Wednesday, November 14, 2012

SCADA Safety In Numbers: Report highlighting SCADA insecurities

40% of SCADA systems connected to the Internet are vulnerable and can be hacked by less savvy cyber-criminals

A new report that attempts to quantify the risks to Industrial Control Systems (ICS) contends that more software flaws are being detected in the sensitive systems since the 2010 discovery of Stuxnet, but the report may be based on some faulty assumptions, according to one ICS expert.

The report, SCADA Safety In Numbers (.pdf), was produced by Russian vulnerability management vendor Positive Technologies Security. The analysis is based on data collected from an array of vulnerability databases and exploit packs. It found that more than 40% of SCADA systems connected to the Internet are vulnerable and can be hacked by less savvy cyber-criminals.

The study also found that 64 vulnerabilities had been discovered and reported in industrial-control system products by the end of 2011, and nearly 100 coding errors had already been reported this year. The authors contend that for each of the bugs disclosed over the last two years, they “searched for generally available methods of exploiting the [vulnerabilities] and provided an expert evaluation of the related risks.”

“The fact that this paper attempts to identify and classify vulnerabilities based on risk level is inappropriate,” said Langill, who is also known throughout the industry by his handle SCADAhacker.

Just because a device in an ICS system is potentially vulnerable and accessible via the Internet does not necessarily mean it poses any risk to the end-user, Langill said. An end-user may have followed recommended practices and placed a device in special “zones” that offer “hidden” security controls to protect against compromise, he said.

A claim in the report that 39% of the ICS systems in North America are vulnerable to compromise is suspect and based on faulty analysis, Langill said. In order to capitalize on a specific vulnerability, an attacker would also have to overcome all of the existing layers of security that are in place. That, Langill said, turns a seemingly simple exploit of a vulnerability with a high CVSS score into a very sophisticated attack that would be difficult to execute, and one that would realistically be classified with a very low "effective" CVSS score.

“It is important not to confuse a ‘component’ vulnerability with a ‘system’ vulnerability,” Langill said. “It is possible, and not uncommon, for vulnerable components to be installed within an ICS network that is equipped to provide a barrier against various threats. Therefore, the system compensates for these known and unknown vulnerabilities by creating isolation within the ICS architecture.”

Langill said many of the vulnerable components listed in the report come from companies that do not hold any significant market share, which potentially skews the results relative to the actual number of vulnerable systems. He also noted that most ICS architectures contain far more embedded devices than Windows-based hosts, yet nearly all of the vulnerabilities disclosed in the report affect software running in a Windows environment.

In my humble opinion, despite the weaknesses identified in the Positive Technologies report, there is still value in the research with regard to drawing more attention to the problem of sensitive ICS systems that are exposed by way of the Internet.

Please refer here to download the report.
