ICS Flaw Disclosures at High Levels Since Stuxnet Attack, Report Says
(SecurityWeek) – The number of publicly disclosed vulnerabilities affecting industrial control systems (ICS) has increased considerably since the Stuxnet attack, shows a report published on Wednesday by threat intelligence firm Recorded Future.
Researchers have uncovered numerous vulnerabilities in ICS products over the past years and experts have often warned that attacks against critical infrastructure companies housing such systems can have devastating effects. However, so far there have been only a few reports of damaging ICS attacks, the most notable being the 2011 Stuxnet operation targeting Iran’s nuclear facilities.
Recorded Future has conducted an analysis of roughly 400 issues documented in NIST’s vulnerability database. The figures show that there has been a sharp increase in ICS vulnerability disclosures following the Stuxnet incident.
Before 2011, less than a dozen ICS flaws were disclosed each year. In 2011, the number increased to nearly 50, and it reached more than 100 in 2012. ICS vulnerability disclosures have been at high levels ever since, with almost 50 new security holes revealed in 2015 until mid-July, the report shows.
Siemens and Schneider Electric account for roughly half of all the ICS security bugs disclosed since 2007, but that’s not surprising considering that these are among the largest industrial automation vendors in the world and many security researchers are analyzing their products.
While the number of flaws found in SIemens and Schneider products remain at high levels, a decreasing trend has been observed in the case of other vendors, such as General Electric and ABB. Recorded Future believes these trends likely reflect vendors’ level of commitment to cyber security.
The intelligence firm has determined that the highest number of vulnerabilities have been identified in ICS products such as Siemens SIMATIC, Siemens WinCC, Advantech Broadwin, Schneider WonderWare, and GE Proficy.
Recorded Future’s web intelligence engine structures data around cyber security events, actors, locations, targets and time from over 8 billion data points across 700,000 web sources. This has allowed the company to determine ICS exploit trends between 2010 and 2015.
If in 2010 there were only six ICS exploits available, the number more than tripled by 2014 and the situation doesn’t seem to be improving this year — there were already 14 ICS exploits as of mid-July. The highest number of exploits available since 2010 target Siemens, Schneider Electric, Advantech, CoDoSys and DATAC products. Many of the PoCs and exploits come from researchers and organizations in the United States (23%), Russia (17%), and Malta (17%).
In addition to the existence of vulnerabilities and exploits, critical infrastructure companies face another problem, namely the exposure of employee credentials. A report published last year by Recorded Future revealed that login credentials from 221 of the Fortune 500 organizations had been found on paste sites and forums. This list included 18 major public utilities and 15 energy companies. In Europe, credentials from 17 chemical, 17 industrial engineering, and 12 oil and gas companies were leaked online.
“This lack of actual attacks compared to the level of fear and paranoia probably makes sense since state-backed attacks on critical infrastructure are perceived to be close to war, and the actual motivations for attackers such as criminal gangs and hacktivists have been perceived as low,” Recorded Future noted in its report. “Criminal actors are motivated by financial gains and have historically been focused on financial infrastructure – there has been little potential for financial gains in ICS attacks.”
On the other hand, the intelligence firm noted that the combination of continued growth in ICS vulnerabilities, the existence of exploits, and exposed employee credentials for critical infrastructure companies leaves such organizations open to extortionist and destructive attacks.
“Recently we have observed novel patterns of attacks that are destructive and extortionist in nature – such as the Sands attack, Sony attack, bank extortion by groups like Rex Mundi, DDB4C threatening Bitcoin exchanges with DDoS attacks unless they pay protection money, and the more prevalent Cryptolocker strain of malware,” Recorded Future noted. “It is likely too early to claim a change in cyber attack behavior – but this is something new that is unlikely to stay within the domains we’ve seen so far – and ICS is a perfect place to take this behavior.”
The complete report, titled “Up and to the Right: ICS/SCADA Vulnerabilities by the Numbers,” is available online.