SCADA Security in numbers

Nuclear and hydroelectric power stations, oil and gas pipelines, factories, transportation networks (metro and high-speed trains), as well as many other systems vital to humanity, are controlled by various computer technologies.

A wide interest in the security of industrial systems has arisen after a series of incidents with the Flame and Stuxnet viruses, which became the first signs of the cyber war era. In Russia, there is one more reason to pay attention to the security of such systems - the new requirements of regulators aimed at improving the safety of process control systems (ICS / SCADA / PLC).

To select adequate security measures, it is necessary to understand what capabilities a cybercriminal possesses and what attack vectors he can use. To answer these questions, Positive Technologies experts conducted an ICS / SCADA safety study. Results under the cut.

The object of the study was the vulnerabilities discovered from 2005 to October 1, 2012. Briefly based on the results of the analysis, several facts can be noted:

• Over several months of 2012, more ACS TP vulnerabilities were found than over the entire previous year: their number is growing rapidly.
• Problems, as always, are found in the most popular products, and about 65% of vulnerabilities are serious or critical.
• The USA and Europe are leaders in the number of ICS systems available from the Internet, while 40% of all SCADA systems accessible from outside are vulnerable and can be hacked.
• Most of the security problems of ICS systems accessible from the Internet are associated with configuration errors (for example, standard passwords) and lack of updates.

But first things first.

The demand for industrial control systems in Russia

It is possible to approximately represent the shares of various manufacturers on the market of process control systems by assessing the demand for specialists with experience in working with a particular system, protocol, technology or program. As a basis for the analysis was taken statistics database of vacancies hh.ru . The most sought-after specialists were those with experience working with Siemens solutions. Four of the six most common products belong to the Siemens SIMATIC family:

• Step 7 - development of automation systems based on PLC (about 22.05%),
• WinCC and WinCC Flexible - creating a human-machine interface (18.11% and 3.94%, respectively),
• PCS 7 - building complex automation systems (7.87%).

Wonderware's InTouch HMI (12.6%) and Iconics Genesis software package (5.51%) are also among the top five.



If we consider data transfer technologies, the most popular of them are Modbus (RTU and TCP / IP) and Profibus / Profinet, which occupy about 33% each. Next comes OPC (25%).

Among all the operating systems used with ACS TP, Microsoft Windows leads by a wide margin, experience with which is required in most advertisements in this area. Knowledge of QNX and FreeRTOS are indicated in only a small number of vacancies.

In the segment of programmable logic controllers (PLCs, PLCs), they are most often looking for specialists in Siemens solutions (approximately 31%). The following are Schneider Electric (11%), ABB (9%), Allen-Bradley (7%) and Emerson (5%) products.

Vulnerability analysis

Vulnerabilities are often published without coordination with the developers, so for our research we used data from various sources, such as vulnerability knowledge databases and vendor notifications, exploit packs, reports of specialized events, publications on thematic sites and blogs .

It is interesting to note that between 2005 and the beginning of 2010, only 9 vulnerabilities were discovered in the ICS systems, and after the appearance of the Stuxnet worm and the ensuing hype in 2011, 64 vulnerabilities were found. In the first eight months of 2012, 98 new vulnerabilities became known: this is more than in all previous years.

The largest number of vulnerabilities (42) during the reporting period was found in the components of the automated process control systems manufactured by Siemens. In second place are the Broadwin / Advantech systems (22). On the third - Schneider Electric (18). A similar picture in the case of automated process control systems, as in general in information technologies, is explained by the fact that the greatest number of vulnerabilities is found in the most common solutions. In addition, a number of manufacturers have only recently begun actively engaged in the search and elimination of vulnerabilities in their products (an example is Siemens ProductCERT ).

Vulnerabilities by type of software and hardware components of ICS

Of greatest interest to cybercriminals are such components of automated process control systems as SCADA and the Human Machine Interface (HMI), in which 87 and 49 vulnerabilities were detected, respectively. In the programmable logic controllers of various manufacturers during the reporting period, 20 vulnerabilities were found.

Types of Vulnerabilities

Almost a third of vulnerabilities (36%) are related to buffer overflow (Buffer Overflow). This security problem allows an attacker to not only cause the program to crash or freeze, which leads to a denial of service, but also to execute arbitrary code on the target system. If we add up all types of vulnerabilities, the exploitation of which allows the hacker to run code execution (for example, buffer overflows, remote code execution), then we get about 40% of all vulnerabilities. It is worth noting a large number of problems with authentication and key management (Authentication / Key Management) - almost 23%.

The share of automated process control vulnerabilities

Most security flaws (81%) were promptly eliminated by manufacturers — even before information about them became widely known, or within 30 days after uncoordinated disclosure of information. However, approximately every fifth vulnerability was “closed” with a serious delay, and in some cases it was not eliminated.

A clear idea of ​​how serious the problems of information security are various manufacturers of process control systems gives the share of "closed" vulnerabilities. For example, Siemens fixed and released updates for 98% of vulnerabilities, while Schneider Electric eliminated only a little more than half (56%) of the detected problems.

Availability of information or software for an attack

Having a ready-made tool for exploiting a vulnerability or information about it in the public domain significantly increases the likelihood of a successful attack. At the moment, for 35% of all vulnerabilities presented in ACS TP, there are exploits that are distributed as separate utilities, are part of the software packages for pentests, or are described in vulnerability notifications. A similar indicator for other IT systems is many times less.

Typically, the number of published vulnerabilities correlates with the number of published exploits. Between the beginning of 2011 and September 2012, 50 exploits were published - six times more than in the six years from 2005 to 2010.



The relatively small number of exploits that appeared in 2012 is due to two factors:

• streamlining the relationship between process control manufacturers and researchers, a policy of responsible disclosure;
• the traditional delay between the publication of the vulnerability and the release of the exploit (its development requires additional costs).

The degree of risk of detected vulnerabilities

Almost 65% of all vulnerabilities are classified as high (CVSS v. 2 Base Score> 6.5) or critical risk (exploit is available).


However, the absence of a known method of attack realization reduces the likelihood of an attack, but does not completely exclude it, since cyber attacks on industrial facilities are carried out with the participation of experienced high-level specialists, who often simply do not need “exploit packs” and other popular tools.

Unresolved ACS vulnerabilities

Vulnerabilities for which there is already an exploit, but a patch has not yet been released, pose the greatest danger, since an attacker does not need deep knowledge and long preparation to penetrate the system. Any student who decides to misbehave can cause enormous damage. The worst situation here is for Schneider Electric ICS products: 6 open vulnerabilities were discovered. In the second place is General Electric (three vulnerabilities), Advantech / Broadwin and Rockwell Automation shared the third place - they each have one open vulnerability.

The prevalence of ICS systems on the Internet

To understand the extent to which all of these vulnerabilities could be exploited by an attacker, an Internet study was conducted on the subject of the presence of vulnerable ICS systems. Search and verification of system versions was carried out by methods of passive analysis using search engines (Google, Yahoo, Bing) and specialized knowledge bases, such as ShodanHQ, Every Routable IP Project. The information received was analyzed in terms of the presence of vulnerabilities related to configuration management and installation of updates.

Almost a third of ICS systems, to the elements of which there is access from the Internet, are located in the USA (31.3%). Italy takes the second place by a wide margin (6.8%), South Korea closes the top three (6.2%). Russia ranks 12th with 2.3%, and in the PRC there are only 1.1% of all ICS systems visible from the global network.



The results are expected, since the number of available systems directly depends on the degree of automation of the infrastructure.

Types of industrial control systems

Most often, various components of SCADA-systems (including HMI) are present in the global network. They account for 70% of all detected objects. Another 27% of the available ICS components are programmable logic controllers. In 3% of cases, various network devices were found that are used in the networks of automated process control systems (Hardware).

Types of Vulnerabilities

The most common security flaws (identified in 36% of cases) are related to configuration errors. Included are incorrect password policies (for example, the use of standard engineering passwords), access to critical information, erroneous delimitation of powers. A quarter of the vulnerabilities are related to the lack of necessary security updates.



The proportion of vulnerable ICS systems in various countries and regions The
largest number of vulnerable ICS systems that are “visible” from the Internet are in Switzerland (100%). Next is the Czech Republic (86%), followed by Sweden (67%). In Russia, exactly half of the ACS TP systems accessible from the outside are vulnerable.

The least concern is the safety of process control systems in Europe: 54% of industrial automation systems are vulnerable in this region. In second place is North America (39%), then Asia (32%), where unsafe facilities in Taiwan and South Korea play a significant role.