Friday, October 7, 2016

Industrial Control Systems 2016 Report: Connected and Vulnerable

Industrial control systems (ICS) are part and parcel of everyday life, from smart homes to nuclear power stations. ICS bridge the gap between the digital world and the physical world by interpreting the commands that control turbines, switches, valves, and more. Because these systems are complex, critical to infrastructure, and often Internet-connected, they make a very tempting target for hackers.

The number of vulnerable ICS components grows every year. Nearly half of the vulnerabilities identified in 2015 are high-risk – and the majority of vulnerabilities were found in the products of the most well-known vendors. Widespread poor security practices, such as default passwords and dictionary-guessable passwords, make it easy for outsiders to access the systems and gain control.

These are the sobering conclusions of research by Positive Technologies, which analyzed data on ICS vulnerabilities from 2012 to 2015, as well as information on the Internet availability of ICS components in 2015. Below is a summary of the findings.


The source material consisted of publicly available information such as vulnerability databases (ICS-CERT, NVD, CVE, Siemens Product CERT, Positive Research Center), vendors’ advisories, exploit databases and packs (, etc), conference presentations, and publications on blogs and industry sites. CVSSv2 was used to assess vulnerability severity.

To collect information on the online availability of ICS components, researchers scanned Internet-accessible ports using publicly accessible search engines: Google, Shodan, and Censys. Once collected, the data was subjected to additional analysis to determine a relationship to ICS equipment. Positive Technologies specialists created a database of ICS identifiers, consisting of approximately 800 entries that allow inferring the product and vendor from the banner.
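A miniature version of that banner-to-product step, added here as an illustration and not code from the Positive Technologies report; the signature table, banners and addresses are constructed assumptions standing in for the ~800-entry identifier database:

```python
import re
from collections import Counter

# Constructed signature table in the spirit of the report's identifier database.
# Every pattern, vendor and product below is an assumption for illustration,
# not an entry from the Positive Technologies database.
SIGNATURES = [
    # (port, case-insensitive regex over the banner, vendor, product family)
    (1911,  r"^fox a 1 -1 fox hello", "Tridium (Honeywell)",  "Niagara Fox building automation"),
    (80,    r"sunny webbox|sma solar", "SMA Solar Technology", "Sunny WebBox PV monitoring"),
    (80,    r"ipc@chip|beck ipc",      "Beck IPC",             "IPC@CHIP embedded controller"),
    (502,   r"modicon|schneider",      "Schneider Electric",   "Modicon PLC (Modbus/TCP)"),
    (47808, r"bacnet",                 "generic",              "BACnet/IP device"),
]

def identify(port, banner):
    """Map one (port, banner) pair to (vendor, product); None when nothing matches."""
    for sig_port, pattern, vendor, product in SIGNATURES:
        if port == sig_port and re.search(pattern, banner, re.IGNORECASE):
            return vendor, product
    return None

def vendor_shares(records):
    """Count identified hosts per vendor and give each as a share of identified hosts.
    records: iterable of (ip, port, banner). Banners matching no signature are dropped,
    mirroring the post-processing step that ties a host to ICS equipment."""
    counts = Counter()
    for _ip, port, banner in records:
        hit = identify(port, banner)
        if hit:
            counts[hit[0]] += 1
    total = sum(counts.values())
    return {vendor: (n, round(100.0 * n / total)) for vendor, n in counts.items()}

# Constructed sample scan results (documentation-range addresses, made-up banners).
SAMPLE = [
    ("192.0.2.10", 1911, "fox a 1 -1 fox hello\n{\nfox.version=s:1.0\n}"),
    ("192.0.2.11", 1911, "fox a 1 -1 fox hello\n{\nfox.version=s:1.0\n}"),
    ("192.0.2.12", 80, "HTTP/1.0 200 OK\r\nServer: Sunny WebBox\r\n"),
    ("192.0.2.13", 80, "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"IPC@CHIP\"\r\n"),
    ("192.0.2.14", 502, "\x00\x01\x00\x00\x00\x0b\x01\x2b\x0e\x01\x00 Schneider Electric Modicon M340"),
    ("192.0.2.15", 22, "SSH-2.0-OpenSSH_7.2"),  # not ICS: dropped from the inventory
]

if __name__ == "__main__":
    for vendor, (n, pct) in sorted(vendor_shares(SAMPLE).items()):
        print(f"{vendor}: {n} hosts ({pct}%)")
```

Run against a real inventory export, the same loop produces the per-vendor breakdown the report presents as percentages.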


In total, vulnerabilities in components from approximately 500 ICS vendors were considered. 743 vulnerabilities were found in all. In 2015, experts at Positive Technologies independently discovered 7 new vulnerabilities (2 of them high-risk) and notified the relevant vendors.

As noted in our previous report, SCADA Safety in Numbers, between 2009 and 2012 the number of discovered ICS vulnerabilities soared by over 20 times (from 9 to 192). In recent years (2012–2015), the number of vulnerabilities discovered each year has remained stable at approximately 200. This is the result of increased interest by vendors in addressing vulnerabilities and interacting with the security community.

Total number of vulnerabilities discovered in ICS components 

The vendors of the most vulnerable ICS components, in terms of number of vulnerabilities found, are Siemens, Schneider Electric, and Advantech. However, these numbers paint only a partial picture: they depend on the prevalence of the product and on whether the vendor practices responsible disclosure. Therefore, these figures cannot be used to judge the degree of security of particular solutions from any particular vendor.

Number of vulnerabilities in ICS components (by vendor)

The largest number of vulnerabilities was identified in SCADA components and programmable logic controllers (PLCs), industrial network devices and engineering software, human–machine interfaces (HMIs), and remote access and management terminals. These results show little change from 2012.

Most vulnerabilities are of either high or medium risk (47% high, 47% medium). Looking at the degree of risk based on the feasibility of threats to confidentiality, integrity, and availability, over half of the vulnerabilities score as high-risk on the important availability metric. Threats to availability, combined with the possibility of remote exploitation and weak authentication mechanisms, substantially increase the risk of damaging ICS attacks.
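To make the severity and availability figures above reproducible, here is a CVSSv2 base-score calculator added as an example (not the report's own tooling); the weights are those of the CVSS v2.0 specification, the severity bands are NVD's, the sample vectors are constructed, and reading "high-risk on the availability metric" as A:C is this example's interpretation:

```python
import re
from collections import Counter

# Base-metric weights from the CVSS v2.0 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}        # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}         # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}        # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}       # confidentiality / integrity / availability impact

VECTOR_RE = re.compile(r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$")

def base_score(vector):
    """CVSSv2 base score for a vector such as 'AV:N/AC:L/Au:N/C:N/I:N/A:C'."""
    m = VECTOR_RE.match(vector)
    if not m:
        raise ValueError(f"malformed CVSSv2 base vector: {vector!r}")
    av, ac, au, c, i, a = m.groups()
    impact = 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

def severity(score):
    """NVD severity bands for CVSSv2: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"

def summarize(vectors):
    """Severity distribution plus the percentage of entries whose availability impact
    is complete (A:C); this A:C reading is an assumption of the example, not the
    report's stated method."""
    by_severity = Counter(severity(base_score(v)) for v in vectors)
    a_complete = sum(1 for v in vectors if v.endswith("/A:C"))
    return dict(by_severity), round(100 * a_complete / len(vectors))

# Constructed sample vectors typical of the DoS / RCE / overflow classes the report names.
SAMPLE_VECTORS = [
    "AV:N/AC:L/Au:N/C:N/I:N/A:C",   # unauthenticated remote DoS            -> 7.8 High
    "AV:N/AC:L/Au:N/C:C/I:C/A:C",   # unauthenticated remote code execution -> 10.0 High
    "AV:N/AC:M/Au:N/C:P/I:P/A:P",   # remote, partial impact                -> 6.8 Medium
    "AV:L/AC:L/Au:N/C:P/I:P/A:P",   # local, partial impact                 -> 4.6 Medium
    "AV:N/AC:L/Au:N/C:P/I:N/A:N",   # remote information disclosure         -> 5.0 Medium
    "AV:L/AC:H/Au:N/C:N/I:N/A:P",   # local, hard to exploit, partial DoS   -> 1.2 Low
]

if __name__ == "__main__":
    for v in SAMPLE_VECTORS:
        s = base_score(v)
        print(f"{v}  {s:4.1f}  {severity(s)}")
    print(summarize(SAMPLE_VECTORS))
```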

Distribution of vulnerabilities (by risk)

Data on vulnerability fixes is not published, so Positive Technologies researchers relied on information provided by the vendors themselves. Detailed information on the vulnerabilities already fixed by vendors is provided on the company website. 2015 data shows that only 14% of vulnerabilities were resolved within three months, while 34% waited over three months and the remaining 52% either were never repaired, or the date of repair was not given by the vendor.

Repair timeline for vulnerabilities identified in ICS components

However, published exploits are available for only 5% of known vulnerabilities. This is an improvement over 2012, when exploits could be found for 35% of vulnerabilities.

Most vulnerabilities fall into the categories of DoS, Remote Code Execution, and Buffer Overflow. Exploitation of these vulnerabilities by an intruder could cause equipment failure or unsanctioned operation of the equipment, which is equally undesirable given the reliability requirements and sensitivity of ICS components.

Most common types of vulnerabilities in ICS components

As of March 2016, 158,087 ICS components were available online. Most of these components were accessible via HTTP, Fox, Modbus, and BACnet, and in most cases, a dictionary password was used for authentication.

The largest numbers of Internet-available ICS components were found in the USA (43%), Germany (12%), and France, Italy, and Canada (approximately 5% each). The low number of ICS components found in Asia is due to the use of local solutions that are little known outside of their home markets. Russia placed 31st, with 600 available components (less than 1% of the total).

Number of Internet-available ICS components (by country)

The largest vendors of the found Internet-available ICS components are Honeywell (17%), SMA Solar Technology (11%), and Beck IPC (7%). Among Internet-available components, the most common are building automation systems from Tridium, a Honeywell company (25,264), and energy management systems, including photovoltaics from SMA Solar Technology (17,275).

Positive Technologies researchers were also able to “find” automated control systems responsible for manufacturing processes, transportation, and water supply. In many cases, intruders would not even need any special knowledge to gain access. Of the ICS components found online, only two thirds can be reasonably described as secure.

Breakdown of vulnerable vs. secure Internet-available ICS components 

These results suggest that ICS security from cyberattacks in 2016 is still deficient. Even basic security hygiene – such as use of complex passwords and disconnecting ICS components from the Internet – goes a long way toward preventing attacks with potentially enormous consequences.

Full text of the “Security Trends and Vulnerabilities Review. Industrial Control Systems” report is available at
