For the fourth year in a row, researchers have discovered and reported more than 150 vulnerabilities in industrial control systems (ICSes), demonstrating that the critical systems continue to attract attention, according to an analysis conducted by Kaspersky Lab.
In 2015, researchers found and reported 189 vulnerabilities, a slight increase from the 181 vulnerabilities found in 2014. More than two-dozen of the flaws had publicly available exploits that would make it trivial to compromise vulnerable systems. Many issues—such as hard-coded passwords—do not even require an exploit, Kaspersky stated in its report.
The problems are “only the tip of the iceberg,” Gleb Gritsai, security expert at Kaspersky Lab, wrote in an email response to an eWEEK inquiry.
“The number of vulnerabilities in ICSes is a ‘sneak preview’ of the real situation,” he said, adding that most of the vulnerabilities were found during consulting projects involving the IC systems. “Currently, ICSes are not even close to [attracting the level of] attention that IT products get from the security community.”
Industrial control systems have become a fertile field of research for many attack-minded researchers and companies. For most of the first decade of this century, researchers only reported a handful of vulnerabilities each year. In 2010, as interest increased in the security of ICSes, so did the number of vulnerabilities, jumping to 19 issues reported that year and 69 the following year.
In 2012, the number of issues reached a much higher level, with 192 security flaws found in ICS software and devices that year, according to Kaspersky’s analysis of public data. For the next three years, the number of reported vulnerabilities varied from 158 to 189.
The vulnerabilities occurred in a wide variety of devices from more than 55 manufacturers.
The issues are not theoretical, either. While about 85 percent of the issues have been patched, more than 220,000 vulnerable devices are accessible through the Internet, according to a search conducted by Kaspersky using the Shodan port-scanning search service. The United States has the most vulnerable devices, with about 57,000 devices accessible through the Internet. Germany, Spain, France and Italy round out the top 5 nations, accounting for nearly half of all vulnerable devices.
It is hard to gauge the impact of the vulnerabilities on these systems as the exact details of any particular installation are not known, Gritsai said.
“On the other hand, an actor without legal constraints who can gather the same data with more intrusive techniques will likely reveal this information in a matter of hours or days,” he added.
While researchers have increasingly focused on finding vulnerabilities in ICSes, many devices are hard to obtain for testing, which has hobbled efforts. In addition, vulnerabilities are only one aspect of the security weaknesses typically found by researchers in these systems. Misconfigurations and insecure settings are not considered vulnerabilities per se, but still leave the systems at risk, Gritsai said.
“Lack of authentication or user access control is not a vulnerability that gets [a] CVE [Common Vulnerabilities and Exposures rating]; it’s an architectural weakness,” he said. “All this shows how ICSes are much more exposed to malefactors than the data in our report [suggest].”