Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.
By Eric Byres
SCADA/ICS security is in worse shape than I thought. Much worse shape.
That was the realization I came to after attending Digital Bond’s S4 SCADA Security Symposium. The “Firesheep/Project Basecamp” ICS/SCADA disclosures were interesting, but they have already been reported on, so I will not repeat that information. Instead, I want to discuss another talk, one that didn’t grab big headlines but really shocked me.
It is Sean McBride’s talk entitled “The ‘Lost’ Decade: An Empirical Analysis of ICS-Specific Vulnerabilities since 2001.” He presented an analysis of the publicly disclosed ICS vulnerabilities since 2001 – an avalanche of revealing statistics on how ICS vendors are dealing with security problems.
It is no secret that 2011 was a bad year for publicly disclosed vulnerabilities, but Sean made the pain clear: there were 215 ICS vulnerabilities in the last 12 months. That is more vulnerabilities than in the previous decade.
As Sean said, “The public disclosures barely scratch the surface of the vulnerabilities that actually exist.”
Now maybe the news wouldn’t be so bad if the ICS vendors were like IT vendors and fixed these bugs, but it appears that many are not. Fewer than half of the 364 public vulnerabilities have patches available. Some ICS companies simply don’t appear to care.
Advantech has 12 public vulnerabilities (half with exploits), and only one patch available. If I were an Advantech customer I would be screaming at them, while installing firewalls and IDS (Intrusion Detection System) equipment as fast as I could.
Even when there are patches, many are useless. Sean quoted an ICS-CERT presentation from FIRST 2011: “ICS-CERT has seen a 60% failure [rate] in patches fixing the reported vulnerability.”
It is not all bleak, as a few companies bucked the trend and responded to vulnerabilities:
• Honeywell — for informing its customers about the vulnerabilities in the bundled Rockwell EDS Hardware Installation Tool shipped with every Experion system.
• 7-Technologies (a division of Schneider) — for patching 16 out of 17 vulnerabilities.
But for the most part, vendors performed poorly when it came to addressing vulnerabilities, even when their products have public exploits.
Sean’s analysis is concerning, and not just for the obvious fact that we have a lot of insecure ICS/SCADA product in the field. It appears vendors are either not taking this seriously or don’t know how to.
Dale Peterson, founder and chief executive of Digital Bond and the S4 Conference, disclosed the flood of ICS vulnerabilities at S4 (via the “Project Basecamp: Hacking and Exploiting PLCs” talk) in order to scare the vendors into moving on security. But looking at the statistics, I am not sure the tactic will work.
In 2011 too many vendors learned of vulnerabilities in public and didn’t hear their customers yelling, so they went back to sleep. The result? The security community knows there is a problem, and the bad guys know there is an opportunity, but end users remain in the dark.
Now if you are reading this blog, you care about security and you want to do something about it. Unfortunately, either there aren’t enough of you, or you’re not telling the vendors that security matters via your requests for proposals.
The word has to go out: Spread the message to fellow end users and control engineers that ICS security is vital. Tell your vendors you expect secure products. Tell your purchasing departments to make good security practices a condition of sale. It doesn’t matter if you tweet, blog, write a memo or talk over a coffee. Just get the message out. Start the revolution.
Eric Byres is chief technology officer at Byres Security.