A new report that attempts to quantify the risks to Industrial Control Systems (ICS) contends that more software flaws are being detected in the sensitive systems since the 2010 discovery of Stuxnet, but the report may be based on some faulty assumptions, according to one ICS expert.
The report, SCADA Safety In Numbers (PDF), was produced by Russian vulnerability management vendor Positive Technologies Security. The analysis is based on data collected from an array of vulnerability databases and exploit packs. It found that more than 40% of SCADA systems connected to the Internet are vulnerable and can be hacked by less savvy cybercriminals.
The study also found that 64 vulnerabilities were discovered and reported in industrial-control system products by the end of 2011. And nearly 100 coding errors were reported already this year. The authors contend that for each of the bugs disclosed over the last two years, they “searched for generally available methods of exploiting the [vulnerabilities] and provided an expert evaluation of the related risks.”
Joel Langill, a recognized expert on ICS security issues, said the methods the authors used to assess risk levels in industrial environments led to misleading conclusions. Some of the conclusions on overall risk outlined in the report are not as widely applicable as the study’s authors portray them to be, Langill said, adding that the report could be characterized as unnecessarily alarmist.
“The fact that this paper attempts to identify and classify vulnerabilities based on risk level is inappropriate,” said Langill, who is also known throughout the industry by his handle SCADAhacker.
Just because a device in an ICS system is potentially vulnerable and accessible via the Internet does not necessarily mean it poses any risk to the end-user, Langill said. An end-user may have followed recommended practices and placed a device in special “zones” that offer “hidden” security controls to protect against compromise, he said.
A claim in the report that 39% of the ICS systems in North America are vulnerable to compromise is suspect and based on faulty analysis, Langill said. In order for an attacker to capitalize on a specific vulnerability, they would also have to be able to overcome all of the existing layers of security that are in place, Langill said, turning a seemingly simple exploit of a vulnerability with a high CVSS score into a very sophisticated attack that would be difficult to execute and realistically classified with a very low “effective” CVSS score.
“It is important not to confuse a ‘component’ vulnerability with a ‘system’ vulnerability,” Langill said. “It is possible, and not uncommon, for vulnerable components to be installed within an ICS network that is equipped to provide a barrier against various threats. Therefore, the system compensates for these known and unknown vulnerabilities by creating isolation within the ICS architecture.”
Langill said many of the vulnerable components listed in the report come from companies that do not hold any significant market share, which potentially skews the results away from the actual number of vulnerable systems. He also noted that most ICS architectures contain far more embedded devices than Windows-based hosts, yet nearly all of the vulnerabilities disclosed in the report are specific to a Windows environment.
Langill said one of the reasons he works closely with other experts in evaluating the true impact of ICS-related security vulnerabilities is to better understand whether many of the published vulnerabilities the report cites can actually be exploited in a real-world ICS environment.
“Sure, any one could stick an engineering workstation on a network and download rogue programs or faulty firmware to controllers, but is this representative of a reasonable threat? Of course not,” Langill said. “So any mention of vulnerability in a component should be evaluated against the system in which it resides and blended with a basic risk analysis matrix in order to properly prioritize the actual risk.”
Research still valuable, says expert
Officials at Positive Technologies Security did not return an email request seeking comment. Even in light of the weaknesses identified in the Positive Technologies report, the research still has value in drawing more attention to the problem of sensitive ICS systems exposed by way of the Internet, said Chris Blask, chair of the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC).
“While Joel is exactly correct as to the consequences of vulnerable devices being harder to define than the act of simply finding vulnerable devices themselves, the research itself does provide value by providing additional evidence for the existence of exposed systems,” Blask said.
Blask points out that the Positive Technologies report was published in roughly the same timeframe as the Project Shine (short for Shodan Intelligence Extraction) work done by Bob Radvanovsky and Jake Brodsky, in which roughly half a million ICS devices with Internet connections were enumerated.
“These findings add weight to the supposition that it is diligent at this point to assume that various parties - including those with negative intent - have compiled data sets including large numbers of exposed systems. The likelihood of threat actors using these data sets in combination with either the type of brute-force effort, or with the intelligence Joel indicates, to successfully execute high-impact attacks increases as a function of time,” Blask said.
The Publicly Accessible Control System (PACS) working group, established by the ICS-ISAC in association with EnergySec and a broad spectrum of private sector organizations, is an example of the coordination necessary to address the risks implicit in research such as Project Shine and Positive Technologies’ paper.
“It is effectively beyond question that a large number of industrial systems are Internet-connected and that many of these bear risks of compromise. All parties involved need to focus on practical reduction of the existing risks that can be implemented within the timeframes available, and on reducing the growth of the overall risk as the connectivity of industrial systems continues to increase,” Blask concluded.
About the author:
Anthony M. Freed is an information security journalist and editor who has authored numerous feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. You can also find him tweeting about security topics on Twitter @anthonymfreed.