The number of vulnerabilities discovered in industrial control systems (ICS), particularly supervisory control and data acquisition (SCADA) systems, has increased significantly since the discovery of the Stuxnet computer worm raised the profile of ICS security, according to a recent study from Positive Technologies. Researchers found that 20 times more vulnerabilities were discovered between 2010 and 2012 than in the previous five years.
According to the study, 64 vulnerabilities were discovered in ICS/SCADA systems from 2010 to 2011, and 98 were reported from January to August of 2012. In contrast, only nine vulnerabilities were found from 2005 to 2010. Around one in five vulnerabilities goes unfixed for more than 30 days after detection.
Additionally, around 65 percent of vulnerabilities found in ICS/SCADA systems are rated as high or critical severity, with 25 percent rating as critical. This percentage is significantly higher than with most IT systems, researchers noted. Half of the vulnerabilities discovered allow a hacker to execute code, and, for 35 percent of vulnerabilities, an exploit exists. Researchers called attention to the fact that this percentage is also much higher than the rate for IT systems overall.
The study also examined the number of ICS accessible from the internet, determining that 40 percent of SCADA systems accessible from the Internet can be hacked by poorly trained malware users. The study specifically highlighted the United States and Europe for a “thoughtless attitude towards their security,” noting that these two regions have the highest percentage of ICS published to the internet. Fifty-four percent of systems available from the internet in Europe are vulnerable, as are 39 percent of such systems in the United States.
One-quarter of vulnerabilities in ICS are due to a lack of necessary updates, while one-third arise from configuration errors such as using default passwords, the study noted.
Strengthening ICS/SCADA information security
The rapid rise in reported vulnerabilities and exploits may be due in part to the fact that traditionally this area has seen little security oversight. The study noted that industry systems security is a relatively new point of interest. According to Dale Peterson, CEO of security consultancy Digital Bond, the actual number of exploits may be significantly higher.
“What you don’t see in [Positive Technologies'] numbers is that a tremendous amount of exploits are not disclosed,” he told Dark Reading. “They are known or covered by NDA, or whoever found them feels they should not be disclosed.”
Due to the fact that the systems in question are often decades old and only beginning to factor in modern security concerns, ICS security improvements are still in their early stages. Positive Technologies researcher and report co-author Sergey Gordeychik explained that the survey results were not entirely unexpected.
“ICS security now looks like Internet security in early 2000, and we can compare Stuxnet with CodeRed/Nimda worms,” he told Dark Reading. “It’s like a trigger.”
Spurred by recent developments, ICS vendors are improving their software security measures, Peterson told Dark Reading. However, traditional SCADA products would be improved by starting over with a secure development lifecycle that takes advantage of modern tools such as source code analysis to strengthen systems against security threats.
“[It's] almost a losing battle because you find one and patch it … but there are systemic problems in the product,” Peterson told Dark Reading. “It’s just going to be a never-ending flow of vulnerabilities until you actually go in and redesign that code. That’s what a lot of these vendors are facing: It’s like a bucket with a bunch of holes in it that’s rusting out. You just need to start over.”