The activity of disclosed ICS vulnerabilities has increased gradually over the years and significantly since Stuxnet. A quick look at the last five products with published vulns on ICSCERT leads to two easy conclusions:
- The security community is locating free trial “SCADA” software and not shockingly finding easily exploitable vulnerabilities since security was not a design criteria or serious consideration in development.
2. The software being exploited are primarily low cost HMI or visualization software that are add-ons to larger systems or used in small processes. Again this is what the security community can easily gain access to.
What is not happening is a significant post-Stuxnet increase in disclosed vulnerabilities in the larger systems from ABB, AREVA, Emerson, Honeywell, Telvent, Yokogawa … The most likely reason for this is it is hard for someone with an interest in identifying and disclosing vulnerabilities getting access to these solutions unencumbered by a NDA.
A secondary reason is some of the larger vendors have had multi-year efforts at integrating security into the SDL. So the low-hanging fruit is gone, but even the large system vendors know that there are vulns in there complex software solutions, like every software solution.
So what is the advice? Vendor’s in the ICS space should assume that any free demo or trial software is either being tested now or in the near future. Easily found vulnerabilities will be identified and disclosed. Eliminating the free trial is a business decision, but the more likely vulnerability disclosure is another factor in that decision.
One last comment – – since the increase in ICS vulns we have stopped covering each vuln in this blog. It is no longer a novel event, and not the purpose of the blog. If you want that info you should subscribe to ICS-CERT. We may put up a page in the near future with some summary information, but will only blog if the vuln has some unique aspect or impact.