Independent cybersecurity researchers found nearly double the number of vulnerabilities in SCADA systems in the first six months of 2018 as they did in H1 of 2017, according to a new report by Japanese multinational Trend Micro, amid rising concerns about infrastructure security.
The 202 holes spotted in such industrial control systems are not necessarily a bad thing – they are being disclosed because vendors are engaging in bug bounty programmes, which pay out to security researchers who can find flaws in their software or hardware potentially exploitable by a malicious hacker.
The company, which runs the world’s largest bug bounty programme, also noted in its 2018 mid-year security roundup that such vulnerabilities are taking far too long to plug: “The resolution of a discovered SCADA-related vulnerability can take around 150 days on average, according to a study conducted by our researchers.”
(Trend Micro reported yet another SCADA vulnerability disclosure, this one affecting systems from vendor LAquis earlier today, August 29).
SCADA systems are typically used to control industrial processes locally or remotely, as well as to monitor and process real-time data. Their security, along with that of industrial control systems more broadly, has been under heightened scrutiny since the NIS Directive – which aims to raise network security and resilience across the EU – took effect in member states in May 2018.
More than half of the 202 SCADA-related vulnerabilities were found in the web-based HMI (human-machine interface) software Advantech WebAccess, described by the Taiwanese vendor as a “100% web-based IIoT platform with open interfaces for developing IoT applications. It also acts as a gateway for collecting data from ground equipment and transferring the data to cloud applications via MQTT publish/subscribe.”
A SCADA HMI is the main digital hub that manages critical infrastructure and oversees the status of different control systems, which in turn have direct control over plant operations. It typically has limited access to the individual processes, but is able to send production goals or value targets and harvest diagnostic data.
(It may be unfair to single out Advantech, whose participation in a respected bug bounty programme paints a picture of a company at least willing to engage with security researchers to improve its products by soliciting attempts to find gaps in its systems; not all do…)
Actors Moving on from “Mere Reconnaissance”
“The Trend Micro Zero Day Initiative (ZDI) published more than 600 advisories in the first six months of 2018. Based on this increase in advisories, the ZDI is able to predict what types of vulnerabilities will likely be used next in real-world attacks,” Trend Micro said in its 2018 Mid-year Security Roundup.
The company added: “Among the advisories this year, the ZDI purchased and disclosed twice as many SCADA vulnerabilities compared to the same time last year. IT security managers running these environments must stay alert to this growing threat, especially as actors begin to perform destructive attacks rather than mere reconnaissance.”
Companies working in critical infrastructure typically engage in sustained “red teaming” as well as bug bounty programmes in a bid to spot weaknesses. Speaking at an event attended by Computer Business Review in London earlier this year, for example, Yuri Rassega, CISO of Italian utility Enel, said his company performed “around 400 deep vulnerability tests on our critical assets every year”.
“A Daunting Challenge”
The 2018 SANS Industrial IoT Security Survey paints a picture of a challenging security environment for those in the operational technology (OT) sector.
“Lack of control over development processes and complex supply chains aggravates end user concerns. Managing endpoint security updates and patches is another daunting challenge. Plant staffs are already overwhelmed with security hygiene tasks for existing assets. There is no bandwidth for coordinating security patches from a multitude of different OEMs. Likewise, few plants have the kind of secure remote access needed to enable direct management by the OEMs”, said Sid Snitkin, VP, cybersecurity services for the ARC Advisory Group.