Positive Technologies Discovers Wide-Scale Vulnerabilities within Industrial Control Systems

More than 40% of the Industrial Control Systems currently accessible via the Internet can be successfully hacked by an amateur. That’s the startling conclusion from a new report issued by Positive Research, the research arm of Positive Technologies.

The study looked at a wide range of ICS and SCADA (supervisory control and data acquisition) systems which are broadly used to control critical systems such as high-speed railway and subway networks, oil and gas pipelines, nuclear power stations and water supply plants. The vital role played by these systems makes them a particularly attractive target for malicious hackers and cyber terrorists due to their potential to cause large-scale disruption.

The analysis by Positive Research revealed that at least 42% of the systems available through the internet contain vulnerabilities that can easily be exploited by an attacker, while only 17% of them were found to be fully secure. Remarkably, the majority of the security issues uncovered were related to configuration errors (for example the use of default passwords) and the failure to install software updates.

This comprehensive research study was conducted over a period of seven years from 2005 to October 2012 and found that the number of threats has risen sharply in recent years. Our analysis revealed that only nine vulnerabilities were discovered between 2005 and early 2010, while in 2011 alone some 64 vulnerabilities were detected – including the now notorious Stuxnet worm. By 2012 the picture was growing even grimmer: 98 new vulnerabilities were found in the first eight months of the year, with about 65% of these categorised as high-risk or critical.

The report also reveals significant growth in the number of exploits (ready-to-use tools for taking advantage of specific vulnerabilities) that were made public during the period studied, greatly increasing the chances of attack by an amateur hacker. During the period from 2011 to September 2012, 50 exploits were published. That’s six times as many as were published from 2005 to 2010. At present, 35% of all known ICS vulnerabilities have exploits that are available as single utilities or as parts of penetration testing software, or are described in security bulletins.

Sergey Gordeychik, EVP Product Strategy at Positive Technologies, commented: "There are widely-differing opinions within the industry on the general level of ICS security. Some people claim that SCADA systems are defenseless; while others insist there is no need to defend them since they are impossible to hack. We hope our research will draw attention to how vulnerable critical infrastructure systems actually are and spark the conversation within the industry, so that together we can solve these most serious problems."