UPDATED 01:24 EDT / JULY 14 2016

Industrial Control Systems remain vulnerable to security flaws

For the fourth consecutive year, more than 150 vulnerabilities have been identified and reported in industrial control systems (ICSs), highlighting once again how attractive such critical systems are to attackers, according to a new study by Kaspersky Lab.

Kaspersky’s researchers found and reported 189 unique vulnerabilities in 2015, slightly up from the 181 vulnerabilities discovered in 2014. More worrying is the finding that more than two dozen of those flaws had publicly available exploits that make it easy-peasy to compromise those systems. And numerous other issues, such as hard-coded passwords, leave systems vulnerable even without an exploit.

Gleb Gritsai, a security expert at Kaspersky Lab, told eWeek that the problems his team discovered are just the “tip of the iceberg”. He said the number of vulnerabilities found in ICSs was just a sneak preview of the true situation, pointing out that ICSs attract much less attention from security experts than IT products.

Industrial control systems have nonetheless grown more attractive to attackers in the last few years. Back in the 2000s, researchers only ever discovered a few vulnerabilities in ICSs each year, but the number found from 2010 onwards has risen dramatically. In 2010, 19 vulnerabilities were discovered, followed by 69 found in 2011, and 192 flaws found in 2012.

Those vulnerabilities occurred in a wide range of devices, built by 55 different manufacturers.

What’s worse is that those vulnerabilities are there for all to see. While 85 percent of the vulnerabilities discovered last year have now been patched, Kaspersky still found around 220,000 vulnerable devices that can be accessed over the Web, using the Shodan search engine service. The majority of vulnerable devices (57,000) were found in the U.S., followed by Germany, Spain, France and Italy.

Gritsai told eWeek that it’s not easy to know what kind of impact these vulnerabilities have had, as Kaspersky doesn’t know the exact details of each installation. However, Gritsai pointed out that vulnerabilities are not the only concern in industrial control systems, because misconfigurations and insecure settings can also leave systems at risk, even though they aren’t considered vulnerabilities as such.

“Lack of authentication or user access control is not a vulnerability that gets [a] CVE [Common Vulnerabilities and Exposures rating]; it’s an architectural weakness,” he said. “All this shows how ICSes are much more exposed to malefactors than the data in our report [suggest].”
