ZDI Reveals State of SCADA Human Machine Interface Vulnerabilities | eWeek

Trend Micro Reveals State of Human Machine Interface Vulnerabilities

Trend Micro ZDI
May 26, 2017
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Many of the industrial technologies powering the critical infrastructure that underpins modern society are enabled and controlled by Supervisory Control and Data Acquisition (SCADA) systems. Like all forms of technology, SCADA has its share of security vulnerabilities.

According to a report from Trend Micro’s Zero Day Initiative (ZDI), there were more than 250 security vulnerabilities reported in SCADA Human Machine Interfaces (HMI) from 2015 to 2016. Human Machine Interfaces (HMI) provide the link between SCADA systems and their human operators.

ZDI is in the business of paying security researchers for vulnerabilities and operates the annual Pwn2Own hacking competition which awarded $823,000 at its March 2017 event. It’s not entirely clear how much ZDI paid for the 250 SCADA HMI vulnerabilities that it has acquired.

“We are not in a position to provide specific numbers, but prices vary based on the popularity of the target, the severity of the issue and the quality of the report,” Dustin Childs, director of communication for ZDI, told eWEEK.

The Trend Micro ZDI analysis found that most of the SCADA HMI vulnerabilities fit into a few areas including memory corruption, poor credential management, lack of authentication/authorization, insecure defaults and code injection bugs. Lack of authentication and authorization with insecure defaults is a category of flaws that represented 23 percent of the SCADA HMI vulnerabilities analyzed by ZDI. Code injection vulnerabilities represented 9 percent of identified vulnerabilities.

“I’m not sure if surprised is the right word for it, but it was definitely interesting to see many types of bugs in SCADA systems that were found in desktop applications a decade ago,” Childs said. “Things like memory corruption, insecure defaults, and the use of banned APIs should have been discovered with code audits or secure development practices.”


Time to Patch

While software defects happen in all forms of code, what is equally important to limiting flaws from appearing in the first place, is quickly patching vulnerabilities when they are found.

ZDI’s analysis found that the average time between when a bug is disclosed to a SCADA vendor, to the time the vendor release a patch, is 150 days. ZDI noted that on average, SCADA vendors take 30 days more than Microsoft or Adobe, to release a patch after a vulnerability has been disclosed.

Though patching is an important component of helping to improve SCADA HMI system security, there are other steps that operators can take to reduce risk.

“It’s important to isolate these systems as much as possible, but at the same time, treat them as though that isolation will be violated at some point,” Childs said. “SCADA developers can take a note from operating system and web application developers in implementing secure development practices as these systems become more and more connected.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.