The State of SCADA Security

Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems are critical as they are used to monitor and control the delivery of essential services such as electricity, natural gas, water, waste treatment and transportation. But when it comes to securing ICS/SCADA systems, we have some significant challenges to overcome.

This week I’ll be discussing SCADA vulnerability trends at Infosec World 2015, where I will present data collected by the Qualys Security Labs on ICS/SCADA. All data presented here is based on our analysis of the ICS/SCADA vulnerabilities published last year. These trends are key indicators that support the challenges with securing ICS/SCADA systems today.

The first trend that we notice is that the number of vulnerabilities decreased by about 14% as compared to prior year. In fact this trend has been there since 2013. Now there is a possibility that vulnerabilities are being kept secret but that is always the case with any type of vulnerability and we can analyze only based on the data that was reported.

Not all SCADA systems are the same; in fact most systems are different. But studying them from a security point of view, they can be broken down into the following components that are present in every system in some form:

• Acquisition: Data acquisition includes sensors, meters and field devices, such as photo sensors, pressure sensors, temperature sensors and flow sensors. In 2014, only about 1% of the total ICS/SCADA vulnerabilities were present in data acquisition. For example, in CVE-2014-2378 the road traffic sensor accepted modifications without sufficient checks which may cause the traffic system to default to a failsafe condition, prompting traffic lights of an intersection to operate on predetermined timed intervals.
• Conversion: Remote terminal unit (RTU), intelligent electronic devices (IEDs) and programmable logic controllers (PLC) are example devices that fall under this category. In 2014 about 14% of vulnerabilities were present in the conversation component. For example, the PLC in CVE-2014-0769 is used for automated assembly and manufacturing in solar cell manufacturing, automobile assembly, parts control, and airframe manufacturing where tolerances are particularly critical to end product operations. Two unauthenticated ports (Port 4000/TCP debug service and Port 4001/TCP log service) could allow modification of memory and logging. This can allow attackers to change system configuration and furthermore remove log records that indicate system change to hide malicious activity.
• Communication: Data communication consists of communication medium and uses various communication protocols like ModBus, DNP3, ControlNet, ProfiBus, ICCP, OCP and others. We were expecting a majority of all ICS/SCADA vulnerabilities to fall in this category. But to our surprise only 21% of vulnerabilities were present in communication. CVE-2014-5410, CVE-2014-0761, CVE-2014-2342, CVE-2013-6143 are some of the example that affected DNP3 components and DNP3 components contributed to about quarter of all the communication vulnerabilities.

• Presentation and Control (HMI): This consists of devices used to monitor and control data received from various communication channels. It includes Human Machine Interface (HMI), which the operator uses to monitor and react to alerts and alarms. In 2014, the lion’s share of vulnerabilities – about 63% were found in this component. Most ics/scada vendors have shifted or are shifting to web based HMIs. As a result a lot of directory traversal attacks, buffer overflows, XSS, SQL Injection, CSRF and other web related vulnerabilities affected this component. Some examples are CVE-2014-5436, CVE-2014-5417, CVE-2014-2358, CVE-2014-2376, CVE-2014-2353 and CVE-2014-0751.

Over the years vulnerabilities in ICS/SCADA have moved away from acquisition to the presentation layer. And in the last two year this trend has been dramatic. As vendors migrate HMI to web based systems, more vulnerabilities have now appear in web HMI components. Data communication and conversion are still affected with vulnerabilities but attackers tend to gravitate towards the easiest path to exploitation and web based HMI is an easy target.

Securing ICS/SCADA systems is complex. But some basic security practices like access control and access roles, patching, removing debug services or even checking if your system is inadvertently exposed to the Internet can help. Couple that with auditing and vulnerability assessment and you are on your way to a much better (and more secure) ICS/SCADA infrastructure.