October 12, 2015

Industrial control system security in 2014: trends and vulnerabilities


In recent years, industrial control systems (ICS) have become a popular target for malicious users and cyber criminals. The Stuxnet (2010) and Flame (2012) worms were succeeded in 2014 by more complex malware and more sophisticated attack schemes. For example, attackers spread the Havex Trojan by injecting malicious code into SCADA software hosted on vendors' websites. This trojanized software was then downloaded into factories, giving the attackers administrative access to industrial control systems in several European countries.

In 2012, specialists from Positive Technologies published a research paper entitled "SCADA Safety in Numbers". The current report updates that paper with data through 2015. Key trends in ICS security are listed below:

(1) Openness 

Many ICSs are found within production, transportation, and water and energy supply systems and can be located on the Internet using publicly available search engines. In January 2015, researchers from Positive Technologies discovered more than 140,000 different ICS components this way. Moreover, the end users of these systems are often unaware that their components are exposed. We discovered flaws in kiosk mode, cloud services, sensors, physical ports, and industrial Wi-Fi, none of which would normally be considered a common attack vector.

(2) One Key for Too Many Locks 

A large increase in ICS implementation combined with a limited number of software vendors has resulted in the use of similar SCADA platforms for critical objects in different industries. This replication allows hackers to deploy similar attacks across critical infrastructure. For example, our specialists discovered vulnerabilities in control systems of the Large Hadron Collider, several European airports, nuclear power plants in Iran, the largest pipelines and water supply systems across several countries, and trains and chemical plants in Russia. If a hacker could fully capitalize on these vulnerabilities, they could attack various systems all over the world.

(3) Malware Is Updated More Often Than Protection 

Complex ICS architectures and the requirement for process continuity, which allows no downtime on equipment, result in basic ICS elements (industrial protocols, OS, DBMS) becoming outdated and unpatched. Bugs remain unfixed for years, while at the same time the development of automated tools significantly accelerates attackers' work. During the Critical Infrastructure Attack contest at the PHDays IV forum in 2014, several up-to-date SCADA platforms used in real industries were hacked in just two days.

(4) Crazy House instead of Smart Home

The term Industrial Control System (ICS) appeared in the 1980s, when automated systems and production units were mainly found in large manufacturing industries. Reductions in cost and size allowed computerized devices to be adapted to other fields such as building maintenance, monitoring, and power distribution. However, neither vendors nor users normally consider their security, and our research demonstrates that many of these devices can be accessed via the Internet.

Research Method

Information about vulnerabilities was compiled from vulnerability databases (ICS-CERT, NVD/CVE, SCADA Strangelove, Siemens Product CERT, etc.), penetration testing software (SAINTexploit, Metasploit Framework, Immunity Canvas, etc.), vendors' advisories, scientific white papers, and posts on dedicated websites.

The severity of the vulnerabilities was graded using CVSS version 2. It should be noted that a limiting factor in this research is the availability of information about each vulnerability, which depends on corporate disclosure policies. It is possible that the state of ICS security is significantly worse than the figures presented in this report suggest.

Information on access to ICS systems via the web was obtained by passive methods, using publicly available search engines (Shodan, Project Sonar, Google, Bing) and port scanning. The data was analyzed using a fingerprint database of 740 records, which allowed researchers to identify the product vendor and version from the banner. Most fingerprints related to the SNMP (240) and HTTP (113) protocols, but about one third related to various industrial protocols (Modbus, DNP3, S7, etc.).

Number of Vulnerabilities

The research revealed 691 vulnerabilities in ICS components. This represents a significant increase since 2009, including a 20-fold increase between 2010 and 2012, from just nine to 192.



ICS Vulnerabilities by Year

Vulnerability Assessment

The severity levels of the vulnerabilities in 2014 are consistent with those in 2012, as most vulnerabilities have "High" (58%) or "Medium" (39%) severity.

In terms of the CVSS score metrics, more than half of the vulnerabilities have low Access Complexity, and many can be exploited remotely, which makes attacks easier.

As information on vulnerability patching is not publicly disclosed, the data for this research was obtained by Positive Technologies' specialists directly from vendors. The situation is worse in 2014 than in 2012, when most vulnerabilities (around 81%) were fixed quickly by vendors, either before they could be exploited or within 30 days of public disclosure. As of Q1 2015, only 14% of vulnerabilities were fixed within three months, 34% remained unpatched for more than three months, and the remaining 52% were still unpatched, or the vendor had provided no information on fixes, at the time of publication.



ICS Patching

Vulnerabilities by Vendor 

The vendors with the most vulnerabilities are as follows: Siemens (124 vulnerabilities), Schneider Electric, including Invensys after its acquisition (96 vulnerabilities), Advantech (51 vulnerabilities), and General Electric (31 vulnerabilities). However, the list of vulnerable products is far more extensive. The diagram below shows the top "vulnerable" vendors; the other 88 vendors are grouped under "Others", which accounts for a large share of the overall vulnerabilities.


ICS Vulnerabilities by Vendor (by severity)

Geography of ICS Accessibility and Exploitability 

Our research uncovered a total of 146,137 ICS components accessible via the web. The most common are Tridium (Honeywell) building automation systems, and power monitoring and control systems, including SMA Solar Technology systems for solar power management. The most accessible component types are PLCs/RTUs, followed by inverter monitoring and control systems, network devices, and HMI/SCADA components.

More technologically advanced countries have higher levels of automation, so the number of industrial systems exposed to the Internet is also high in these countries. Unsurprisingly, the most exposed systems are in the USA (33%) and Germany (a significant 19%). On the whole, Europe showed significant growth in the accessibility of industrial systems through the web. By contrast, Asia mostly hosts local systems rather than the well-known ICS components, and these sometimes cannot be identified.


ICS Accessibility by Country

Further analysis of the exposed ICS components reveals more than 15,000 vulnerable components. Most of these are located in the USA, followed by France, Italy, and Germany, which maps closely onto overall prevalence. It should be noted that while the components most commonly exposed to the Internet contain fewer vulnerabilities, more than 10% of exposed ICSs are vulnerable.


Geography of Vulnerable ICS Components

The full version of this research, by PT experts Evgeny Druzhinin, Ilya Karpov, Alexander Timorin, Sergey Gordeychik and Gleb Gritsay, will be published later on the Positive Research site: www.ptsecurity.com/research/
