Over the course of 2015, greater visibility was given to industrial control system security through the early advisory services that are published to provide readers with the latest developments on cybersecurity vulnerabilities and advisories.
The aim of this new service specific to the industrial control systems environment is to continue raising awareness among the individuals who play a role in improving industrial control system security. The new service also aims to make vulnerabilities known so that customers can be prepared when the time comes to update and implement security measures on their systems.
With this in mind, INCIBE, through INCIBE-CERT, put a special emphasis on industrial security in 2015 by publishing, along with other articles, content specifically related to industrial security on its blog. It also drew special attention to this topic on a day-to-day basis with the early advisory system and the security advisories for industrial control systems.
In 2015, the alert service continued to reflect the main vulnerabilities that affect the industrial sector. Taking a look at the work carried out in 2015 reveals the following results:
134 vulnerability advisories were issued with regard to the industrial sector, including alerts for devices, applications and communication elements used in this sector.
-Number of advisories issued each month-
Security alerts were posted throughout the year, albeit with fluctuations in the number of publications each month. These variations showed a lower number of vulnerabilities during the summer months followed by a rise again in advisories during the final months of the year.
With regard to the sectors concerned, we can observe that the security advisories that were issued affected almost all of the strategic sectors defined by Law 8/2011, as shown in the following graph:
-Evolution of advisories by sector. Energy sector was most severely affected (in percentages)-
We must keep in mind that some of the advisories that were issued affect multi-purpose devices that may be used by a number of sectors, so one alert can affect several sectors simultaneously. Hence, the products (devices and applications) used in the energy sector were the ones most severely affected by the alerts nearly every month.
Does this mean that the level of security in the energy sector is lower? No - it is simply due to the fact that energy is the most comprehensive sector, entailing many different processes and millions of operational devices. Additionally, this is the sector which receives the greatest attention in terms of security improvements, which involve several security analyses conducted on devices. These analyses lead to the discovery of new vulnerabilities and their subsequent advisories.
Types of advisories
Each advisory may be associated with more than one type of vulnerability that affects one device or family of devices. The following image illustrates the breakdown of alerts according to their nature and shows that the advisories for insecurity of stored and processed information stand out above the rest. These information insecurity advisories involve alerts related to an absence of encryption, credentials embedded in devices, a lack of authentication, etc.
-Types of vulnerabilities. Bear in mind that one alert may correspond to a number of vulnerabilities-
The most frequently discovered vulnerabilities after issues concerning insecurity in information processing are code execution and denial of service.
Although not one of the top three types of vulnerabilities, denial of service alerts represent one out of every five advisories. This type of alert is especially important since a denial of service in industrial control systems can prove fatal in certain processes, just as the execution of arbitrary code is equally critical given its potential to modify both device programming as well as device behaviour and operations.
It is also important to note that many of the advisories that were issued in 2015 corresponded to vulnerabilities that can be remotely exploited. This makes it necessary to raise awareness in all companies about protecting their network perimeter by controlling the services that they expose to the Internet, thus preventing these services from being exploited by potential attackers.
Following the general trend, large companies concerned with control systems were those that were most severely affected by the issued alerts. This tendency does not mean that these companies are less secure, nor that they do not pay attention to device/application security protection. Rather, this trend is the result of a large number of different systems and deployed units that, given their level of exposure, show an increased probability of presenting product vulnerabilities. Likewise, the disclosure of vulnerabilities and the development of the corresponding patches also demonstrate these companies’ level of commitment to the security of their products.
-Number of advisories posted by each manufacturer-
The above image shows that Siemens, Schneider Electric, Rockwell Automation and Moxa are the manufacturers affected by the majority of the alerts, so much so that the sum of the alerts from the rest of the manufacturers only slightly exceeds that of these top four.
The degree of criticality is determined according to a number of parameters such as impact, likelihood/ease of exploitation, etc. Over the course of 2015, two thirds of the advisories issued represented either "critical" or "high" severity levels, meaning that they had a high impact on industrial control systems. The following pie chart illustrates the percentage of advisories according to their level of criticality.
These alert ranking percentages reveal that many of the vulnerabilities that were posted are easily exploitable, enable the disclosure of system information and, finally, make it possible to lead systems to a state that may pose a risk to the system itself, to employees or to human lives in general.
Evolution in 2016
On account of a heightened awareness among the researchers and manufacturers concerned with industrial control systems, as well as the maturity and evolution of these systems, the year 2016 will keep up with the pace set in 2015 and will maintain the number of registered alerts.
Likewise, the results of the evaluation of the different sectors should gradually become more similar as they continue to mature and develop. However, we must continue to bear in mind that not all sectors are equally extensive, meaning that the largest sectors will continue to be the most exposed.
With regard to manufacturers and their alerts, the large industrial control system manufacturers will continue to lead the way with the highest number of registered alerts owing to their ample product catalogues, while the smaller manufacturers will remain less exposed.