists directly from vendors. The situation is worse in 2014 than in 2012, when most vulnerabilities (around 81%) were fixed quickly by vendors, either before they could be exploited or within 30 days of public disclosure. As of Q1 2015, only 14% of vulnerabilities were fixed within three months, 34% remained unpatched for more than three months, and the remaining 52% were still unpatched, or the vendor had provided no information on a fix, at the time of publication.

ICS Patching

Vulnerabilities by Vendor

The vendors with the most vulnerabilities are as follows: Siemens (124 vulnerabilities), Schneider Electric including Invensys after its acquisition (96 vulnerabilities), Advantech (51 vulnerabilities), and General Electric (31 vulnerabilities). However, the list of vulnerable products is far more extensive. The diagram below shows the top list of “vulnerable” vendors; the other 88 vendors are grouped under “Others,” which accounts for a large percentage of the overall vulnerabilities.

ICS Vulnerabilities by Vendor (by severity)

Geography of ICS Accessibility and Exploitability

Our research uncovered a total of 146,137 ICS components that can be accessed via the web. The most common are Tridium (Honeywell) building automation systems, and power monitoring and control systems including SMA Solar Technology systems for solar power management. The most accessible components are PLCs/RTUs, followed by systems for inverter monitoring and control, and network devices and HMI/SCADA components.

More technologically advanced countries have higher levels of automation, so the number of industrial systems exposed to the Internet is also high in these countries. Unsurprisingly, the most exposed systems are in the USA (33%) and Germany (19%). On the whole, Europe showed significant growth in the accessibility of industrial systems through the web. By contrast, Asia hosts many locally produced systems which, unlike the well-known ICS components, sometimes cannot be identified.

ICS Accessibility by Country

Further analysis of the exposed ICS components reveals more than 15,000 vulnerable components. Most are located in the USA, followed by France, Italy, and Germany, mapping closely with overall prevalence. It should be noted that while the most common components exposed to the Internet contain fewer vulnerabilities, more than 10% of exposed ICSs are vulnerable.

Geography of Vulnerable ICS Components

The full version of this research, by PT experts Evgeny Druzhinin, Ilya Karpov, Alexander Timorin, Sergey Gordeychik and Gleb Gritsay, will be published later on the Positive Research site: www.ptsecurity.com/research/
