The number of vulnerable ICS components grows every year. Nearly half of the vulnerabilities identified in 2015 are high-risk – and the majority of vulnerabilities were found in the products of the most well-known vendors. Widespread poor security practices, such as default passwords and dictionary-guessable passwords, make it easy for outsiders to access the systems and gain control.
These are the sobering conclusions of research by Positive Technologies, which analyzed data on ICS vulnerabilities from 2012 to 2015, as well as information on the Internet availability of ICS components in 2015. Below is a summary of the findings.
The source material consisted of publicly available information such as vulnerability databases (ICS-CERT, NVD, CVE, Siemens ProductCERT, Positive Research Center), vendors’ advisories, exploit databases and packs (www.exploit-db.com, http://www.rapid7.com/db/, etc.), conference presentations, and publications on blogs and industry sites. CVSSv2 was used to assess vulnerability severity.
To collect information on the online availability of ICS components, researchers scanned Internet-accessible ports using publicly accessible search engines: Google, Shodan, and Censys. Once collected, the data was subjected to additional analysis to determine a relationship to ICS equipment. Positive Technologies specialists created a database of ICS identifiers, consisting of approximately 800 entries that allow inferring the product and vendor from the banner.
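The banner-to-product step described above is the part of the method a defender can reproduce for their own address ranges. The following is an added illustration, not code from Positive Technologies or from the report: a small identifier table (a handful of hypothetical rules standing in for the ~800-entry database; the regexes, vendor and product names marked ExampleCo, ExamplePLC Inc and ExampleBMS are constructed) and a classifier that maps a port plus captured banner to a vendor and product, then tallies vendor share the way the report does. The scan records are constructed as well; only the port numbers (80/8080 HTTP, 1911/4911 Fox, 502 Modbus, 47808 BACnet) are the real defaults.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Match:
    vendor: str
    product: str

# Which ICS protocol a scanner records on a given port (real default ports).
PROTOCOL_BY_PORT = {80: "http", 8080: "http", 1911: "fox", 4911: "fox",
                    502: "modbus", 47808: "bacnet"}

# Constructed identifier table: (protocol, banner regex, vendor, product).
# Order matters: product-specific rules come before the generic Modbus rule,
# and the first matching rule wins. Names containing "Example" are hypothetical.
IDENTIFIERS = [
    ("http",   re.compile(r"^Server:\s*Niagara Web Server", re.M), "Tridium", "Niagara"),
    ("fox",    re.compile(r"^fox a \d+ -1 fox hello", re.M),       "Tridium", "Niagara Fox"),
    ("http",   re.compile(r"^Server:\s*ExampleHMI/[\d.]+", re.M),  "ExampleCo", "WebHMI"),
    ("bacnet", re.compile(r"^vendor_name:\s*ExampleBMS", re.M),    "ExampleBMS", "BACnet gateway"),
    # Generic rule: take vendor/product straight from a Modbus Read Device
    # Identification reply (constructed text form) when no specific rule hit.
    ("modbus", re.compile(r"^VendorName:\s*(?P<vendor>.+)$\n^ProductCode:\s*(?P<product>.+)$", re.M),
     None, None),
]

def classify(port: int, banner: str) -> Optional[Match]:
    """Return the inferred vendor/product for a banner, or None if it is not ICS."""
    proto = PROTOCOL_BY_PORT.get(port)
    if proto is None:
        return None                      # port not associated with an ICS protocol
    for rule_proto, pattern, vendor, product in IDENTIFIERS:
        if rule_proto != proto:
            continue
        m = pattern.search(banner)
        if m is None:
            continue
        groups = m.groupdict()
        return Match(vendor or groups["vendor"].strip(),
                     product or groups["product"].strip())
    return None                          # reachable service, but not a known ICS banner

# Constructed scan output (RFC 5737 test addresses); not real scan data.
SAMPLE_SCAN = [
    {"ip": "192.0.2.10", "port": 80,    "banner": "HTTP/1.1 200 OK\r\nServer: Niagara Web Server\r\n\r\n"},
    {"ip": "192.0.2.11", "port": 1911,  "banner": "fox a 0 -1 fox hello\n{\nfox.version=s:1.0\n}\n"},
    {"ip": "192.0.2.12", "port": 502,   "banner": "VendorName: ExamplePLC Inc\nProductCode: PLC-2000\nMajorMinorRevision: 1.4\n"},
    {"ip": "192.0.2.13", "port": 47808, "banner": "vendor_name: ExampleBMS\nobject_name: AHU-1\n"},
    {"ip": "192.0.2.14", "port": 80,    "banner": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"},
    {"ip": "192.0.2.15", "port": 22,    "banner": "SSH-2.0-OpenSSH_7.2\n"},
    {"ip": "192.0.2.16", "port": 8080,  "banner": "HTTP/1.0 200 OK\r\nServer: ExampleHMI/3.2\r\n\r\n"},
]

def summarize(records):
    """Count identified ICS components per vendor; also return how many records were not ICS."""
    per_vendor = Counter()
    unclassified = 0
    for rec in records:
        match = classify(rec["port"], rec["banner"])
        if match is None:
            unclassified += 1
        else:
            per_vendor[match.vendor] += 1
    return per_vendor, unclassified

if __name__ == "__main__":
    counts, unknown = summarize(SAMPLE_SCAN)
    total = sum(counts.values())
    for vendor, n in counts.most_common():
        print(f"{vendor:15s} {n:3d}  ({100 * n / total:.0f}%)")
    print(f"not identified as ICS: {unknown}")
```

The two non-ICS records (an ordinary nginx server and an SSH daemon) are the important case: a scan of an address range returns far more services than ICS components, and the identifier table is what separates the two, which is also why the report's counts depend on how complete that table is.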
In total, vulnerabilities in components from approximately 500 ICS vendors were considered. 743 vulnerabilities were found in all. In 2015, experts at Positive Technologies independently discovered 7 new vulnerabilities (2 of them high-risk) and notified the relevant vendors.
As noted in our previous report, SCADA Safety in Numbers, between 2009 and 2012 the number of discovered ICS vulnerabilities soared by over 20 times (from 9 to 192). In recent years (2012–2015), the number of vulnerabilities discovered each year has remained stable at approximately 200. This is the result of increased interest by vendors in addressing vulnerabilities and interacting with the security community.
The vendors of the most vulnerable ICS components, in terms of number of vulnerabilities found, are Siemens, Schneider Electric, and Advantech. However, these numbers paint only a partial picture: they depend on the prevalence of the product and on whether the vendor practices responsible disclosure. Therefore, these figures cannot be used to judge the degree of security of particular solutions from any particular vendor.
The largest number of vulnerabilities was identified in SCADA components and programmable logic controllers (PLCs), industrial network devices and engineering software, human–machine interfaces (HMIs), and remote access and management terminals. These results show little change from 2012.
Most vulnerabilities are of either high or medium risk (47% high, 47% medium). Looking at the degree of risk based on the feasibility of threats to confidentiality, integrity, and availability, over half of the vulnerabilities score as high-risk on the important availability metric. Threats to availability, combined with the possibility of remote exploitation and weak authentication mechanisms, substantially increase the risk of damaging ICS attacks.
Data on vulnerability fixes is not published systematically, so Positive Technologies researchers relied on information provided by the vendors themselves. Detailed information on the vulnerabilities already fixed by vendors is provided on the company website. 2015 data shows that only 14% of vulnerabilities were resolved within three months, while 34% waited over three months, and the remaining 52% either were never fixed or had no fix date given by the vendor.
However, published exploits are available for only 5% of known vulnerabilities. This is an improvement over 2012, when exploits could be found for 35% of vulnerabilities.
Most vulnerabilities fall into the categories of DoS, Remote Code Execution, and Buffer Overflow. Exploitation of these vulnerabilities by an intruder could cause equipment failure or unsanctioned operation of the equipment, which is equally undesirable given the reliability requirements and sensitivity of ICS components.
As of March 2016, 158,087 ICS components were available online. Most of these components were accessible via HTTP, Fox, Modbus, and BACnet, and in most cases, a dictionary password was used for authentication.
The largest numbers of Internet-available ICS components were found in the USA (43%), Germany (12%), and France, Italy, and Canada (approximately 5% each). The low number of ICS components found in Asia is due to the use of local solutions that are little known outside of their home markets. Russia placed 31st, with 600 available components (less than 1% of the total).
The largest vendors of the found Internet-available ICS components are Honeywell (17%), SMA Solar Technology (11%), and Beck IPC (7%). Among Internet-available components, the most common are building automation systems from Tridium, a Honeywell company (25,264), and energy management systems, including photovoltaics from SMA Solar Technology (17,275).
Positive Technologies researchers were also able to “find” automated control systems responsible for manufacturing processes, transportation, and water supply. In many cases, intruders would not even need any special knowledge to gain access. Of the ICS components found online, only two thirds can be reasonably described as secure.
These results suggest that ICS security from cyberattacks in 2016 is still deficient. Even basic security hygiene – such as use of complex passwords and disconnecting ICS components from the Internet – goes a long way toward preventing attacks with potentially enormous consequences.
Full text of the “Security Trends and Vulnerabilities Review. Industrial Control Systems” report is available at www.ptsecurity.com/library/whitepapers/