Independent cybersecurity researchers found nearly double the number of vulnerabilities in supervisory control and data acquisition (SCADA) systems in the first six months of 2018 as they did in the first half of 2017, according to a new report by Japanese multinational Trend Micro, amid rising concerns about infrastructure security.
The 202 holes spotted in such industrial control systems are not necessarily a bad thing – they are being disclosed because vendors are engaging in bug bounty programs, which pay out to security researchers who can find flaws in their software or hardware potentially exploitable by a malicious hacker.
Commenting on this news, Andrea Carcano, Co-Founder and CPO, Nozomi Networks, said:
“While its reassuring to know that vulnerabilities in SCADA systems are being discovered, the reality is that this is just a small proportion of what actually exists.”
“While enterprise vulnerability assessments and bug bounty programs have been mainstream for many years, in SCADA systems there simply hasn’t been the same scrutiny. These are complex, legacy, environments that were designed to function in isolation when security was an ideal rather than the necessity it is today.
“From our own research, and using open source tools in a limited time period to create a security testing and fuzzing tool, we were able to identify eight zero-day vulnerabilities within PLCs affecting a number of vendors – including Wago, Siemens, Schneider, Emerson and GE. The discovery time was as little as a few hours, although some took significantly longer to be identified. In all cases, the tool found at least one vulnerability per device, but other issues related to the management software were also discovered in three devices (Wago Ethernet Settings, Siemens TiaPortal, and CodeSys.)
“It’s not surprising then that, according to a Business Advantage report, three out of four ICS customers expect a cybersecurity attack will happen to them. We’ve seen a few incursions materialise already and, with criminals’ attention turning to these systems as confirmed by various government agencies – including the UK’s NCS and the US’ FBI and DHS, the threat of a devastating attack is very real.
“Thankfully, as more vulnerabilities and security issues are brought into the open, a larger cyber security community is forming that is sharing its expertise and knowledge with a common goal – to identify, raise awareness, and provide solutions to cybersecurity challenges. In addition, the innovation and implementation of advanced cybersecurity technologies, such as machine learning and artificial intelligence, are an important step toward safe and reliable critical infrastructure.”