SlideShare a Scribd company logo

ics-vulnerability-trend-report-final

N
Nick Rossmann
1 of 12
Download to read offline
FIREEYE iSIGHT INTELLIGENCE CRITICAL LESSONS FROM 15 YEARS OF ICS VULNERABILITIES 2016 Industrial Control Systems (ICS) Vulnerability Trend Report OVERLOAD SPECIAL REPORT / AUGUST 2016
CONTENTS Introduction 3 Key Judgments 4 Methodology 5 By the Numbers 5 ICS-Specific Vulnerability Disclosures Over Time 6 Stuxnet Drove Interest in ICS-Specific Vulnerabilities 6 Average Yearly Disclosures Likely to Increase, but Not 2015 Rate 6 Vulnerabilities by ICS Level 7 Most Disclosures Affect Level 2 Probably Due to Researcher Familiarity and Product Availability 8 Access to Level 2 Allows for a Threat Actor to Manipulate Processes 8 Patch Availability 9 More Than One-Third of ICS Vulnerabilities are Unpatched at the Time of Disclosure, a Trend Likely to Persist 9 ICS Vulnerabilities Exploited in The Wild 10 Exploitation of ICS-Specific Vulnerabilities to Accrue at Slow Rate 10 Sandworm Team Undermines Three Ukranian Electricity Distributors 10 Outlook 11 Recommendations 11
In the past several years, a flood of vulnerabilities has hit industrial control systems (ICS) — the technological backbone of electric grids, water supplies and production lines. These vulnerabilities affect the reliable operation of sensors, programmable controllers, software and networking equipment used to automate and monitor the physical processes that keep our modern world running. INTRODUCTION Since 2000, FireEye iSIGHT Intelligence has identified nearly 1,600 publicly disclosed ICS vulnerabilities. Many of these are unpatched — and some are simply unpatchable due to outdated technology —providing open paths for adversarial exploitation. Nation-state cyber threat actors have exploited five of these vulnerabilities in attacks since 2009. Unfortunately, security personnel from manufacturing, energy, water and other industries are frequently unaware of their own control system assets, let alone the vulnerabilities that affect them. Organizations operating these systems are missing the warnings and leaving their industrial environments exposed. This report highlights trends in total ICS vulnerability disclosures, patch availability, vulnerable device type and vulnerabilities exploited in the wild. SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 3
SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 4 The discovery of Stuxnet in 2010 drove interest in industrial control systems (ICS) vulnerability research. FireEye iSIGHT Intelligence counted just 149 ICS vulnerability disclosures that were made between January 2000 and December 2010. Through April 2016, we have counted 1,552. We anticipate this upward trend will continue. 58% Most (58%) of the 801 ICS-specific vulnerability disclosures since February 2013 dealt with Level 2 (L2) in the simplified Purdue ICS architecture model, which describes how manufacturing devices interface with computers. We surmise that this is because L2 software is easier to obtain than L1 devices and is more familiar to a greater number of vulnerability researchers. However, adversary access to L2 alone is generally sufficient for at-will interaction with the controlled process. Vulnerability patching presents a significant challenge. Of the 1,552 total vulnerability disclosures we examined, 516 (33%) had no vendor fixes. The lack of vendor fixes and slow patch times for most industrial environments presents a significant opportunity for potential adversaries. Through April 2016, at least five ICS-specific vulnerabilities have been exploited in the wild, a rate we anticipate will increase in the future. In light of these observations and trends, we recommend that ICS asset owners: • Prepare their security teams with an accurate understanding of control system assets, their locations, and functions. • Obtain structured vulnerability and patch feeds that cover a wide variety of sources. • Match the vulnerability disclosures and patch announcements against their asset inventory. • Track vulnerable and unpatched products currently used in their industrial environments. • Prioritize vulnerability remediation efforts by considering ICS architecture location, simplicity of exploitation and possible impact on the controlled industrial process. KEY JUDGMENTS
SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 5 For the purpose of this report, ICS-specific vulnerability disclosures consist of a vulnerability announcement where 1) a disclosing party specifically examined products intended to aid in the operation of an industrial process, and 2) exploitation of the vulnerability has a distinct impact on the controlled industrial process. • We do not count a disclosure unless it names a specific product. • We exclude general purpose operating systems, such as Microsoft Windows, even though human machine interfaces (HMIs), engineering laptops and supervisory control and data acquisition (SCADA) servers commonly use them. We also exclude database applications, such as Oracle and SQL Server, even though control system applications and historians commonly incorporate them. Parties disclosing vulnerabilities in these products have not generally done so with ICS in mind. • By the same reasoning, we excluded major third-party software vulnerabilities/attacks, including POODLE, Heartbleed, and Shellshock, though a variety of ICS-specific software exhibits these issues. • Further, if a researcher discloses a vulnerability that affects multiple products that have different uses in an industrial environment, and those uses lead to differing impacts on the controlled process, we count them separately. For example, if a researcher discloses a vulnerability in an OPC server (a type of process controller) library the vendor bundles into both a historian and an engineering workstation, we count this as two disclosures because successful exploitation can lead to distinct process impacts. • Additionally, we have not independently confirmed the accuracy of the disclosures or the efficacy of associated patches. METHODOLOGY 1,552 15 465 90 33 123 BY THE NUMBERS Number of ICS SPECIFIC VULNERABILITIES we analyzed YEARS OF DISCLOSURES in our research NUMBER OF DISCLOSURES impacting Level 2 of the simplified Purdue model, which typically includes SCADA systems PERCENTAGE OF VULNERABILITIES in our data set disclosed after Stuxnet emerged in media reports in mid-2010 PERCENTAGE OF VULNERABILITIES without a patch at time of disclosure TOTAL NUMBER OF VENDORS affected by vulnerability disclosures
SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 6 STUXNET DROVE INTEREST IN ICS-SPECIFIC VULNERABILITIES An examination of 1,490 ICS-specific vulnerability disclosures between 2000 and 2015 (see Figure 1) shows a sharp increase in 2011. We believe the media attention garnered by Stuxnet is the principal driver of the increase: • Stuxnetwas the first publicly recognized attack to exploit vulnerabilities in ICS products.1 Media coverage began in mid-2010 and continued for the next 18 months. • There was a general slow upward trend prior to 2010, which itself saw just 55 ICS vulnerability disclosures. • 2011 included 219 ICS vulnerability disclosures, representing a 300% growth from 2010. • Most (90%) of the vulnerabilities came after 2010, though that accounts for only one-third of the timeline. • While the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which coordinates vulnerability disclosures between researchers and vendors, formally launched in November 2009, may have had some effect on disclosure rates, we consider that effect secondary because CERT/CC effectively coordinated ICS- specific vulnerability disclosures before that date. ICS-SPECIFIC VULNERABILITY DISCLOSURES OVER TIME TWO -YEAR ROLLING AVER AGE AVERAGE YEARLY DISCLOSURES LIKELY TO INCREASE, BUT NOT AT 2015 RATE We identify another sharp increase from 2014 to 2015— when disclosures rose from 249 to 371, or by 49%. Prior to this (from 2011 to 2014), disclosures rose an average of just 4.7% annually. We anticipate that the average number of ICS-specific vulnerability disclosures will increase during the next several years at about the rate it did from 2011 to 2014 (5%) rather than the rate in 2015 (49%). We surmise that the 2015 increase represents an anomalous spike rather than a new threshold because 92 of the vulnerabilities were caused by two large groups of disclosures that vendors released at a single time: 56 from OSIsoft and 36 from Yokogawa.2,3 • The size of these vendor releases are anomalous in the data set. The next largest group of disclosures by a vendor was 12 in 2014. • Releasing a set of vulnerabilities — versus one-by-one as they are likely discovered — indicates that the vendor may be choosing to address them all at once rather than serially. Vendors may believe that a group and disclose approach enhances marketing of new releases, but we have yet to determine whether this approach is a trend. • We suggest the Yokogawa vulnerabilities may have been discovered simultaneously because they dealt with similar buffer overflows, but affected multiple products. 1 Keizer, Greg. “Is Stuxnet the ‘best’ malware ever?” Infoworld. 16 September 2010. http://www.infoworld.com/article/2626009/malware/is-stuxnet-the--best--malware-ever-.html 2 OSISoft. OSIsoft Releases Multiple Security Updates for the PI System. 11 August 2015. https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00289. 3 Yokogawa. Yokogawa Security Advisory Report. 10 September 2015. http://web-material3.yokogawa.com/YSAR-15-0003E.pdf 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 400 350 300 250 200 150 100 50 0 FIGURE 1: ICS -SPECIFIC VULNERABILIT Y DISCLOSURES BY YEAR
SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 7 FireEye iSIGHT Intelligence classifies ICS vulnerabilities by their location on a simplified Purdue ICS architectural model.4 The model (as shown in Figure 2) identifies six levels based on the device’s functions and location on the network. We classify industrial networking equipment (normally hardened to withstand harsh temperatures, vibration and dust) in another category. VULNERABILITIES BY ICS LEVEL SENSORS & ACTUATORS Actuators Sensors PLC & RTU PLC RTU DMZ App Server Historian Networking Devices Networking Devices Inter/Intranet Printer Workstation CORPORATE Senses process characteristics, such as temperature, pressure, and level; opens and closes valves; and turns pumps and motors on or off Uses sensor readings to send appropriate commands to actuators and motors SCADA Historian Other Engineering Workstation HMI Allows a human operator to supervise and control the physical process Makes data and applications from the control network available to users outside of the control network Meets general computing needs, including email, databases, and word processing Applications intended to provide remote ICS functionality relying on the public internet, such as mobile device apps Zone 0Zone 1 Zone 2 Zone 3Zone 4 FIGURE 2: SIMPLIFIED PURDUE MODEL OF AN INDUSTRIAL CONTROL SYSTEM 4 The Simplified Purdue model refers to a framework developed by researchers to describe the interconnectivity of computers to manufacturing systems.
SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 8 MOST DISCLOSURES AFFECT LEVEL 2 PROBABLY BECAUSE OF RESEARCHER’S FAMILIARITY WITH THE SYSTEMS AND THE PRODUCT’S AVAILABILITY About half (465 of the 801 vulnerability disclosures from February 2013 to April 2016) affect products at ICS architecture Level 2 (as shown in Figure 3). We believe Level 2 has received the most attention because: • Equipment in this level frequently relies on operating systems, databases, and other information technologies already familiar to vulnerability researchers; and • Technologies used at this level can be easily and inexpensively obtained by vulnerability researchers, such as limited-time, full-featured demonstration versions. FIGURE 3: ICS -SPECIFIC VULNERABILIT Y DISCLOSURES AFFECTING EACH LEVEL FROM FEBRUARY 2013 TO APRIL 2016 (VULNERABILITIES MAY AFFECT MORE THAN ONE ZONE) 500 400 300 200 100 0 ACCESS TO LEVEL 2 ALLOWS A THREAT ACTOR TO MANIPULATE PROCESSES Once an attacker has unrestricted access to Level 2, further exploits and vulnerabilities become less important because: • Devices that directly control the processes, such as HMI and engineering workstations, reside here. Like having a master key, controlling one of those devices gives attackers control of any connected processes. For example, as seen in the attacks on the Ukrainian power companies in December 2014, once attackers have access to the HMI, they can open and close switches and actuators at will without exploiting additional vulnerabilities. • Using unauthenticated protocols allows any computer connected to these networks to interact with the controlled process. For instance, the use of Modbus/TCP allows any device on the network to alter a set point within the process logic executed by the controller. Zone 0 Zone 1 Zone 2 Zone 3 Zone 4 Zone 5 Networking Devices
SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 9 PATCH AVAILABILITY MORE THAN ONE-THIRD OF ICS VULNERABILITIES ARE UNPATCHED AT THE TIME OF DISCLOSURE, A TREND THAT WILL LIKELY PERSIST Of the 1,552 total vulnerabilities we examined, 516 did not have a fix available at the time of public disclosure (as shown in Figure 4). This means that 33% were zero- day vulnerabilities. While early indications for 2016 appear to depart from this number, we doubt this percentage will change significantly in the near future. Figure 4 shows ICS-specific vulnerabilities between January 2010 and April 2016 with a fix available at the time of release and illustrates that the portion of disclosures without a fix has remained fairly constant after 2010. We think several factors may be contributing to the lack of patches: • Researchers did not disclose the vulnerability to the vendor prior to releasing information about it publicly • Vendors did not respond to researcher in a timely way, prompting the researcher to disclose • Vulnerabilities could not be (easily) fixed • Vendors consider vulnerable device end-of-life FIGURE 4: ICS -SPECIFIC VULNERABILITIES SINCE 2010 SHOWING FIX AVAIL ABILIT Y AT TIME 2010 2011 2012 2013 2014 2015 2016 400 350 300 250 200 150 100 50 0 FIXED UNFIXED 1/3OF ICS VULNERABILITIES ARE ZERO DAYS, A TREND LIKELY TO PERSIST
SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 10 5 Symanec. “W32.Stuxnet Dossier.” February 2011. https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf. P. 50. 6 Symanec. “W32.Stuxnet Dossier.” February 2011. https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf. P. 26. 7 General Electric. “GE Intelligent Platforms Product Security Advisory.” 28 October 2014. https://ge-ip.force.com/communities/servlet/fileField?retURL=%2Fcommunities%- 2Fapex%2FKnowledgeDetail%3Fid%3DkA21A000000LW4dSAG%26lang%3Den_US%26Type%3DArticle__kav&entityId=ka21A000000PTSeQAO&field=File_1__Body__s. 8 U.S. Department of Homeland Security. ICS-CERT. “Alert (ICS-Alert-14-281-01E).” 10 December 2014. https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B. 9 U.S. Department of Homeland Security. ICS-CERT. “Advisory (ICSA-16-152-01).” 31 May 2016. https://ics-cert.us-cert.gov/advisories/ICSA-16-152-01. 10 U.S. Department of Homeland Security.” “IR-ALERT-H-16-043-01AP CYBER-ATTACK AGAINST UKRAINIAN CRITICAL INFRASTRUCTURE.” 7 March 2016. http://www.eenews. net/assets/2016/07/19/document_ew_02.pdf. 11 U.S. Department of Homeland Security. “Advisory (ICSA-16-138-01).” 17 May 2016. https://ics-cert.us-cert.gov/advisories/ICSA-16-138-01. ICS VULNERABILITIES EXPLOITED IN THE WILD EXPLOITATION OF ICS-SPECIFIC VULNERABILITIES TO ACCRUE AT SLOW RATE We note that all five instances in which ICS-specific vulnerabilities were exploited can be reasonably tied to nation-state actors. Four of the five — Stuxnet and the attacks in Ukraine — can be tied to direct geopolitical objectives. The success of these incidents in compromising key systems to achieve a political objective or demonstrating an adversary’s capabilities makes us expect that nation-state adversaries will increasingly exploit ICS-specific vulnerabilities. SANDWORM TEAM UNDERMINES THREE UKRAINIAN ELECTRICITY DISTRIBUTORS IN LATE 2015 On Dec. 23, 2015, three Ukrainian electricity distributors found themselves at ground zero for ICS security. A cyber threat group — that we strongly believe is the suspected Russia-based Sandworm Team — had invaded systems and triggered power outages across three regions in western Ukraine. The attackers systemically shut down the flow of electricity by manipulating distribution system dispatcher HMIs — the applications that grid operators use to control the flow of power to homes and businesses. After shutting down the power, attackers exploited two previously unknown vulnerabilities in control systems networking gear to inhibit the utilities’ ability to restore power and maintain control of the grid. While ICS vulnerability disclosures were influenced by Stuxnet, we have not observed a corresponding increase in ICS vulnerability exploitation. We are aware of five ICS-specific vulnerabilities exploited in the wild (as shown in Figure 5). In addition, given the growth in researcher interest, we surmise that many other ICS-specific vulnerabilities have been exploited in the past, but have not been made public. VULNERABILITY TITLE ATTACK KNOWN VICTIMS EXPLOITED VULNERABILITY DISCLOSED PATCH RELEASED Siemens Simatic S7 DLL loading mechanism vulnerability5 Stuxnet NEDA Industrial Group, Natanz, Iran July 2009 June 2010 September 2011 Siemens WinCC insecure SQL Server authentication6 Stuxnet NEDA Industrial Group, Natanz, Iran July 2009 June 2010 July 2012 GE Cimplicity Path Traversal7,8 Attributed to the Sandworm Team Various January 2012 June 2012 December 2013 Moxa UC-7408-LX Plus unauthenticated firmware9,10 Attributed to the Sandworm Team Kyivo-blenergo Energy Distribution Facility, Ukraine December 2015 May 2016 Product Discontinued IRZ RUH2 3G unauthenticated firmware11 Attributed to the Sandworm Team Prykarpattya-oblenergo Energy Distirbution Facility, Ukraine December 2015 May 2016 N/A FIGURE 5: FIVE ICS VULNERABILITIES EXPLOITED IN THE WILD
OUTLOOK In summary, our research supports the following expectations: • ICS vulnerability disclosures will continue to rise during the coming years at an average close to 5%, with occasional spikes or drops. • Media coverage of significant events in ICS security, either attacks or research, will likely continue to fuel the vulnerability disclosure rate. • The majority of disclosures will consist of vulnerabilities affecting Level 2 of the simplified Purdue model. • While ICS-specific vulnerabilities may not be required to access, manipulate or impact industrial processes, reports of ICS-specific vulnerabilities exploited in the wild will slowly accrue. The flood of vulnerabilities is likely to overwhelm ICS asset owners as they struggle to keep up with vulnerability notifications, assess associated risk, and implement mitigation. To ensure effectiveness and efficiency in dealing with ICS vulnerabilities, FireEye recommends that ICS asset owners: • Prepare their security teams with an accurate understanding of control system assets, their locations, and functions. • Obtain structured vulnerability and patch feeds that cover a wide variety of sources. • Match the vulnerability disclosures and patch announcements against their asset inventory. • Track vulnerable and unpatched products currently used in their industrial environments. • Prioritize vulnerability remediation efforts by considering ICS architecture location, simplicity of exploitation, and possible impact on the controlled industrial process. RECOMMENDATIONS SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 11
FireEye, Inc. 1440 McCarthy Blvd. Milpitas, CA 95035 408.321.6300 / 877.FIREEYE (347.3393) / info@FireEye.com www.FireEye.com To download this or other FireEye iSight Intelligence reports, visit: www.fireeye.com/reports.html © 2016 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.

Recommended

Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
Google Android Security 2014 Report
Google Android Security 2014 ReportGoogle Android Security 2014 Report
Google Android Security 2014 ReportRonen Mendezitsky
 
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...ESET Middle East
 
Veracode State of Software Security vol 4
Veracode State of Software Security vol 4Veracode State of Software Security vol 4
Veracode State of Software Security vol 4stemkat
 
Patch Management Best Practices 2019
Patch Management Best Practices 2019Patch Management Best Practices 2019
Patch Management Best Practices 2019Ivanti
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
FROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYFROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYBlack Duck by Synopsys
 
Q1 2016 Open Source Security Report: Glibc and Beyond
Q1 2016 Open Source Security Report: Glibc and BeyondQ1 2016 Open Source Security Report: Glibc and Beyond
Q1 2016 Open Source Security Report: Glibc and BeyondBlack Duck by Synopsys
 

Recommended

Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
Google Android Security 2014 Report
Google Android Security 2014 ReportGoogle Android Security 2014 Report
Google Android Security 2014 ReportRonen Mendezitsky
 
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...ESET Middle East
 
Veracode State of Software Security vol 4
Veracode State of Software Security vol 4Veracode State of Software Security vol 4
Veracode State of Software Security vol 4stemkat
 
Patch Management Best Practices 2019
Patch Management Best Practices 2019Patch Management Best Practices 2019
Patch Management Best Practices 2019Ivanti
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
FROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYFROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYBlack Duck by Synopsys
 
Q1 2016 Open Source Security Report: Glibc and Beyond
Q1 2016 Open Source Security Report: Glibc and BeyondQ1 2016 Open Source Security Report: Glibc and Beyond
Q1 2016 Open Source Security Report: Glibc and BeyondBlack Duck by Synopsys
 
INTSUM
INTSUMINTSUM
INTSUMworldwidebranding
 
PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?Black Duck by Synopsys
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...John M. Willis
 
Open Source Outlook: Expected Developments for 2016
Open Source Outlook: Expected Developments for 2016Open Source Outlook: Expected Developments for 2016
Open Source Outlook: Expected Developments for 2016Black Duck by Synopsys
 
October2016 patchtuesdayshavlik
October2016 patchtuesdayshavlikOctober2016 patchtuesdayshavlik
October2016 patchtuesdayshavlikLANDESK
 
INSECURE Magazine - 37
INSECURE Magazine - 37INSECURE Magazine - 37
INSECURE Magazine - 37Felipe Prado
 
Patch Management Best Practices
Patch Management Best Practices Patch Management Best Practices
Patch Management Best Practices Ivanti
 
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn'tInfographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn'tSonatype
 
The State of Open Source Vulnerabilities - A WhiteSource Webinar
The State of Open Source Vulnerabilities - A WhiteSource WebinarThe State of Open Source Vulnerabilities - A WhiteSource Webinar
The State of Open Source Vulnerabilities - A WhiteSource WebinarWhiteSource
 
December2016 patchtuesdayshavlik
December2016 patchtuesdayshavlikDecember2016 patchtuesdayshavlik
December2016 patchtuesdayshavlikLANDESK
 
November2016 patchtuesdayshavlik
November2016 patchtuesdayshavlikNovember2016 patchtuesdayshavlik
November2016 patchtuesdayshavlikLANDESK
 
Google android security_2015_report_final
Google android security_2015_report_finalGoogle android security_2015_report_final
Google android security_2015_report_finalAndrey Apuhtin
 
May Patch Tuesday Analysis 2019
May Patch Tuesday Analysis 2019May Patch Tuesday Analysis 2019
May Patch Tuesday Analysis 2019Ivanti
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour... The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...WhiteSource
 
2016 Trends in Security
2016 Trends in Security 2016 Trends in Security
2016 Trends in Security Ioannis Aligizakis, M.Sc.
 
August Patch Tuesday 2016
August Patch Tuesday 2016August Patch Tuesday 2016
August Patch Tuesday 2016LANDESK
 
Patch Tuesday Analysis - June 2016
Patch Tuesday Analysis - June 2016Patch Tuesday Analysis - June 2016
Patch Tuesday Analysis - June 2016Ivanti
 
Everything You Need To Know About Ivanti Security Controls
Everything You Need To Know About Ivanti Security ControlsEverything You Need To Know About Ivanti Security Controls
Everything You Need To Know About Ivanti Security ControlsIvanti
 
SECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTS
SECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTSSECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTS
SECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTSijseajournal
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...qqlan
 
2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity GroupsDragos, Inc.
 
Best of Positive Research 2013
Best of Positive Research 2013Best of Positive Research 2013
Best of Positive Research 2013qqlan
 

More Related Content

What's hot

PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?Black Duck by Synopsys
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...John M. Willis
 
Open Source Outlook: Expected Developments for 2016
Open Source Outlook: Expected Developments for 2016Open Source Outlook: Expected Developments for 2016
Open Source Outlook: Expected Developments for 2016Black Duck by Synopsys
 
October2016 patchtuesdayshavlik
October2016 patchtuesdayshavlikOctober2016 patchtuesdayshavlik
October2016 patchtuesdayshavlikLANDESK
 
INSECURE Magazine - 37
INSECURE Magazine - 37INSECURE Magazine - 37
INSECURE Magazine - 37Felipe Prado
 
Patch Management Best Practices
Patch Management Best Practices Patch Management Best Practices
Patch Management Best Practices Ivanti
 
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn'tInfographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn'tSonatype
 
The State of Open Source Vulnerabilities - A WhiteSource Webinar
The State of Open Source Vulnerabilities - A WhiteSource WebinarThe State of Open Source Vulnerabilities - A WhiteSource Webinar
The State of Open Source Vulnerabilities - A WhiteSource WebinarWhiteSource
 
December2016 patchtuesdayshavlik
December2016 patchtuesdayshavlikDecember2016 patchtuesdayshavlik
December2016 patchtuesdayshavlikLANDESK
 
November2016 patchtuesdayshavlik
November2016 patchtuesdayshavlikNovember2016 patchtuesdayshavlik
November2016 patchtuesdayshavlikLANDESK
 
Google android security_2015_report_final
Google android security_2015_report_finalGoogle android security_2015_report_final
Google android security_2015_report_finalAndrey Apuhtin
 
May Patch Tuesday Analysis 2019
May Patch Tuesday Analysis 2019May Patch Tuesday Analysis 2019
May Patch Tuesday Analysis 2019Ivanti
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour... The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...WhiteSource
 
August Patch Tuesday 2016
August Patch Tuesday 2016August Patch Tuesday 2016
August Patch Tuesday 2016LANDESK
 
Patch Tuesday Analysis - June 2016
Patch Tuesday Analysis - June 2016Patch Tuesday Analysis - June 2016
Patch Tuesday Analysis - June 2016Ivanti
 
Everything You Need To Know About Ivanti Security Controls
Everything You Need To Know About Ivanti Security ControlsEverything You Need To Know About Ivanti Security Controls
Everything You Need To Know About Ivanti Security ControlsIvanti
 
SECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTS
SECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTSSECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTS
SECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTSijseajournal
 

What's hot (19)

INTSUM
INTSUMINTSUM
INTSUM
 
PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...
 
Open Source Outlook: Expected Developments for 2016
Open Source Outlook: Expected Developments for 2016Open Source Outlook: Expected Developments for 2016
Open Source Outlook: Expected Developments for 2016
 
October2016 patchtuesdayshavlik
October2016 patchtuesdayshavlikOctober2016 patchtuesdayshavlik
October2016 patchtuesdayshavlik
 
INSECURE Magazine - 37
INSECURE Magazine - 37INSECURE Magazine - 37
INSECURE Magazine - 37
 
Patch Management Best Practices
Patch Management Best Practices Patch Management Best Practices
Patch Management Best Practices
 
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn'tInfographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't
 
The State of Open Source Vulnerabilities - A WhiteSource Webinar
The State of Open Source Vulnerabilities - A WhiteSource WebinarThe State of Open Source Vulnerabilities - A WhiteSource Webinar
The State of Open Source Vulnerabilities - A WhiteSource Webinar
 
December2016 patchtuesdayshavlik
December2016 patchtuesdayshavlikDecember2016 patchtuesdayshavlik
December2016 patchtuesdayshavlik
 
November2016 patchtuesdayshavlik
November2016 patchtuesdayshavlikNovember2016 patchtuesdayshavlik
November2016 patchtuesdayshavlik
 
Google android security_2015_report_final
Google android security_2015_report_finalGoogle android security_2015_report_final
Google android security_2015_report_final
 
May Patch Tuesday Analysis 2019
May Patch Tuesday Analysis 2019May Patch Tuesday Analysis 2019
May Patch Tuesday Analysis 2019
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour... The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
 
2016 Trends in Security
2016 Trends in Security 2016 Trends in Security
2016 Trends in Security
 
August Patch Tuesday 2016
August Patch Tuesday 2016August Patch Tuesday 2016
August Patch Tuesday 2016
 
Patch Tuesday Analysis - June 2016
Patch Tuesday Analysis - June 2016Patch Tuesday Analysis - June 2016
Patch Tuesday Analysis - June 2016
 
Everything You Need To Know About Ivanti Security Controls
Everything You Need To Know About Ivanti Security ControlsEverything You Need To Know About Ivanti Security Controls
Everything You Need To Know About Ivanti Security Controls
 
SECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTS
SECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTSSECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTS
SECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTS
 

Similar to ics-vulnerability-trend-report-final

G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...qqlan
 
2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity GroupsDragos, Inc.
 
Best of Positive Research 2013
Best of Positive Research 2013Best of Positive Research 2013
Best of Positive Research 2013qqlan
 
Booz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat BriefingBooz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat BriefingBooz Allen Hamilton
 
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...Luca Moroni ✔✔
 
ISACA SLOVENIA CHAPTER October 2016 - Lubiana
ISACA SLOVENIA CHAPTER October 2016 - LubianaISACA SLOVENIA CHAPTER October 2016 - Lubiana
ISACA SLOVENIA CHAPTER October 2016 - LubianaLuca Moroni ✔✔
 
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...Cyber Security Alliance
 
Cisco 2016 Annual Security Report
Cisco 2016 Annual Security ReportCisco 2016 Annual Security Report
Cisco 2016 Annual Security ReportJames Gachie
 
Cisco 2016 Security Report
Cisco 2016 Security Report Cisco 2016 Security Report
Cisco 2016 Security Report Steve Fantauzzo
 
Turning the Tables on Cyber Attacks
Turning the Tables on Cyber AttacksTurning the Tables on Cyber Attacks
Turning the Tables on Cyber Attacks- Mark - Fullbright
 
SolarWInds-Incident-ppt.pptx
SolarWInds-Incident-ppt.pptxSolarWInds-Incident-ppt.pptx
SolarWInds-Incident-ppt.pptxTusharPuri20
 
Symantec intelligence report august 2015
Symantec intelligence report august 2015Symantec intelligence report august 2015
Symantec intelligence report august 2015Symantec
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]Jeremiah Grossman
 

Similar to ics-vulnerability-trend-report-final (20)

G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
 
2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups
 
Best of Positive Research 2013
Best of Positive Research 2013Best of Positive Research 2013
Best of Positive Research 2013
 
chile-2015 (2)
chile-2015 (2)chile-2015 (2)
chile-2015 (2)
 
Booz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat BriefingBooz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat Briefing
 
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
 
ISACA SLOVENIA CHAPTER October 2016 - Lubiana
ISACA SLOVENIA CHAPTER October 2016 - LubianaISACA SLOVENIA CHAPTER October 2016 - Lubiana
ISACA SLOVENIA CHAPTER October 2016 - Lubiana
 
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
 
Cisco 2016 Annual Security Report
Cisco 2016 Annual Security ReportCisco 2016 Annual Security Report
Cisco 2016 Annual Security Report
 
Cisco asr-2016-160121231711
Cisco asr-2016-160121231711Cisco asr-2016-160121231711
Cisco asr-2016-160121231711
 
Cisco Annual Security Report
Cisco Annual Security ReportCisco Annual Security Report
Cisco Annual Security Report
 
Cisco Annual Security Report 2016
Cisco Annual Security Report 2016Cisco Annual Security Report 2016
Cisco Annual Security Report 2016
 
Cisco 2016 Security Report
Cisco 2016 Security Report Cisco 2016 Security Report
Cisco 2016 Security Report
 
Turning the Tables on Cyber Attacks
Turning the Tables on Cyber AttacksTurning the Tables on Cyber Attacks
Turning the Tables on Cyber Attacks
 
SCADA White Paper March2012
SCADA White Paper March2012SCADA White Paper March2012
SCADA White Paper March2012
 
SolarWInds-Incident-ppt.pptx
SolarWInds-Incident-ppt.pptxSolarWInds-Incident-ppt.pptx
SolarWInds-Incident-ppt.pptx
 
Symantec intelligence report august 2015
Symantec intelligence report august 2015Symantec intelligence report august 2015
Symantec intelligence report august 2015
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
 
Exodus intel slideshare 2019
Exodus intel slideshare 2019Exodus intel slideshare 2019
Exodus intel slideshare 2019
 
Exodus intel slideshare 2019
Exodus intel slideshare 2019Exodus intel slideshare 2019
Exodus intel slideshare 2019
 

ics-vulnerability-trend-report-final

  • 1. FIREEYE iSIGHT INTELLIGENCE CRITICAL LESSONS FROM 15 YEARS OF ICS VULNERABILITIES 2016 Industrial Control Systems (ICS) Vulnerability Trend Report OVERLOAD SPECIAL REPORT / AUGUST 2016
  • 2. CONTENTS Introduction 3 Key Judgments 4 Methodology 5 By the Numbers 5 ICS-Specific Vulnerability Disclosures Over Time 6 Stuxnet Drove Interest in ICS-Specific Vulnerabilities 6 Average Yearly Disclosures Likely to Increase, but Not 2015 Rate 6 Vulnerabilities by ICS Level 7 Most Disclosures Affect Level 2 Probably Due to Researcher Familiarity and Product Availability 8 Access to Level 2 Allows for a Threat Actor to Manipulate Processes 8 Patch Availability 9 More Than One-Third of ICS Vulnerabilities are Unpatched at the Time of Disclosure, a Trend Likely to Persist 9 ICS Vulnerabilities Exploited in The Wild 10 Exploitation of ICS-Specific Vulnerabilities to Accrue at Slow Rate 10 Sandworm Team Undermines Three Ukranian Electricity Distributors 10 Outlook 11 Recommendations 11
  • 3. In the past several years, a flood of vulnerabilities has hit industrial control systems (ICS) — the technological backbone of electric grids, water supplies and production lines. These vulnerabilities affect the reliable operation of sensors, programmable controllers, software and networking equipment used to automate and monitor the physical processes that keep our modern world running. INTRODUCTION Since 2000, FireEye iSIGHT Intelligence has identified nearly 1,600 publicly disclosed ICS vulnerabilities. Many of these are unpatched — and some are simply unpatchable due to outdated technology —providing open paths for adversarial exploitation. Nation-state cyber threat actors have exploited five of these vulnerabilities in attacks since 2009. Unfortunately, security personnel from manufacturing, energy, water and other industries are frequently unaware of their own control system assets, let alone the vulnerabilities that affect them. Organizations operating these systems are missing the warnings and leaving their industrial environments exposed. This report highlights trends in total ICS vulnerability disclosures, patch availability, vulnerable device type and vulnerabilities exploited in the wild. SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 3
  • 4. SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 4 The discovery of Stuxnet in 2010 drove interest in industrial control systems (ICS) vulnerability research. FireEye iSIGHT Intelligence counted just 149 ICS vulnerability disclosures that were made between January 2000 and December 2010. Through April 2016, we have counted 1,552. We anticipate this upward trend will continue. 58% Most (58%) of the 801 ICS-specific vulnerability disclosures since February 2013 dealt with Level 2 (L2) in the simplified Purdue ICS architecture model, which describes how manufacturing devices interface with computers. We surmise that this is because L2 software is easier to obtain than L1 devices and is more familiar to a greater number of vulnerability researchers. However, adversary access to L2 alone is generally sufficient for at-will interaction with the controlled process. Vulnerability patching presents a significant challenge. Of the 1,552 total vulnerability disclosures we examined, 516 (33%) had no vendor fixes. The lack of vendor fixes and slow patch times for most industrial environments presents a significant opportunity for potential adversaries. Through April 2016, at least five ICS-specific vulnerabilities have been exploited in the wild, a rate we anticipate will increase in the future. In light of these observations and trends, we recommend that ICS asset owners: • Prepare their security teams with an accurate understanding of control system assets, their locations, and functions. • Obtain structured vulnerability and patch feeds that cover a wide variety of sources. • Match the vulnerability disclosures and patch announcements against their asset inventory. • Track vulnerable and unpatched products currently used in their industrial environments. • Prioritize vulnerability remediation efforts by considering ICS architecture location, simplicity of exploitation and possible impact on the controlled industrial process. KEY JUDGMENTS
  • 5. SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 5 For the purpose of this report, ICS-specific vulnerability disclosures consist of a vulnerability announcement where 1) a disclosing party specifically examined products intended to aid in the operation of an industrial process, and 2) exploitation of the vulnerability has a distinct impact on the controlled industrial process. • We do not count a disclosure unless it names a specific product. • We exclude general purpose operating systems, such as Microsoft Windows, even though human machine interfaces (HMIs), engineering laptops and supervisory control and data acquisition (SCADA) servers commonly use them. We also exclude database applications, such as Oracle and SQL Server, even though control system applications and historians commonly incorporate them. Parties disclosing vulnerabilities in these products have not generally done so with ICS in mind. • By the same reasoning, we excluded major third-party software vulnerabilities/attacks, including POODLE, Heartbleed, and Shellshock, though a variety of ICS-specific software exhibits these issues. • Further, if a researcher discloses a vulnerability that affects multiple products that have different uses in an industrial environment, and those uses lead to differing impacts on the controlled process, we count them separately. For example, if a researcher discloses a vulnerability in an OPC server (a type of process controller) library the vendor bundles into both a historian and an engineering workstation, we count this as two disclosures because successful exploitation can lead to distinct process impacts. • Additionally, we have not independently confirmed the accuracy of the disclosures or the efficacy of associated patches. METHODOLOGY 1,552 15 465 90 33 123 BY THE NUMBERS Number of ICS SPECIFIC VULNERABILITIES we analyzed YEARS OF DISCLOSURES in our research NUMBER OF DISCLOSURES impacting Level 2 of the simplified Purdue model, which typically includes SCADA systems PERCENTAGE OF VULNERABILITIES in our data set disclosed after Stuxnet emerged in media reports in mid-2010 PERCENTAGE OF VULNERABILITIES without a patch at time of disclosure TOTAL NUMBER OF VENDORS affected by vulnerability disclosures
  • 6. SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 6 STUXNET DROVE INTEREST IN ICS-SPECIFIC VULNERABILITIES An examination of 1,490 ICS-specific vulnerability disclosures between 2000 and 2015 (see Figure 1) shows a sharp increase in 2011. We believe the media attention garnered by Stuxnet is the principal driver of the increase: • Stuxnetwas the first publicly recognized attack to exploit vulnerabilities in ICS products.1 Media coverage began in mid-2010 and continued for the next 18 months. • There was a general slow upward trend prior to 2010, which itself saw just 55 ICS vulnerability disclosures. • 2011 included 219 ICS vulnerability disclosures, representing a 300% growth from 2010. • Most (90%) of the vulnerabilities came after 2010, though that accounts for only one-third of the timeline. • While the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which coordinates vulnerability disclosures between researchers and vendors, formally launched in November 2009, may have had some effect on disclosure rates, we consider that effect secondary because CERT/CC effectively coordinated ICS- specific vulnerability disclosures before that date. ICS-SPECIFIC VULNERABILITY DISCLOSURES OVER TIME TWO -YEAR ROLLING AVER AGE AVERAGE YEARLY DISCLOSURES LIKELY TO INCREASE, BUT NOT AT 2015 RATE We identify another sharp increase from 2014 to 2015— when disclosures rose from 249 to 371, or by 49%. Prior to this (from 2011 to 2014), disclosures rose an average of just 4.7% annually. We anticipate that the average number of ICS-specific vulnerability disclosures will increase during the next several years at about the rate it did from 2011 to 2014 (5%) rather than the rate in 2015 (49%). We surmise that the 2015 increase represents an anomalous spike rather than a new threshold because 92 of the vulnerabilities were caused by two large groups of disclosures that vendors released at a single time: 56 from OSIsoft and 36 from Yokogawa.2,3 • The size of these vendor releases are anomalous in the data set. The next largest group of disclosures by a vendor was 12 in 2014. • Releasing a set of vulnerabilities — versus one-by-one as they are likely discovered — indicates that the vendor may be choosing to address them all at once rather than serially. Vendors may believe that a group and disclose approach enhances marketing of new releases, but we have yet to determine whether this approach is a trend. • We suggest the Yokogawa vulnerabilities may have been discovered simultaneously because they dealt with similar buffer overflows, but affected multiple products. 1 Keizer, Greg. “Is Stuxnet the ‘best’ malware ever?” Infoworld. 16 September 2010. http://www.infoworld.com/article/2626009/malware/is-stuxnet-the--best--malware-ever-.html 2 OSISoft. OSIsoft Releases Multiple Security Updates for the PI System. 11 August 2015. https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00289. 3 Yokogawa. Yokogawa Security Advisory Report. 10 September 2015. http://web-material3.yokogawa.com/YSAR-15-0003E.pdf 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 400 350 300 250 200 150 100 50 0 FIGURE 1: ICS -SPECIFIC VULNERABILIT Y DISCLOSURES BY YEAR
  • 7. SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 7 FireEye iSIGHT Intelligence classifies ICS vulnerabilities by their location on a simplified Purdue ICS architectural model.4 The model (as shown in Figure 2) identifies six levels based on the device’s functions and location on the network. We classify industrial networking equipment (normally hardened to withstand harsh temperatures, vibration and dust) in another category. VULNERABILITIES BY ICS LEVEL SENSORS & ACTUATORS Actuators Sensors PLC & RTU PLC RTU DMZ App Server Historian Networking Devices Networking Devices Inter/Intranet Printer Workstation CORPORATE Senses process characteristics, such as temperature, pressure, and level; opens and closes valves; and turns pumps and motors on or off Uses sensor readings to send appropriate commands to actuators and motors SCADA Historian Other Engineering Workstation HMI Allows a human operator to supervise and control the physical process Makes data and applications from the control network available to users outside of the control network Meets general computing needs, including email, databases, and word processing Applications intended to provide remote ICS functionality relying on the public internet, such as mobile device apps Zone 0Zone 1 Zone 2 Zone 3Zone 4 FIGURE 2: SIMPLIFIED PURDUE MODEL OF AN INDUSTRIAL CONTROL SYSTEM 4 The Simplified Purdue model refers to a framework developed by researchers to describe the interconnectivity of computers to manufacturing systems.
  • 8. SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 8 MOST DISCLOSURES AFFECT LEVEL 2 PROBABLY BECAUSE OF RESEARCHER’S FAMILIARITY WITH THE SYSTEMS AND THE PRODUCT’S AVAILABILITY About half (465 of the 801 vulnerability disclosures from February 2013 to April 2016) affect products at ICS architecture Level 2 (as shown in Figure 3). We believe Level 2 has received the most attention because: • Equipment in this level frequently relies on operating systems, databases, and other information technologies already familiar to vulnerability researchers; and • Technologies used at this level can be easily and inexpensively obtained by vulnerability researchers, such as limited-time, full-featured demonstration versions. FIGURE 3: ICS -SPECIFIC VULNERABILIT Y DISCLOSURES AFFECTING EACH LEVEL FROM FEBRUARY 2013 TO APRIL 2016 (VULNERABILITIES MAY AFFECT MORE THAN ONE ZONE) 500 400 300 200 100 0 ACCESS TO LEVEL 2 ALLOWS A THREAT ACTOR TO MANIPULATE PROCESSES Once an attacker has unrestricted access to Level 2, further exploits and vulnerabilities become less important because: • Devices that directly control the processes, such as HMI and engineering workstations, reside here. Like having a master key, controlling one of those devices gives attackers control of any connected processes. For example, as seen in the attacks on the Ukrainian power companies in December 2014, once attackers have access to the HMI, they can open and close switches and actuators at will without exploiting additional vulnerabilities. • Using unauthenticated protocols allows any computer connected to these networks to interact with the controlled process. For instance, the use of Modbus/TCP allows any device on the network to alter a set point within the process logic executed by the controller. Zone 0 Zone 1 Zone 2 Zone 3 Zone 4 Zone 5 Networking Devices
  • 9. SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 9 PATCH AVAILABILITY MORE THAN ONE-THIRD OF ICS VULNERABILITIES ARE UNPATCHED AT THE TIME OF DISCLOSURE, A TREND THAT WILL LIKELY PERSIST Of the 1,552 total vulnerabilities we examined, 516 did not have a fix available at the time of public disclosure (as shown in Figure 4). This means that 33% were zero- day vulnerabilities. While early indications for 2016 appear to depart from this number, we doubt this percentage will change significantly in the near future. Figure 4 shows ICS-specific vulnerabilities between January 2010 and April 2016 with a fix available at the time of release and illustrates that the portion of disclosures without a fix has remained fairly constant after 2010. We think several factors may be contributing to the lack of patches: • Researchers did not disclose the vulnerability to the vendor prior to releasing information about it publicly • Vendors did not respond to researcher in a timely way, prompting the researcher to disclose • Vulnerabilities could not be (easily) fixed • Vendors consider vulnerable device end-of-life FIGURE 4: ICS -SPECIFIC VULNERABILITIES SINCE 2010 SHOWING FIX AVAIL ABILIT Y AT TIME 2010 2011 2012 2013 2014 2015 2016 400 350 300 250 200 150 100 50 0 FIXED UNFIXED 1/3OF ICS VULNERABILITIES ARE ZERO DAYS, A TREND LIKELY TO PERSIST
  • 10. SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 10 5 Symanec. “W32.Stuxnet Dossier.” February 2011. https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf. P. 50. 6 Symanec. “W32.Stuxnet Dossier.” February 2011. https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf. P. 26. 7 General Electric. “GE Intelligent Platforms Product Security Advisory.” 28 October 2014. https://ge-ip.force.com/communities/servlet/fileField?retURL=%2Fcommunities%- 2Fapex%2FKnowledgeDetail%3Fid%3DkA21A000000LW4dSAG%26lang%3Den_US%26Type%3DArticle__kav&entityId=ka21A000000PTSeQAO&field=File_1__Body__s. 8 U.S. Department of Homeland Security. ICS-CERT. “Alert (ICS-Alert-14-281-01E).” 10 December 2014. https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B. 9 U.S. Department of Homeland Security. ICS-CERT. “Advisory (ICSA-16-152-01).” 31 May 2016. https://ics-cert.us-cert.gov/advisories/ICSA-16-152-01. 10 U.S. Department of Homeland Security.” “IR-ALERT-H-16-043-01AP CYBER-ATTACK AGAINST UKRAINIAN CRITICAL INFRASTRUCTURE.” 7 March 2016. http://www.eenews. net/assets/2016/07/19/document_ew_02.pdf. 11 U.S. Department of Homeland Security. “Advisory (ICSA-16-138-01).” 17 May 2016. https://ics-cert.us-cert.gov/advisories/ICSA-16-138-01. ICS VULNERABILITIES EXPLOITED IN THE WILD EXPLOITATION OF ICS-SPECIFIC VULNERABILITIES TO ACCRUE AT SLOW RATE We note that all five instances in which ICS-specific vulnerabilities were exploited can be reasonably tied to nation-state actors. Four of the five — Stuxnet and the attacks in Ukraine — can be tied to direct geopolitical objectives. The success of these incidents in compromising key systems to achieve a political objective or demonstrating an adversary’s capabilities makes us expect that nation-state adversaries will increasingly exploit ICS-specific vulnerabilities. SANDWORM TEAM UNDERMINES THREE UKRAINIAN ELECTRICITY DISTRIBUTORS IN LATE 2015 On Dec. 23, 2015, three Ukrainian electricity distributors found themselves at ground zero for ICS security. A cyber threat group — that we strongly believe is the suspected Russia-based Sandworm Team — had invaded systems and triggered power outages across three regions in western Ukraine. The attackers systemically shut down the flow of electricity by manipulating distribution system dispatcher HMIs — the applications that grid operators use to control the flow of power to homes and businesses. After shutting down the power, attackers exploited two previously unknown vulnerabilities in control systems networking gear to inhibit the utilities’ ability to restore power and maintain control of the grid. While ICS vulnerability disclosures were influenced by Stuxnet, we have not observed a corresponding increase in ICS vulnerability exploitation. We are aware of five ICS-specific vulnerabilities exploited in the wild (as shown in Figure 5). In addition, given the growth in researcher interest, we surmise that many other ICS-specific vulnerabilities have been exploited in the past, but have not been made public. VULNERABILITY TITLE ATTACK KNOWN VICTIMS EXPLOITED VULNERABILITY DISCLOSED PATCH RELEASED Siemens Simatic S7 DLL loading mechanism vulnerability5 Stuxnet NEDA Industrial Group, Natanz, Iran July 2009 June 2010 September 2011 Siemens WinCC insecure SQL Server authentication6 Stuxnet NEDA Industrial Group, Natanz, Iran July 2009 June 2010 July 2012 GE Cimplicity Path Traversal7,8 Attributed to the Sandworm Team Various January 2012 June 2012 December 2013 Moxa UC-7408-LX Plus unauthenticated firmware9,10 Attributed to the Sandworm Team Kyivo-blenergo Energy Distribution Facility, Ukraine December 2015 May 2016 Product Discontinued IRZ RUH2 3G unauthenticated firmware11 Attributed to the Sandworm Team Prykarpattya-oblenergo Energy Distirbution Facility, Ukraine December 2015 May 2016 N/A FIGURE 5: FIVE ICS VULNERABILITIES EXPLOITED IN THE WILD
  • 11. OUTLOOK In summary, our research supports the following expectations: • ICS vulnerability disclosures will continue to rise during the coming years at an average close to 5%, with occasional spikes or drops. • Media coverage of significant events in ICS security, either attacks or research, will likely continue to fuel the vulnerability disclosure rate. • The majority of disclosures will consist of vulnerabilities affecting Level 2 of the simplified Purdue model. • While ICS-specific vulnerabilities may not be required to access, manipulate or impact industrial processes, reports of ICS-specific vulnerabilities exploited in the wild will slowly accrue. The flood of vulnerabilities is likely to overwhelm ICS asset owners as they struggle to keep up with vulnerability notifications, assess associated risk, and implement mitigation. To ensure effectiveness and efficiency in dealing with ICS vulnerabilities, FireEye recommends that ICS asset owners: • Prepare their security teams with an accurate understanding of control system assets, their locations, and functions. • Obtain structured vulnerability and patch feeds that cover a wide variety of sources. • Match the vulnerability disclosures and patch announcements against their asset inventory. • Track vulnerable and unpatched products currently used in their industrial environments. • Prioritize vulnerability remediation efforts by considering ICS architecture location, simplicity of exploitation, and possible impact on the controlled industrial process. RECOMMENDATIONS SPECIAL REPORT / 2016 ICS VULNERABILITY TREND REPORT 11
  • 12. FireEye, Inc. 1440 McCarthy Blvd. Milpitas, CA 95035 408.321.6300 / 877.FIREEYE (347.3393) / info@FireEye.com www.FireEye.com To download this or other FireEye iSight Intelligence reports, visit: www.fireeye.com/reports.html © 2016 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.