View all newsletters
Receive our newsletter – data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
August 29, 2018updated 30 Aug 2018 9:33am

Bug Hunters Double SCADA Vulnerability Finds

"Plant staff are already overwhelmed with security hygiene tasks for existing assets. There is no bandwidth for coordinating security patches from a multitude of different OEMs"

By CBR Staff Writer

Independent cybersecurity researchers found nearly double the number of vulnerabilities in SCADA systems in the first six months of 2018 as they did in H1 of 2017, according to a new report by Japanese multinational Trend Micro, amid rising concerns about infrastructure security.

The 202 holes spotted in such industrial control systems are not necessarily a bad thing – they are being disclosed because vendors are engaging in bug bounty programmes, which pay out to security researchers who can find flaws in their software or hardware potentially exploitable by a malicious hacker.

The company, which runs the world’s largest bug bounty programme, also noted in its 2018 mid-year security roundup that such vulnerabilities are taking far too long to plug: “The resolution of a discovered SCADA-related vulnerability can take around 150 days on average, according to a study conducted by our researchers.”

(Trend Micro reported yet another SCADA vulnerability disclosure, this one affecting systems from vendor LAquis earlier today, August 29).

SCADA systems are typically used to control industrial processes locally or remotely, as well as for monitoring and processing real-time data. Their security, along with that of  Industrial Control Systems,  is under heightened scrutiny since the NIS Directive – which aims to raise EU network security and resilience – came into force in May.

See also: Critical Infrastructure Security: “The NIS Directive Sucks”

More than half of the 202 SCADA-related vulnerabilities were found in the web-based HMI (human-machine interface) software Advantech WebAccess, described by the Taiwanese vendor as a “100% web-based IIoT platform with open interfaces for developing IoT applications. It also acts as a gateway for collecting data from ground equipment and transferring the data to cloud applications via MQTT publish/subscribe.”

Bug Bounties - The cost of fixing bugs throughout the SDLC

A SCADA HMI is the main digital hub that manages critical infrastructure and
oversees the status of different control systems, which in turn have direct control over plant operations. It typically has limited access to the individual processes, but is able to send production goals or value targets and harvest diagnostic data.

Content from our partners
Harnessing the power of low code and no code development
Signs your accounting software is no longer fit for your growing business
Incumbent banks must transform at speed, or miss the benefits of open banking

(It may be unfair to single out Advantech, whose participation in a respected bug bounty programme paints a picture of a company at least willing to engage with security researchers to improve its products by soliciting attempts to find gaps in its systems; not all do…)

Actors Moving on from “Mere Reconnaissance”

“The Trend Micro Zero Day Initiative (ZDI) published more than 600 advisories in the first six months of 2018. Based on this increase in advisories, the ZDI is able to predict what types of vulnerabilities will likely be used next in real-world attacks,” Trend Micro said in its 2018 Mid-year Security Roundup.

The company added: “Among the advisories this year, the ZDI purchased and disclosed twice as many SCADA vulnerabilities compared to the same time last year. IT security managers running these environments must stay alert to this growing threat, especially as actors begin to perform destructive attacks rather than mere reconnaissance.”

Companies working in critical infrastructure typically engage in sustained “red teaming” as well as bug bounty programmes in a bid to spot weaknesses. Speaking at an event attended by Computer Business Review in London earlier this year, for example, the CISO of Italian utility Enel, Yuri Rassega said his company performed “around 400 deep vulnerability tests on our critical assets every year”.

“A Daunting Challenge” 

The 2018 SANS Industrial IoT Security Survey paints a picture of a challenging security environment for those in the operational technology (OT) sector.

“Lack of control over development processes and complex supply chains aggravates end user concerns. Managing endpoint security updates and patches is another daunting challenge. Plant staffs are already overwhelmed with security hygiene tasks for existing assets. There is no bandwidth for coordinating security patches from a multitude of different OEMs. Likewise, few plants have the kind of secure remote access needed to enable direct management by the OEMs”, said Sid Snitkin, VP, cybersecurity services for the ARC Advisory Group.

Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy
SUBSCRIBED

THANK YOU