ICS Security: 2016 year in review

Published on May 15, 2017
  • ICS/SCADA

These days, industrial control systems are found in places quite different from traditional industrial settings. ICS components are integrated into everything from nuclear power plants to smart home systems. With rapid growth in ICS integrators and a limited number of major vendors to supply them, the same products may be used both at critical infrastructure facilities and at run-of-the-mill private companies. An intruder who finds an ICS vulnerability at one company can use the same vulnerability against targets all over the world. Even worse, vendors and users often neglect ICS security. Because critical systems must run without interruption, the software they depend on (industrial protocol stacks, operating systems, and database management systems) often goes years without updates. The combination of these factors has created a dangerous situation with an evolving threat landscape.

Based on our data, over 100 vulnerabilities in 2016 were detected in ICS components from leading manufacturers, primarily Siemens, Advantech, Schneider Electric, and Moxa. Most of these vulnerabilities were of critical and high risk (60%), typically involving Remote Code Execution, Denial of Service, and/or Information Disclosure. The majority of vulnerabilities are found in dispatch and monitoring systems (HMI/SCADA).

As of early 2017, over 160,000 ICS components could be accessed over the Internet. The largest numbers were found in the USA (31%), Germany (8%), and China (5%). As in previous years, the most commonly encountered Internet-accessible components were Tridium building automation systems, SMA Solar Technology power monitoring and management systems, and IPC@CHIP by Beck IPC.

Detailed results of our analysis of vulnerabilities and Internet-accessible ICS components are given below.

VULNERABILITY ANALYSIS

Materials and methods

Information was drawn from publicly available sources, such as vulnerability knowledge bases, vendor advisories, exploit databases and packs, scientific papers, and posts on security websites and blogs.[1]

The following vulnerability knowledge bases were used:

  • ICS-CERT (ics-cert.us-cert.gov)
  • NVD (nvd.nist.gov), CVE (cve.mitre.org)
  • Positive Research Center (securitylab.ru/lab)
  • Siemens Product CERT (siemens.com/cert)
  • Schneider Electric Cybersecurity Support Portal (schneider-electric.com/b2b/en/support/cybersecurity/security-notifications.jsp)

The severity of vulnerabilities in ICS components was assessed based on the Common Vulnerability Scoring System (CVSS) version 3 (first.org/cvss).

Vulnerability analysis covered the hardware and software of leading ICS vendors. However, our results do not cover vulnerabilities in third-party open-source software (such as OpenSSL or GNU components) that may have been used in the development of ICS applications.

Trends

Compared to the previous year, the number of vulnerabilities found in the products of leading manufacturers decreased to 115 in 2016. However, this is not a complete list of vulnerabilities, since some of them can be made public only after the corresponding patches have been released. Positive Technologies experts have informed ICS vendors (Siemens, Schneider Electric, and others) about 13 additional vulnerabilities that have not yet been published as of when this article was written.

Figure: Total number of ICS vulnerabilities found

Vulnerabilities by vendor

As in 2015, Siemens, Advantech, Schneider Electric, and industrial network equipment manufacturer Moxa lead in the number of reported ICS vulnerabilities. Keep in mind that this number (published vulnerabilities) depends on the prevalence of a vendor’s products and on whether the vendor practices responsible disclosure. Therefore, these figures cannot be used to judge how secure any particular vendor’s solutions are. If anything, products from vendors that do not publish information on detected and remediated vulnerabilities are likely to be more vulnerable.

Figure: Vulnerabilities among major ICS component vendors

Vulnerabilities by component

The majority of vulnerabilities published in 2016 were detected in dispatch and monitoring systems (HMI/SCADA). Remote Code Execution, Denial of Service, and Information Disclosure vulnerabilities were the most frequent types.

Figure: Number of vulnerabilities in various ICS components
Figure: Common types of vulnerabilities in ICS components

According to CVSSv3, most of the vulnerabilities can be exploited remotely, without obtaining any privileges.

Figure: Breakdown of vulnerabilities by CVSS criteria

Risk level

More than half of detected vulnerabilities are of critical and high severity, based on CVSSv3 scoring.

Figure: Distribution of vulnerabilities by risk

Vulnerabilities detected by Positive Technologies

In 2016, vendors confirmed and remediated 11 new vulnerabilities detected by our company in ICS components manufactured by Siemens, Advantech, Schneider Electric, General Electric, and Rockwell Automation. Two of the detected vulnerabilities were critical; two were of high severity.

Table 1. Examples of detected vulnerabilities

AVAILABILITY OF ICS COMPONENTS ON THE INTERNET

Materials and methods

Researchers used only passive methods to collect information on the online availability of ICS components: rather than scanning hosts themselves, they queried publicly available search engines that index Internet-accessible ports and service banners, namely Google, Shodan (shodan.io), and Censys (censys.io).

This data was then analyzed to determine whether each result belonged to ICS equipment. Positive Technologies experts created a database of ICS identifiers, consisting of approximately 800 entries, for determining the product and vendor from a device’s banner.

Prevalence

The research revealed 162,039 ICS components available online. Of these, 4,515 components (3%) are used in the energy sector and 38,580 (24%) are used in building automation.

Looking at the protocols used by the detected ICS components, the largest single protocol was HTTP, which is consistent with recent years.

Importance of encryption

Unencrypted storage of passwords can result in an attacker gaining control of an ICS/SCADA system. The attacker can log in like any other user and start affecting operations—leading to economic losses, equipment failure, or even serious accidents. By gaining passwords to databases, an attacker is able to illegitimately modify information and create the preconditions for malfunction and/or physical harm.

Figure: Number of Internet-accessible ICS components (by protocol)

Geographic distribution

Also consistent with recent years, the leader in the number of components found is the United States (31% of the total) by a wide margin. Germany is second (8%), followed by China (5%), which was not even in the top 10 countries the previous year. One likely reason for the large number of ICS components found in these countries is the popularity of building automation systems.

Figure: Top 10 countries by number of Internet-accessible ICS components

Prevalence of ICS components (by vendor)

Honeywell's Niagara Framework is still the software most commonly found on Internet-accessible equipment. Sunny WebBox by SMA Solar Technology is close behind in second place, with German company Beck IPC and its IPC@CHIP in third place.

Niagara Framework by Tridium, a Honeywell company, is one of the most popular systems for smart home automation. Sunny WebBox solar power monitoring and management systems by SMA Solar Technology are particularly popular in European countries. IPC@CHIP by Beck IPC is popular thanks to its relatively low price, multifunctionality, embedded Ethernet controller with TCP/IP stack support, and built-in web server.

Figure: Number of Internet-accessible ICS components (by country)
Figure: Number of Internet-accessible ICS components (by vendor)

Interesting fact

Interface converters and network devices are of major interest to intruders. Attacks on these devices do not require in-depth knowledge of target processes, but have the potential to cause breakdowns and serious accidents.

Figure: Number of Internet-accessible ICS components (distribution by product)

Types of ICS components found

We classified ICS components by type based on their entries in the identification database.

Table 2. Share of Internet-accessible ICS components
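The identifier database described under Materials and methods, and the tallies by protocol, vendor and component type that follow from it, can be shown with a small banner classifier. The Python below is an added example, not the researchers' tooling: it takes records that a search engine such as Shodan or Censys already holds (nothing is scanned), matches each banner against a handful of illustrative identifier entries standing in for the roughly 800 real ones, and counts the matches the way this section presents them. The patterns, the port-to-protocol table and the SAMPLE_RECORDS are constructed assumptions; the addresses are from the documentation range and are not real hosts.

```python
"""Banner-based identification of Internet-exposed ICS components.

Added example mirroring the passive method described in the report:
records already held by a search engine (nothing is scanned here) are
matched against an identifier database and tallied by protocol, vendor
and component type. The patterns, the port table and SAMPLE_RECORDS are
constructed for illustration; the real database has about 800 entries.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Identifier:
    pattern: str      # regular expression matched against the raw banner
    vendor: str
    product: str
    kind: str         # component type used for the "by type" tally


# Miniature stand-in for the identifier database (illustrative patterns).
IDENTIFIERS = [
    Identifier(r"Niagara Web Server|fox hello", "Tridium (Honeywell)", "Niagara Framework", "building automation"),
    Identifier(r"Sunny WebBox", "SMA Solar Technology", "Sunny WebBox", "power monitoring"),
    Identifier(r"IPC@CHIP", "Beck IPC", "IPC@CHIP", "embedded controller"),
    Identifier(r"Original Siemens Equipment", "Siemens", "SIMATIC S7", "PLC"),
    Identifier(r"Vendor Name: Schneider Electric", "Schneider Electric", "Modicon", "PLC"),
    Identifier(r"MoxaHttp|NPort", "Moxa", "NPort / embedded web server", "interface converter"),
]
_COMPILED = [(re.compile(i.pattern, re.I), i) for i in IDENTIFIERS]

# Well-known ports of protocols commonly seen in ICS exposure studies.
PORT_PROTOCOL = {80: "HTTP", 8080: "HTTP", 443: "HTTPS", 502: "Modbus", 102: "S7comm",
                 44818: "EtherNet/IP", 47808: "BACnet", 20000: "DNP3", 1911: "Niagara Fox"}

SAMPLE_RECORDS = [  # constructed; documentation-range addresses, not real hosts
    {"ip": "192.0.2.10", "port": 80,   "banner": "HTTP/1.1 200 OK\r\nServer: Niagara Web Server/3.8.38\r\n"},
    {"ip": "192.0.2.11", "port": 1911, "banner": "fox a 1 -1 fox hello\n{\nfox.version=s:1.0\nhostName=s:jace\n}"},
    {"ip": "192.0.2.12", "port": 80,   "banner": "HTTP/1.0 200 OK\r\nServer: Sunny WebBox\r\n"},
    {"ip": "192.0.2.13", "port": 80,   "banner": "HTTP/1.1 200 OK\r\nServer: IPC@CHIP\r\n"},
    {"ip": "192.0.2.14", "port": 102,  "banner": "Copyright: Original Siemens Equipment\nModule type: CPU 315-2 PN/DP\n"},
    {"ip": "192.0.2.15", "port": 502,  "banner": "Unit ID: 1\nVendor Name: Schneider Electric\nProduct Code: BMX P34 2020\n"},
    {"ip": "192.0.2.16", "port": 80,   "banner": "HTTP/1.1 200 OK\r\nServer: MoxaHttp/1.0\r\n"},
    {"ip": "192.0.2.17", "port": 80,   "banner": "HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\n"},  # not ICS
]


def identify(record):
    """Return the Identifier whose pattern matches the banner, or None."""
    for regex, ident in _COMPILED:
        if regex.search(record["banner"]):
            return ident
    return None


def protocol_of(record):
    return PORT_PROTOCOL.get(record["port"], f"tcp/{record['port']}")


def summarize(records):
    """Tally matched records by protocol, vendor and type; unmatched
    records (not ICS, or not yet in the database) are excluded."""
    by_protocol, by_vendor, by_type = Counter(), Counter(), Counter()
    total = 0
    for record in records:
        ident = identify(record)
        if ident is None:
            continue
        total += 1
        by_protocol[protocol_of(record)] += 1
        by_vendor[ident.vendor] += 1
        by_type[ident.kind] += 1
    return {"total": total, "by_protocol": by_protocol, "by_vendor": by_vendor, "by_type": by_type}


if __name__ == "__main__":
    result = summarize(SAMPLE_RECORDS)
    print(f"{result['total']} ICS components identified")
    for key in ("by_protocol", "by_vendor", "by_type"):
        for name, count in result[key].most_common():
            print(f"  {key[3:]:9} {name:28} {count:3}  ({100 * count / result['total']:.0f}%)")
```

Two properties of the method show up directly in the code: a record is only counted if some identifier matches it, so the published totals are a lower bound that grows as the database grows, and a device exposing several ports yields several records, which is why the report counts components rather than hosts.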

SUMMARY

The number of vulnerabilities made public by the major ICS vendors significantly decreased in the last year, since many vulnerabilities had been remediated already in previous years. However, over half of the detected vulnerabilities were of critical and high risk, and these vulnerabilities are the ones that vendors attempt to remediate first. Leading vendors have already started paying more attention to detection and remediation of vulnerabilities during both the development and operation stages. Active cooperation between vendors and security researchers is critical for ensuring greater security for ICS overall.

At the same time, the number of Internet-accessible ICS components is growing. The majority of them were detected in the countries with the highest levels of automation (USA, Germany, China, France, and Canada). Most Internet-accessible ICS components are multifunctional and used for automation of a number of systems. Dictionary or default passwords are often used for remote access to ICS components, making it trivially easy for an intruder to take control. The most basic preventive measures—such as disconnecting ICS components from the Internet and using strong passwords—help to significantly decrease the likelihood of attacks.

We urge regular ICS security audits to identify possible attack vectors and develop an effective security strategy. In addition, vendors should be informed in a timely manner about new vulnerabilities and undeclared features of ICS components as they are discovered during ICS operation.

[1] digitalbond.com, scadahacker.com, immunityinc.com/products/canvas, exploit-db.com, rapid7.com/db