
Industrial Management Systems - 2016: Vulnerability and Availability



Industrial control systems (ICS) are used everywhere today, from smart homes to nuclear power plants. However, the complex organization of such systems, the requirement that the technological process run without interruption, and the ability to reach an ICS over the public Internet make them vulnerable to hacker attacks.

At the same time, the number of vulnerable ICS components does not decrease from year to year. Almost half of the vulnerabilities identified in 2015 have a high degree of risk, with the largest number of vulnerabilities found in the products of the most well-known manufacturers. In particular, dictionary passwords and default passwords are used throughout ICS deployments, which makes it easy to access the systems and take control of them.

These findings come from a Positive Technologies study that analyzed data on ICS vulnerabilities for the period from 2012 to 2015, as well as data on the availability of ICS components via the Internet in 2015. Below are the main results of this study.

Research methodology


The study drew on information from publicly available sources, such as vulnerability knowledge bases (ICS-CERT, NVD, CVE, Siemens Product CERT, Positive Research Center), manufacturer notifications, exploit collections, reports from scientific conferences, and publications on specialized sites and in blogs. We determined the degree of risk of each vulnerability in ICS components from its CVSS version 2 score.

Data on the availability of ICS components on the Internet was collected by scanning the ports of Internet-accessible resources using public search engines: Google, Shodan, Censys. After the data was collected, an additional analysis was carried out to determine whether each result was actually related to an ICS. Positive Technologies specialists compiled a database of approximately 800 ICS identifiers, which make it possible to determine the product in use and its manufacturer from the banner.

Results


The study examined the vulnerabilities of components of about 500 manufacturers of automated control systems. As a result, 743 vulnerabilities were revealed in the process control system. In 2015, experts from Positive Technologies independently discovered 7 new vulnerabilities (two of them have a high degree of risk), details of which were sent to the manufacturer.

Recall that according to our previous study “Safety of Industrial Systems in Figures”, from 2009 to 2012 the number of detected ICS vulnerabilities increased 20 times (from 9 to 192). In recent years (2012–2015), the number of vulnerabilities found annually has remained stable (about 200). This can be explained by the increased interest of equipment manufacturers in identifying and eliminating vulnerabilities promptly and in working with researchers.



The total number of vulnerabilities found in the components of the process control system

The leaders in the ranking of the most vulnerable components of the industrial control system are the products of Siemens, Schneider Electric and Advantech. However, the number of vulnerabilities detected depends on the prevalence of the product and whether the manufacturer adheres to the policy of responsible disclosure. As a result, this rating does not directly indicate the security of specific solutions of a particular manufacturer.



The number of vulnerabilities in the components of industrial control systems of various manufacturers

The greatest number of vulnerabilities was found in SCADA components and programmable logic controllers, network devices for industrial use and engineering software, as well as in components of human-machine interfaces and remote access and control terminals, which corresponds to the data of the previous report for 2012.

The main share of vulnerabilities has a high and medium (47%) degree of risk. At the same time, if we assess the risk level of a vulnerability by the possibility of realizing the main threats to information security (breach of confidentiality, integrity and availability), then more than half of the identified vulnerabilities have a high metric for such an important indicator as availability violation. Together with the possibility of remote exploitation and weak authentication mechanisms, this greatly increases the risk of attacks on ICS.



The distribution of vulnerabilities by risk

Since data on the process of eliminating vulnerabilities are not published, the study used data obtained by experts from Positive Technologies directly from the manufacturers. Detailed information on the identified vulnerabilities that have already been addressed by the manufacturers is presented on the company's website. According to the data for 2015, only 14% of vulnerabilities were eliminated within three months, 34% took more than three months to eliminate, and the remaining 52% of errors were either not corrected at all, or the manufacturer does not report the time of elimination.



The proportion of eliminated vulnerabilities in the components of industrial control systems

However, currently only 5% of known vulnerabilities have published exploits. This figure dropped significantly compared with 2012: then it was possible to find exploits for 35% of vulnerabilities.

The most common vulnerability types are denial of service (DoS), remote code execution (Code Execution) and buffer overflow (Overflow). Exploitation of such vulnerabilities by an attacker could lead to equipment failure or unauthorized operation, which is unacceptable given the requirements for the normal operation of an ICS.



Common Vulnerability Types of Components of Industrial Control Systems

As of March 2016, 158,087 ICS components available on the Internet were detected. The largest number of ICS components is reachable over the HTTP, Fox, Modbus and BACnet protocols, and in most cases a dictionary password is used for authorization in such systems.

The largest number of available ICS components was found in the USA (43%), Germany (12%), France, Italy and Canada (approximately 5%). The low number of ICS components found in Asia is associated with the use of local solutions that are little known on the world market. Russia ranks 31st with 600 available components (less than 1% of the total number of components found).



Number of ICS components available on the Internet (by country)

By prevalence of ICS components, the leaders are Honeywell (17%), SMA Solar Technology (11%) and Beck IPC (7%). The most common components on the Internet are the Tridium building automation systems (25,264), part of the Honeywell group of companies, as well as energy monitoring and management systems, including those based on solar cell technology from SMA Solar Technology (17,275).

The study also found automated systems that control the production processes of various enterprises, transport and water supply. In many cases, the attacker does not need any special knowledge to gain access to them: among the ICS components found on the Internet, only two-thirds can be called protected.



The proportion of vulnerable and safe components of the process control system accessible via the Internet

The data obtained indicate that ICS lacked adequate protection against cyber attacks in 2016. Even minimal preventive measures, such as the use of complex passwords and the disconnection of ICS components from the Internet, will significantly reduce the likelihood of attacks with significant consequences.

The full text of the study “Safety of the Process Control System in Figures - 2016” can be found at www.ptsecurity.ru/research/analytics

Source: https://habr.com/ru/post/306202/

