In 2008 DHS issued the first edition of Common Cybersecurity Vulnerabilities in Industrial Control Systems based on 15 ICS security assessments of either products or deployed systems they performed from 2004 to 2008. They just released an update to this document that includes data from three more product assessments from 2009 – 2010. The number is surprisingly small, but the DHS/INL assessments typically are deep dives with the test system actually being deployed in Idaho Falls.
The report also integrates data from ICS-CERT and as well as owner/operator self assessments results from the DHS/INL Cyber Security Evaluation Tool (CSET). This is the key paragraph from the Executive Summary:
The highest percentage of vulnerabilities identified in ICS product assessments continues to be improper input validation by ICS code. Poor access controls—credentials management and security configuration—were the second most common security weakness identified in new ICS software in 2009–2010. Authentication weaknesses follow in third place. However, vulnerabilities reported from the previous CSSP ICS product assessments include more patch management problems than the more recent findings.
The input validation vulnerabilities are why you see control systems crash when scanned or when the control system application ports are fuzzed. The vendors tested that the application worked when proper data was received, but they often failed to perform negative testing and the application did not handle errors or unexpected data gracefully.
Hopefully this will improve significantly with newly developed systems. We are aware of a number of vendors that have integrated fuzz testing into the SDL and QA processes either through home grown fuzzers or products from Wurldtech or Mu Dynamics.
This is a quality, 76-page report from DHS full of charts and graphs. I do have concerns that the graphs may be misleading because of the relatively small number of data points. Even the existing data is biased by the method of collection. For example Figure 3 has a bar chart with the vulnerabilities identified in INL/DHS assessments and ICS-CERT disclosures divided into eight categories for 2004-2008 and 2009-2010. The data source heavily biases this information.
Consider that INL/DHS performed only 3 assessments in the 2009-2010 data and the ICS-CERT disclosures are coming almost exclusively from HMI/EWS that are often on the low cost side — not those widely used in the larger SCADA and DCS. This information may not be representative to a pipeline or electric transmission SCADA system.
With those caveats, this report has the best information available by far. It is the leading reference document for ICS security statistics; just recognize that we have a long way to go in data collection and statistical analysis in this space.
Image by inju