Industrial control component vulnerabilities up 30%

18 Apr 2019

The number of new vulnerabilities in industrial control systems (ICS) grew by 30% between 2017 and 2018, according to Positive Technologies.

The US still has a lead in the number of Internet-accessible ICS components, with 95,661 IP addresses for ICS components found in 2018 compared to 64,287 in 2017.

In the UK, the number of devices discoverable on the Internet nearly doubled from 4,240 to 7,874 in the same time frame.

More than 220,000 ICS components are discoverable online, which is 27% higher than in 2017.

The vulnerable systems are mainly located in the US (95,661), Germany (21,449), China (12,262), France (11,007), Italy (9,918), and Canada (9,580).

Positive Technologies warns organisations to be wary of the availability of network devices on the Internet, such as industrial Ethernet switches or Ethernet media converters, and the risks it presents. 

Yet, in 2017, the share of Internet-accessible network devices grew from 5 to 13%, rising to 19% in 2018.

Approximately 30,000 Honeywell devices were detected online, and the company remains in the lead for the number of Internet-available components.

For the second year in a row, Schneider Electric had the highest number of new vulnerabilities (69 vulnerabilities in 2018), despite the fact that the number of vulnerabilities found in Siemens equipment almost doubled compared to the previous year, reaching 66.

The high number of vulnerabilities within the equipment of these two companies can be explained by the popularity of their product lines.

In total, 257 vulnerabilities were detected in ICS components in 2018, which is 30% higher than in 2017.

The share of critical and high-severity vulnerabilities increased by 17%.

Fifty-eight percent of vulnerabilities allow attackers to have more than one impact on a device, compromising its confidentiality, integrity, and availability.

In only four percent of cases, the difficulty of attack was assessed as high.

In other words, attackers do not usually require any special conditions to disrupt the security of ICS elements.

About 75% of vulnerabilities have the potential to affect ICS availability in full or part.

The exploitation of these vulnerabilities, for example in network equipment, could disturb a target's operation by disrupting command transfer between components.

A significant share of vulnerabilities involves improper authentication or excessive privileges. More than half of these vulnerabilities (64%) can be exploited remotely.

Positive Technologies Industry and SCADA research analyst Paolo Emiliani says, “In 2018, we saw that industrial processes can be affected not only by targeted malware, such as the Triton cyberweapon, but also by attacks against IT infrastructure.”

In March, LockerGoga ransomware disrupted the operation of Norsk Hydro, a large aluminium manufacturer.

In 2017, the WannaCry virus triggered an alarm within Boeing and shut down several plants of Taiwan Semiconductor Manufacturing Company.

This means that even ordinary viruses can affect a target's operations online.

“That is why Positive Technologies keeps on highlighting the importance of complex protection of industrial companies, which includes separation of technological, corporate, and external networks, timely security updates, and regular analysis of ICS security to detect potential attack vectors,” says Emiliani.

Positive Technologies says that on average, vendors take a long time to fix vulnerabilities - more than six months.

The elimination of some vulnerabilities (measured by the time period from vendor notification to release of a patch) can take more than two years.

For end users, such protracted responses increase the risk of exploitation of device vulnerabilities.
