My hope in attending WEIS is to learn of new methods for applying security economics to the ICS world. One area of interest is a model to explain the increase in ICS reported vulnerabilities and predict and profile future vulnerabilities.
Two models were raised in a paper on software vulnerabilities not following the standard model, which met with a number of audience objections. These are new to me so please excuse any technical errors. It is something I plan on investigating further.
This is based on a biological model related to the spread of disease. The extension to cyber security vulnerabilities is once a new type of attack is successful on patient zero, it will be tried on other similar software or systems. The more systems that are susceptible to this attack, the more the attack methodology will spread.
Billy Rios and Terry McCorkle are a good and simple example. They found a HMI vulnerable to form field fuzzing and Active X fuzzing, then another, and then another. They decided to expand this and tested 76 products with the same tool finding 665 bugs. 75 of the bugs were easily exploitable. Luigi Auriemma is another example where he runs his tools against products and finds vulns. Perhaps when all products are infected or immune he will move to identify a new attack
It doesn’t have to be the same attacker for contagion to occur. In fact multiple attackers speed the spread of the attack/infection. The data for this is more visible in the broader IT space. When a new type of attack is developed and demonstrated on a specific target, it is learned and repeated by other attackers.
Contagion is ominous when you consider Stuxnet with Natanz being patient zero.
Prey / Predator Model
The prey / predator theory also seems to explain the increase in ICS vulns, both on the total number of ICS vulnerabilities and vulnerabilities on products. ICS was relatively unknown by the hacker/researcher community until the last two years. The prey had few predators and perhaps that allowed very weak prey to thrive in market share.
I’m not sure if the prey/predator model deals with weak prey, but ICS is definitely considered an easy kill. Hackers/researchers/adversaries have learned that ICS protocols lack authentication, systems have hard coded passwords and backdoors, poor protocol stacks, … access and a bit of effort leads to multiple vulnerabilities. The notoriety, potential consequence of the vulnerability and other motivations have lead to an increase in predators.
It’s not just ICS as a whole; it can be narrowed down to vendors and products. When a product is found to suffer from a vulnerability that indicates basic and trivial security measures were not followed, other predators assume there are more vulns and attack. You can see this with the 29 disclosed Iconics vulns or the 28 Siemens vulns. A single simple vulnerability in an ICS product is a harbinger of many more to come.
Looking forward to exploring this in more detail, and it would be great if some grad student wanted to pursue this work.
Image by jurvetson