Many of the industrial technologies powering the critical infrastructure that underpins modern society are enabled and controlled by Supervisory Control and Data Acquisition (SCADA) systems. Like all forms of technology, SCADA has its share of security vulnerabilities.
According to a report from Trend Micro’s Zero Day Initiative (ZDI), there were more than 250 security vulnerabilities reported in SCADA Human Machine Interfaces (HMI) from 2015 to 2016. Human Machine Interfaces (HMI) provide the link between SCADA systems and their human operators.
ZDI is in the business of paying security researchers for vulnerabilities and operates the annual Pwn2Own hacking competition which awarded $823,000 at its March 2017 event. It’s not entirely clear how much ZDI paid for the 250 SCADA HMI vulnerabilities that it has acquired.
“We are not in a position to provide specific numbers, but prices vary based on the popularity of the target, the severity of the issue and the quality of the report,” Dustin Childs, director of communication for ZDI, told eWEEK.
The Trend Micro ZDI analysis found that most of the SCADA HMI vulnerabilities fit into a few areas including memory corruption, poor credential management, lack of authentication/authorization, insecure defaults and code injection bugs. Lack of authentication and authorization with insecure defaults is a category of flaws that represented 23 percent of the SCADA HMI vulnerabilities analyzed by ZDI. Code injection vulnerabilities represented 9 percent of identified vulnerabilities.
“I’m not sure if surprised is the right word for it, but it was definitely interesting to see many types of bugs in SCADA systems that were found in desktop applications a decade ago,” Childs said. “Things like memory corruption, insecure defaults, and the use of banned APIs should have been discovered with code audits or secure development practices.”
Time to Patch
While software defects happen in all forms of code, what is equally important to limiting flaws from appearing in the first place, is quickly patching vulnerabilities when they are found.
ZDI’s analysis found that the average time between when a bug is disclosed to a SCADA vendor, to the time the vendor release a patch, is 150 days. ZDI noted that on average, SCADA vendors take 30 days more than Microsoft or Adobe, to release a patch after a vulnerability has been disclosed.
Though patching is an important component of helping to improve SCADA HMI system security, there are other steps that operators can take to reduce risk.
“It’s important to isolate these systems as much as possible, but at the same time, treat them as though that isolation will be violated at some point,” Childs said. “SCADA developers can take a note from operating system and web application developers in implementing secure development practices as these systems become more and more connected.”