ICS vulnerabilities: 2018 in review

Published on April 11, 2019
  • ICS/SCADA

Contents

  • Introduction
  • Abbreviations
  • Analysis of vulnerabilities in ICS components
  • Availability of ICS components on the Internet
  • Conclusion

Introduction

2018 was rich in ICS incidents. Details were published regarding use of the Triton cyberweapon, which, like Stuxnet and Industroyer, targets ICS equipment. In addition, several high-profile attacks struck industrial companies. Boeing announced it was hit by WannaCry and a few months later, the same virus shut down several plants of Taiwan Semiconductor Manufacturing Company. Although the attacks targeted IT infrastructure, their consequences also affected operational technology used for production. In effect, attackers do not always need specific knowledge about a target's operations in order to disrupt them.

After exploiting vulnerabilities in the IT infrastructure, hackers can gain access to the industrial network. According to our research, an internal attacker already on the corporate information system would have been able to penetrate the industrial network in 82 percent of cases. At that point, the attacker has a number of ways to perform malicious acts against ICS components, and the most common one is to exploit known vulnerabilities. That is why it is so important to know about the vulnerabilities existing in ICS equipment, as this allows businesses to assess the risks in time and take appropriate protection measures.

This research outlines known vulnerabilities in ICS components and the availability of such components on the Internet, with data to show how the situation has evolved over the last few years.

Abbreviations

DCS—distributed control systems

HMI—human–machine interface

ICS—industrial control system

PLC—programmable logic controller

RTU—remote terminal unit

SCADA—supervisory control and data acquisition

Analysis of vulnerabilities in ICS components

Materials and methods

Information was drawn from publicly available sources, such as vulnerability knowledge bases, vendor advisories, scientific papers, and posts on security websites and blogs.

The following vulnerability knowledge bases were used:

  • ICS-CERT (ics-cert.us-cert.gov);
  • NVD (nvd.nist.gov), CVE (cve.mitre.org);
  • Positive Research (securitylab.ru/lab).

The severity of vulnerabilities in ICS components was assessed based on the Common Vulnerability Scoring System (CVSS) version 3 (first.org/cvss).

Our research includes vulnerabilities published in 2018, as well as additional information about vulnerabilities found by our experts in 2018 and published in 2019.

We only considered vulnerabilities found in the equipment of leading manufacturers of ICS components.

Trends

The number of new vulnerabilities in ICS components rose by 30 percent compared to 2017. At the time of this research, complete information had been published about 243 vulnerabilities, with 14 vulnerabilities still pending analysis.

Detailed analysis of a device or system often reveals not just one but several vulnerabilities. For example, our experts uncovered 12 vulnerabilities in the APROL industrial control system from B&R Automation.[1]

Figure 1. Total number of vulnerabilities found in ICS components

Vulnerabilities published in 2018: distribution by manufacturer

Schneider Electric remained the leader in number of new vulnerabilities in 2018, even though the number of vulnerabilities found in Siemens equipment almost doubled compared to the previous year. The top spots of the two companies can be explained by their wide-ranging, popular product lines.

Figure 2. Vulnerabilities published in 2018: distribution by main ICS manufacturers

Vulnerabilities by component type

The distribution of vulnerabilities by ICS component type changed significantly in 2018. In 2017, the majority of vulnerabilities were found in HMI/SCADA components. But in 2018, vulnerabilities were almost evenly distributed among HMI/SCADA, PLC/RTU, and industrial network equipment.

The percentage of vulnerabilities in PLC/RTU components rose by 7 percent compared to 2017. Our experts found 10 vulnerabilities in PLC modules from Siemens and Schneider Electric.

Figure 3. Vulnerabilities in ICS component types (percentage of vulnerabilities)

Vulnerabilities by type

A significant share of vulnerabilities involve improper authentication or excessive privileges. More than half of these vulnerabilities (64%) can be exploited remotely.

Figure 4. Types of vulnerabilities in ICS components

Vulnerabilities by impact

About 75 percent of vulnerabilities have the potential to affect ICS availability in full or part. Exploitation of these vulnerabilities, for example in network equipment, could disturb network communication and operations: network equipment is a key ICS element that shuttles commands between components.

Figure 5. Vulnerabilities by CVSS metrics (percentage of vulnerabilities)

Distribution of vulnerabilities by severity

More than half of detected vulnerabilities were of critical or high severity, based on CVSSv3 scoring. Such vulnerabilities grew by 17 percent compared to the previous year. A high-severity vulnerability generally affects all three factors of information security: confidentiality, integrity, and availability. In 2018, 58 percent of vulnerabilities had this kind of three-part impact. And in only 4 percent of cases was the difficulty of exploiting them assessed as high. In other words, attackers do not usually require any special conditions to disrupt the security of ICS elements.

Figure 6. Severity of vulnerabilities

Summary of vulnerabilities in ICS components detected by Positive Technologies

In 2018 and early 2019, information about 54 vulnerabilities found by our experts was published. The vulnerabilities were detected in ICS components made by ABB, B&R Automation, Hirschmann, Moxa, Phoenix Contact, Schneider Electric, and Siemens. 14 of them were critical; 11 were of high risk.

For example, a vulnerability in Moxa switches allowed brute-forcing credentials over the switches' proprietary protocol on TCP port 4000. Exploiting it gives control of the switch and, potentially, of the entire industrial network. To obtain a firmware version with the fix, end users must specifically request it from the vendor.

For more vulnerabilities found by our experts, see the Positive Technologies website: https://www.ptsecurity.com/ww-en/analytics/threatscape/.

Availability of ICS components on the Internet

Materials and methods

The researchers searched for Internet-accessible ports using publicly available search engines such as Shodan (shodan.io), Google, and Censys (censys.io). Shodan scans a fixed set of ports from a known set of IP addresses, which some administrators and firewall vendors have blacklisted, so its results alone do not cover every exposed device. To extend the scope of analysis, we therefore added data obtained using Google and Censys.

Figure 7. Number of Internet-accessible ICS components (top 10 protocols)

Prevalence

The research revealed 224,017 ICS components available online, which is 27 percent more than in 2017.

HTTP remains the most popular protocol. In 2018, experts detected 10,000 more ICS devices supporting HTTP than in 2017.

The number of devices supporting Ethernet/IP increased by 25 percent compared to 2017, making it the second-most common protocol (after HTTP). The number of devices on the Fox protocol declined by 9 percent.

Figure 8. Number of Internet-accessible ICS components (top 15 countries)

Geographic distribution

Compared to 2017, distribution by country remained nearly identical. The U.S. still leads in the number of ICS components accessible online. The country's share grew by a third compared to the previous year, now accounting for 42 percent of the total. Russia rose from 28th place in 2017 to join the top 15 countries in 2018 at 12th place, with 3,993 devices.

Distribution by vendors and products

Distribution by vendors remained practically unchanged compared to 2017. At the time of this research, approximately 30,000 Honeywell devices were accessible. The number is only slightly higher than in 2017 (by around 7%), but the trend remains consistent from year to year. The share of Niagara Framework also slightly increased (by approximately 5%).

Figure 9. Number of Internet-accessible ICS components (top 10 vendors)

Figure 10. Number of Internet-accessible ICS components (top 10 products)

Types of ICS components

SCADA/HMI/DCS industrial control systems account for almost a third of Internet-accessible components (27%). The shares of network devices and PLCs each increased by 6 percent (from 13% each in 2017).

Figure 11. Number of Internet-accessible ICS components (distribution by type)

Conclusion

As our findings show, the number of vulnerabilities in the equipment of various manufacturers grows year after year, while the number of Internet-accessible ICS components does not diminish. The number of vulnerabilities in the products of leading manufacturers grew by 30 percent compared to 2017. The share of critical and high-severity vulnerabilities increased by 17 percent.

On average, vendors take a rather long time to fix vulnerabilities (more than six months). Elimination of some vulnerabilities, measured by time from vendor notification to release of a patch, can take more than two years. For end users, such protracted responses increase the risk of exploitation of device vulnerabilities.

More than 220,000 ICS components are available online, which is 27 percent higher than in 2017. Most of them are automation system components. Such systems are mainly located in the U.S., Germany, China, France, Italy, and Canada, even though lawmakers have long been concerned about the security of such devices and systems. For example, the International Organization for Standardization (ISO) has recently published new guidance to reduce the risks of cyberattacks on machinery.

Our research proves yet again that the security of ICS components has room to improve. Without constant attention and adequate protection, such components are at risk of being disrupted or disabled.

[1] Part of ABB, a leading world manufacturer of industrial equipment, since July 2017.