Industrial Control Systems (ICS) are the technology workhorses responsible for powering the electric grid and utilities, water treatment plants, oil and gas production, food and beverage manufacturing, and transportation systems, among many others. Our society relies on these systems more than we know to keep life running smoothly.
However, a new research report by FireEye indicates that organizations operating vulnerable ICS may be leaving their industrial environments exposed to possible exploit by outside attackers or malicious insiders.
The FireEye iSight Intelligence 2016 ICS Vulnerability Trend Report is headlined “OVERLOAD – Critical Lessons from 15 years of ICS Vulnerabilities.” It examines 1552 ICS vulnerabilities from January 2000 through April 2016. The report covers trends in ICS vulnerability disclosures and device types, patch availability, and exploitation in the wild. Here is a summary of the key highlights and guidance.
Nearly Every ICS Vendor Is Affected by Vulnerabilities
There are 123 vendors who have been affected by ICS vulnerability disclosures. Chances are some of these systems exist within your organization’s ICS environment. The report suggests that ICS asset owners/operators could become overwhelmed with vendor notifications, assessment and implementation.
As the report warns: “The flood of vulnerabilities is likely to overwhelm ICS asset owners as they struggle to keep up with vulnerability notifications, assess associated risk, and implement mitigation.”
ICS Vulnerabilities on the Rise
The report chart below indicates that 90% of the examined ICS vulnerabilities occurred from 2011-2015. FireEye suggests that since Stuxnet was publicly disclosed in mid-2010, it could have triggered increased interest in discovering control system vulnerabilities and exploits.
Also, between 2014 and 2015 there is a 49% increase, but the report explains that this was anomalous given a high number of vulnerabilities concentrated between just two vendors (OSISoft and Yokogawa) in 2015. They foresee the prior years’ average of 5% will likely be the trend going forward.
Here’s an opinion. FireEye’s trend forecast of 5% on future ICS vulnerabilities may be somewhat conservative. New cyber security requirements within certain industries, regulations, new and advanced technologies designed for ICS environments and increased security assessments may help uncover more vulnerabilities as well as currently unknown breach activity underway by adversaries. If these conditions do occur, there may be a higher than 5% increase for ICS vulnerabilities in future years.
Patches Not Available at Public Disclosure
Of the 1552 vulnerabilities examined by FireEye, 516 (33%) had no patch available at the time of disclosure. This means one-third were essentially zero-day vulnerabilities, and FireEye foresees this trend continuing. Given slow patch times or no vendor fixes, threat actors have ample opportunity to exploit ICS environments.
ICS Attacker’s Holy Grail – Unrestricted Access to Level2
FireEye iSight Intelligence uses a simplified Purdue Model to classify ICS vulnerabilities. The model places systems and equipment and their functions into specific Zones (Levels). Their findings were that most ICS vulnerability disclosures since 2013 affect Level2 as seen in the chart below.
FireEye thinks this has been such a popular Level for targeted research and exploits because other information technologies used within this Level such as mainstream operating systems and databases are already familiar to the researchers. In addition these are relatively inexpensive components and easy to acquire.
One of the most important points in this report for ICS security professionals is that “once an attacker has unrestricted access to Level2, further exploits and vulnerabilities become less important because devices that directly control the processes, such as HMI and engineering workstations reside there [in Level2].”
FireEye describes an example from the Ukraine utilities attack showing that attackers with access to the HMI can freely open and close switches and actuators without needing to exploit additional vulnerabilities.
Additionally, unauthenticated protocols will allow any connected computer to interact with the control process, such as when Modbus/TCP is in use any device on the network can be allowed to alter a set point within the process logic executed by the controller.
Summary and Guidance
This report has many other excellent insights for industrial control engineers, architects, plant managers, and even IT security teams seeking to give assistance to ICS operations but who need a better understanding of the challenges, vulnerabilities, and threats.
FireEye iSight Intelligence offers this short list for those seeking to get started addressing ICS vulnerabilities.
- Know Your Assets – Prepare your security teams with an accurate understanding of control system assets, their locations, and functions. Assure you have an accurate asset inventory.
- ICS Threat Intelligence – Obtain structured vulnerability and patch feeds that cover a wide variety of sources.
- Vulnerability Tracking Against Assets – Match the vulnerability disclosures and patch announcements against your asset inventory.
- Track Vulnerable and Unpatched Products – Know your old and legacy equipment currently in use within the industrial environment. There are technologies available to mitigate ICS systems with weaknesses that cannot be patched.
- Prioritize Vulnerability Remediation – Seek to prioritize vulnerability remediation efforts by considering ICS architecture location, simplicity of exploitation, and possible impact on the controlled industrial process.