
THREAT INTELLIGENCE REPORT

Up and to the Right: ICS/SCADA Vulnerabilities by the Numbers

Summary

›› Capabilities for attacks on ICS/SCADA1 systems (collectively referred to as ICS below) are growing. The number of publicly disclosed vulnerabilities and off-the-shelf exploits targeting ICS systems continues to grow over time and well into 2015, even as awareness of the dangers to critical infrastructure is improving.

›› Vulnerability patterns are improving for some vendors but not for others. Our assumption is that investments in application and control logic security, along with active threat intelligence efforts, are paying dividends for some vendors.

›› Siemens and Schneider Electric, the largest and fourth largest industrial automation vendors2, account for the largest number of reported vulnerabilities, close to 50% of the total. Of note, a Siemens PLC product was the target of STUXNET, the predominant example of an ICS/SCADA attack.

›› The combination of continued growth in ICS vulnerabilities, off-the-shelf exploits targeting them, and credentials for critical infrastructure companies being routinely accessible in public forums leaves critical infrastructure open to potentially more aggressive motivations. Historically, few cyber attacks on ICS have been observed; STUXNET continues to be the predominant example. Recently we have seen novel patterns of attacks that are destructive and extortionist in nature, such as the Sony attack, bank extortion by the Rex Mundi group, and the more prevalent Cryptolocker strain of malware. Destructive/extortionist attacks on ICS are a potentially logical continuation, even if not yet observed in the wild.

Introduction

The capabilities for ICS attacks are growing, and actual ICS probes and attacks are growing as well. Dell states in its 2015 Annual Threat Report, “In 2014, Dell saw a 2X increase in SCADA attacks compared with 2013.” Further, in terms of motivations, Dell states, “SCADA attacks tend to be political in nature, since they target operational capabilities within power plants, factories, and refineries, rather than credit card information.” Digital Bond introduces some alternative motivations in its blog post Monetizing SCADA Attacks.

Trend Micro lays out the results of honeypots designed to catch ICS attacks in its report The SCADA That Didn’t Cry Wolf.

To study risks to ICS infrastructure we analyze a few datasets, including the NIST National Vulnerability Database (NVD) as well as the Recorded Future Web intelligence holdings, which include data from the open, deep, and dark Web.

The totality of the NIST NVD at the time of this analysis included over 71,500 vulnerabilities across many types of software systems. We used a series of search criteria to identify a subset of ICS vulnerabilities (terms such as “SCADA”, “ICS”, and “PLC”, as well as a series of key vendor names), and then filtered out non-SCADA records: PLC is an overloaded term (programmable logic controller, but also power-line communication), and some vendors are in multiple industries. Our result set was about 400 records in size.

1 Industrial Control Systems / Supervisory Control and Data Acquisition
2 “BofA Merrill Lynch Global Research”, 16 May 2014

Recorded Future Special Intelligence Desk Up and to the Right: ICS/SCADA Vulnerabilities by the Numbers

The Recorded Future holdings include a large collection of exploit references: exploits offered for sale in dark forums or by more legitimate vendors, proofs of concept from white hat security researchers, and so on.

Finally, Recorded Future has observed large amounts of stolen credentials from companies and government organizations, collected from paste sites and forums. These stolen credentials often originate from attacks on third-party sites (charity sites, sports sites, political sites, etc.) where employees have reused their employer credentials, and this is also true for critical infrastructure companies. A previously published Recorded Future report highlighted that among critical infrastructure companies in the Fortune 500, 19 major public utilities and 15 energy companies had leaked credentials. Similarly, in the FT Europe 500, 17 chemical companies, 17 industrial engineering companies, and 12 oil and gas companies had leaked credentials.
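The paste-site triage that produces a finding like the one above, as an added example (this is not Recorded Future's code or its collection method). The watch list WATCH_DOMAINS and the paste SAMPLE_PASTE are constructed for illustration; the line format (email, separator, password, with a few separator variants and junk lines) is the shape such dumps usually take. The two checks a practitioner wants are shown: subdomains of a watched domain count, a look-alike domain that merely ends in the watched string does not, and only a hash of the leaked password is retained.

```python
"""Triage a credential dump against a watch list of organisation domains.

Added example; not Recorded Future's code. WATCH_DOMAINS and SAMPLE_PASTE
are constructed for illustration.
"""
import hashlib
import re
from collections import Counter

# Constructed watch list: apex domains of organisations we monitor.
WATCH_DOMAINS = {"example-utility.com", "example-energy.co.uk"}

# Constructed sample paste: mixed separators, odd casing, comment and
# junk lines, and one look-alike domain that must NOT match.
SAMPLE_PASTE = """\
jane.doe@example-utility.com:Summer2015!
bob@mail.example-utility.com;hunter2
# dumped from a charity-site forum
alice@unrelated.org:password1
carol@EXAMPLE-ENERGY.CO.UK | Welcome1
not-an-email-line
dave@example-energy.co.uk.evil.net:x
"""

# email, then one of ':' ';' '|' as separator, then the password.
LINE_RE = re.compile(r"^\s*([^\s:;|]+@[^\s:;|]+)\s*[:;|]\s*(\S+)\s*$")


def parse_dump(text):
    """Yield (email, password) pairs; skip blank, comment and malformed lines."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def domain_of(email):
    return email.rsplit("@", 1)[1]


def watched_apex(domain, watch=WATCH_DOMAINS):
    """Return the watched apex domain that `domain` equals or sits under, else None.

    Matching on label boundaries (not a plain suffix check) is what rejects
    look-alikes such as example-energy.co.uk.evil.net.
    """
    labels = domain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watch:
            return candidate
    return None


def triage(text, watch=WATCH_DOMAINS):
    """Return {email: sha256(password)} for addresses under a watched domain.

    The hash, not the plaintext, is what gets stored: enough to notify the
    user and to de-duplicate against earlier dumps, without the paste's
    secrets living on in a ticket.
    """
    hits = {}
    for email, password in parse_dump(text):
        if watched_apex(domain_of(email), watch) is not None:
            hits[email] = hashlib.sha256(password.encode()).hexdigest()
    return hits


def count_by_domain(hits, watch=WATCH_DOMAINS):
    """Summarise hits per watched apex domain, like the report's per-sector tallies."""
    return dict(Counter(watched_apex(domain_of(e), watch) for e in hits))


if __name__ == "__main__":
    found = triage(SAMPLE_PASTE)
    for email, digest in sorted(found.items()):
        print(f"{email:40s} sha256={digest[:16]}...")
    print(count_by_domain(found))
```

On the constructed paste the script reports two hits for example-utility.com (one of them on a subdomain) and one for example-energy.co.uk, and ignores the look-alike dave@example-energy.co.uk.evil.net.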

Opportunities and Capabilities

The first step in our analysis is to understand the available and known capabilities for attacks on ICS systems, which we will do through analysis of the NIST NVD and the Recorded Future holdings (it should of course be noted that the best known SCADA attack, STUXNET, relied heavily on previously unknown vulnerabilities and exploits).

The InfoSec Institute in their report from 2013 states:

“Contrary to what a user can believe, to attack a SCADA system is not so hard. There are many techniques that could be adopted to compromise a control system. In several instances, the absence of defense systems, improper configurations, zero-day vulnerabilities and superficial patch management processes give an advantage to the attacker.”

PJ DeSantis of the NSA states in his article, Cyber-Mugging: Summary and Analysis of a Simulated ICS/SCADA Attack:

“It is safe to assert that the absence of significant destructive cyber attacks targeting ICS is in no way a result of common ICS security practices. However, there is a debate as to just how low the bar is with regard to attacker skill level and resource requirements needed to execute destructive cyber attacks against ICS.”

Vulnerabilities in ICS systems

The NIST NVD at the time of this report contained over 71,500 vulnerabilities. We selected a subset of these and grouped them by main vendor, as in Figure 1 below. This is the full set of vulnerabilities (per our definition), which yields 408 CVEs over time. Siemens and Schneider Electric stand out; together they represent 50% of the dataset. This is partly because they are large companies with large market share, which immediately yields a high degree of visibility from researchers discovering vulnerabilities. Equally important, these are prominent systems in installations around the world, so it matters even more that these vendors maintain a strong security posture.


Figure 1: ICS vulnerabilities by vendor.

Next we explore these vulnerabilities over time. After a sharp jump in 2011 (post STUXNET), vulnerability disclosures continue at this new, higher level.

Figure 2: Total number of ICS vulnerability disclosures over time.


Breaking down this trend by vendor, as in Figure 3 below, is where it gets interesting, as very different patterns emerge. The number of vulnerabilities for Schneider Electric and Siemens continues at a high level, including into 2015 (remember that at the time of this analysis we are just about halfway into 2015). On the other hand, vulnerabilities for ABB, General Electric, and others are shrinking.
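The selection step described in the Introduction (keyword and vendor search, then filtering out overloaded terms and multi-industry vendors) and the per-vendor and per-year tabulation behind Figures 1 to 3, as one added example. This is not Recorded Future's code or its exact method: SAMPLE_FEED is constructed in the shape of the NVD JSON 1.0 feed with placeholder identifiers, and ICS_VENDORS, MULTI_INDUSTRY, ICS_KEYWORDS and NON_ICS_CONTEXT are assumptions made for the example. The counts come out of the constructed sample, not the real 408 CVEs.

```python
"""Select ICS-related CVEs from an NVD-style feed and count them by vendor
and by year of publication.

Added example, not Recorded Future's code or exact method. SAMPLE_FEED is
constructed in the shape of the NVD JSON 1.0 feed (cve.CVE_data_meta.ID,
description_data, configurations/cpe_match/cpe23Uri, publishedDate); the
identifiers, vendors, products and descriptions are illustrative only.
"""
import re
from collections import Counter, defaultdict

# CPE vendor names we accept as ICS vendors (assumption).
ICS_VENDORS = {"siemens", "schneider-electric", "abb", "ge", "advantech"}
# Vendors active in several industries: accept only their ICS product lines.
MULTI_INDUSTRY = {"ge": re.compile(r"proficy|cimplicity|ifix", re.I)}
# Keyword hits in the description, and contexts where the keyword is the
# wrong "PLC"/"ICS" (power-line communication, iCalendar .ics files).
ICS_KEYWORDS = re.compile(r"\b(scada|ics|plc|hmi)\b", re.I)
NON_ICS_CONTEXT = re.compile(r"power[- ]?line communication|icalendar", re.I)


def make_record(rec_id, desc, cpes, published):
    """Build one record in NVD JSON 1.0 shape (constructed test data)."""
    return {
        "cve": {"CVE_data_meta": {"ID": rec_id},
                "description": {"description_data": [{"lang": "en", "value": desc}]}},
        "configurations": {"nodes": [{"cpe_match": [{"cpe23Uri": c} for c in cpes]}]},
        "publishedDate": published,
    }


# Placeholder IDs (EXAMPLE-...), not real CVE numbers.
SAMPLE_FEED = [
    make_record("EXAMPLE-2011-01", "Buffer overflow in Siemens SIMATIC WinCC allows remote code execution.",
                ["cpe:2.3:a:siemens:simatic_wincc:7.0:*:*:*:*:*:*:*"], "2011-03-14T19:55Z"),
    make_record("EXAMPLE-2011-02", "Schneider Electric Modicon PLC exposes an undocumented service.",
                ["cpe:2.3:h:schneider-electric:modicon_m340:-:*:*:*:*:*:*:*"], "2011-12-01T11:00Z"),
    make_record("EXAMPLE-2013-03", "ABB HMI software crashes on malformed input (denial of service).",
                ["cpe:2.3:a:abb:panel_builder:*:*:*:*:*:*:*:*"], "2013-06-20T14:00Z"),
    make_record("EXAMPLE-2014-04", "Stack overflow in the PLC firmware of Acme power-line communication modems.",
                ["cpe:2.3:o:acme:plc_modem_firmware:*:*:*:*:*:*:*:*"], "2014-02-02T10:00Z"),
    make_record("EXAMPLE-2015-05", "Siemens SIMATIC S7-300 CPU firmware denial of service on a malformed packet.",
                ["cpe:2.3:h:siemens:simatic_s7-300:-:*:*:*:*:*:*:*"], "2015-04-10T10:00Z"),
    make_record("EXAMPLE-2015-06", "Cross-site scripting in Acme Calendar when importing .ics (iCalendar) files.",
                ["cpe:2.3:a:acme:calendar:2.1:*:*:*:*:*:*:*"], "2015-05-05T10:00Z"),
    make_record("EXAMPLE-2015-07", "Directory traversal in GE Proficy CIMPLICITY WebView.",
                ["cpe:2.3:a:ge:proficy_cimplicity:8.2:*:*:*:*:*:*:*"], "2015-01-20T10:00Z"),
    make_record("EXAMPLE-2015-08", "Hard-coded credentials in GE Centricity imaging workstation.",
                ["cpe:2.3:a:ge:centricity_pacs:*:*:*:*:*:*:*:*"], "2015-03-03T10:00Z"),
]


def description(record):
    return " ".join(d["value"] for d in record["cve"]["description"]["description_data"])


def cpe_pairs(record):
    """Yield (vendor, product) from each cpe23Uri; flat nodes only (assumption)."""
    for node in record["configurations"]["nodes"]:
        for match in node.get("cpe_match", []):
            parts = match["cpe23Uri"].split(":")
            yield parts[3], parts[4]


def is_ics(record):
    """Exclusions win; then vendor/product match; then a keyword in the description."""
    desc = description(record)
    if NON_ICS_CONTEXT.search(desc):
        return False
    for vendor, product in cpe_pairs(record):
        if vendor in ICS_VENDORS:
            hint = MULTI_INDUSTRY.get(vendor)
            if hint is None or hint.search(product):
                return True
    return bool(ICS_KEYWORDS.search(desc))


def primary_vendor(record):
    """First ICS vendor in the CPE list, else 'other' (the report groups by main vendor)."""
    for vendor, _ in cpe_pairs(record):
        if vendor in ICS_VENDORS:
            return vendor
    return "other"


def year_of(record):
    return int(record["publishedDate"][:4])


def select_ics(records):
    return [r for r in records if is_ics(r)]


def tabulate(records):
    """Return (by_vendor, by_year, by_vendor_year) Counters for the selected set."""
    by_vendor, by_year = Counter(), Counter()
    by_vendor_year = defaultdict(Counter)
    for r in records:
        v, y = primary_vendor(r), year_of(r)
        by_vendor[v] += 1
        by_year[y] += 1
        by_vendor_year[v][y] += 1
    return by_vendor, by_year, by_vendor_year


if __name__ == "__main__":
    selected = select_ics(SAMPLE_FEED)
    by_vendor, by_year, by_vendor_year = tabulate(selected)
    print("by vendor:", dict(by_vendor))
    print("by year:  ", dict(sorted(by_year.items())))
    for vendor, years in sorted(by_vendor_year.items()):
        print(f"{vendor:20s}", dict(sorted(years.items())))
```

Of the eight constructed records, five survive: the power-line "PLC" modem and the iCalendar ".ics" record are dropped by the context exclusion, and the GE medical-imaging record is dropped because GE is treated as a multi-industry vendor whose non-ICS product lines do not count. Running the same logic over a real NVD feed is a matter of replacing SAMPLE_FEED with the parsed JSON items.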

There can be many historical reasons for large numbers of vulnerabilities existing in large installed bases: they are likely older products with many information security researchers’ eyes on them. That said, it is our belief that the most important point in Figure 3 is the trend by vendor, as it likely reflects active information security efforts by vendors, or the lack thereof. We can likely compare this to identifying a “Microsoft security moment”: say, when Microsoft was hit by the Code Red worm in 2001 and subsequently introduced Patch Tuesday in 2003, or when Android manufacturers committed to monthly patches.

Figure 3: Total number of ICS vulnerabilities over time, by vendor.

Breaking down these vulnerabilities not only by vendor but also by product yields a focused set of products for these vulnerabilities, including Siemens SIMATIC, Siemens WinCC, Advantech Broadwin, Schneider WonderWare, and GE Proficy.

Figure 4: ICS vulnerabilities broken down by vendor and product.


Exploiting Vulnerabilities

A sophisticated attacker, for example a nation state, might well have access to completely novel vulnerabilities and exploits (e.g., the STUXNET zero-days). However, if we believe that both destructive attackers and those seeking ransom might be on the horizon, already known vulnerabilities and exploits may very well be put to effective use.

Analyzing the Recorded Future holdings, we quickly identify a worrying trend of ICS exploits available for the vendors described above. These exploits include those published by white hat researchers (perhaps as a Metasploit module), those sold by vendors of more or less legitimate exploit kits, and so on. As can be observed in the histogram below, the number of exploits continues to grow and is not letting up in 2015. If exploits continue to be reported at the current rate, 2015 will end as the largest year so far.

Figure 5: ICS exploits growing over time, with 2015 likely growing to largest number so far.

The sourcing of these exploits in the Recorded Future holdings comes from a series of Web intelligence sources, as can be observed below.


Breaking down these exploits by vendor and product leaves us with a small set of products in focus, as observed in Figure 6 below. The Shodan search engine will very efficiently find installations of systems matching these exploits.

Figure 6: Totality of ICS exploits broken down by vendors and products.

One interesting observation is that of the many underground/criminal exploit kits Recorded Future tracks, none offer ICS exploits. The exploit kits include attacks on popular desktop software, Web infrastructure, and financial infrastructure, but so far, no ICS vulnerabilities. Companies like Gleg do offer commercial exploit kits for ICS. That said, many of the attack vectors of current exploit kits can be used for initial attacks and probes into ICS systems, since ICS systems are often intertwined with regular business/IT systems.

Exploit Origination

Finally we break down the origination of PoCs/exploits by country (Figure 7 below). We associate countries with the residence of the researchers and companies/organizations. This yields some interesting results. Malta stands out, but this is entirely because of the company ReVuln and the prominent researcher Luigi Auriemma. The United States, unsurprisingly, is the origin of many exploits, but so is Argentina, and much of that comes back to PoCs originating from Core Security and Rapid7. Russia, Spain, Turkey, Italy, and Brazil also stand out.

The key point, though, is that ICS exploit/PoC development is likely a very limited domain in which a few researchers dominate the field, at least to the extent of published research. Obviously there are likely exploits being researched and developed in intelligence agencies in multiple countries. In Figure 7 below we carve out separately the rumored attribution of the exploits used in STUXNET.


Figure 7: ICS security researchers by country.

From Vulnerability to Exploit to Action

Tying this together we can connect the dots from vulnerabilities to exploits to identifying actual potentially exploitable systems and installations. Using Recorded Future we identify a timeline of Siemens SIMATIC vulnerabilities and focus in on a single one: CVE-2015-2177.

Figure 8: Timeline of Siemens SIMATIC vulnerabilities.


We can then easily identify exploits related to this CVE in Recorded Future, seen below.

Figure 9: Recorded Future view of exploits for CVE-2015-2177.

Finally, we can easily use Shodan to identify installations of Siemens SIMATIC, and as in Figure 10 below, connect the dots from vulnerability to exploit to potential targets.

Figure 10: Connecting the dots from vulnerability advisory to exploit to identifying actual Siemens SIMATIC installations in Shodan.
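The last hop of the pivot, seen from the defender's side, as an added example: given a set of device banners (a Shodan export or an internal asset inventory) and an advisory's affected-version bounds, decide which installations actually fall inside the range and which need manual verification. This is not Recorded Future's, Siemens' or Shodan's code. ADVISORY is a hypothetical entry in NVD CPE-match form: the field names (cpe23Uri, versionStartIncluding, versionEndExcluding) are NVD's, but the bounds are made up and are not the affected range of CVE-2015-2177 or any other real CVE. SAMPLE_BANNERS are constructed in the style of Shodan's S7 (TCP/102) output, and the assumption that S7-300 CPU order numbers begin with 6ES7 3xx- is made for the example.

```python
"""Flag exposed devices whose firmware falls inside an advisory's affected
range, turning the vulnerability -> exploit -> installation pivot into a
prioritised list.

Added example; not Recorded Future's, Siemens' or Shodan's code. ADVISORY
is hypothetical (NVD field names, made-up bounds); SAMPLE_BANNERS are
constructed in the style of Shodan's S7 banners.
"""
import re

ADVISORY = {
    "id": "EXAMPLE-ADVISORY",  # placeholder, not a real CVE
    "cpe23Uri": "cpe:2.3:o:siemens:simatic_s7-300_cpu_firmware:*:*:*:*:*:*:*:*",
    "versionStartIncluding": "3.0.0",
    "versionEndExcluding": "3.2.12",
}

# Constructed banners: documentation-range IPs, S7-style fields.
SAMPLE_BANNERS = [
    {"ip": "192.0.2.10", "banner": "Module: 6ES7 315-2EH14-0AB0\nBasic Hardware: 6ES7 315-2EH14-0AB0\n"
                                   "Basic Firmware: v.3.2.6\nName of the PLC: line-1"},
    {"ip": "192.0.2.11", "banner": "Module: 6ES7 315-2EH14-0AB0\nBasic Firmware: v.3.2.12"},
    {"ip": "192.0.2.12", "banner": "Module: 6ES7 317-2EK14-0AB0\nBasic Firmware: V 3.3.7"},
    {"ip": "192.0.2.13", "banner": "Module: 6ES7 315-2EH14-0AB0"},            # no firmware string
    {"ip": "192.0.2.14", "banner": "Module: 6ES7 315-2EH14-0AB0\nBasic Firmware: v.2.6.9"},
    {"ip": "192.0.2.15", "banner": "Module: 6ES7 412-2EK06-0AB0\nBasic Firmware: v.6.0.3"},  # S7-400
]

FIRMWARE_RE = re.compile(r"Basic Firmware:\s*[vV]\.?\s*(\d+(?:\.\d+)*)")
# Assumption for this example: S7-300 CPU order numbers begin 6ES7 3xx-.
S7_300_RE = re.compile(r"Module:\s*6ES7\s*3\d{2}-")


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def padded(a, b):
    """Right-pad the shorter tuple with zeros so '3.2' compares as 3.2.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


BOUNDS = (
    ("versionStartIncluding", lambda v, b: v >= b),
    ("versionStartExcluding", lambda v, b: v > b),
    ("versionEndIncluding", lambda v, b: v <= b),
    ("versionEndExcluding", lambda v, b: v < b),
)


def in_affected_range(version, advisory):
    """Apply NVD's versionStart*/versionEnd* bounds; an absent bound is open."""
    for key, ok in BOUNDS:
        bound = advisory.get(key)
        if bound is None:
            continue
        v, b = padded(version, parse_version(bound))
        if not ok(v, b):
            return False
    return True


def classify(banner, advisory):
    """'affected', 'not_affected', or 'unknown' (other product family, or no firmware string)."""
    if not S7_300_RE.search(banner):
        return "unknown"
    m = FIRMWARE_RE.search(banner)
    if not m:
        return "unknown"
    hit = in_affected_range(parse_version(m.group(1)), advisory)
    return "affected" if hit else "not_affected"


def prioritise(hosts, advisory):
    """Map ip -> status. 'unknown' goes to the verification queue, not the ignore pile."""
    return {h["ip"]: classify(h["banner"], advisory) for h in hosts}


if __name__ == "__main__":
    for ip, status in prioritise(SAMPLE_BANNERS, ADVISORY).items():
        print(f"{ip:12s} {status}")
```

The point of the three-way result is the caveat: a banner with no firmware string, or from a different product family, is not evidence that a host is safe, and the fixed version itself (3.2.12 here, the exclusive upper bound) must not be flagged. Version strings are compared as padded integer tuples rather than as text, so "3.10" sorts after "3.9".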


Motivations

Historically, few significant ICS attacks have been publicly disclosed or reported (beyond honeypots), which is what PJ DeSantis refers to as the absence of significant destructive cyber attacks targeting ICS. Trend Micro lists a few in their report, and similar short lists can be found elsewhere. The STUXNET attack on Iranian nuclear infrastructure is still unattributed beyond rumors, and only a few other attacks have been disclosed, including a German steel mill being targeted, as reported by the German Federal Office for Information Security (BSI):

Breakdowns of individual control components or entire installations proliferated. The breakdowns led to the uncontrolled shutdown of a blast furnace, leaving it in an undefined state and resulting in massive damage.

This lack of actual attacks, compared to the level of fear and paranoia, probably makes sense: state-backed attacks on critical infrastructure are perceived to be close to acts of war, and the motivations of other attackers, such as criminal gangs and hacktivists, have been perceived as low. Criminal actors are motivated by financial gain and have historically focused on financial infrastructure; there has been little potential for financial gain in ICS attacks.

Likewise, hacktivists have many motivations, primarily furthering their political agenda, and accordingly have focused on media companies. Even when their political agenda is aligned against companies with large ICS infrastructures (e.g., energy, chemical, or pharmaceutical companies), it would likely not further hacktivists’ agendas to create general destruction. There have been warnings, though, that hacktivists and the like might target industrial control systems.

Finally, terrorists have not been performing cyber attacks beyond simple Web and social media defacement, even though there are rumors, such as the attack being a maskirovka to allow for a physical attack. Terrorists would likely be motivated to use ICS attacks if they developed the capability to deploy them.

Recently we have observed novel patterns of attacks that are destructive and extortionist in nature, such as the Sands attack, the Sony attack, bank extortion by groups like Rex Mundi, DD4BC threatening exchanges with DDoS attacks unless they pay protection money, and the more prevalent Cryptolocker strain of malware. It is likely too early to claim a change in cyber attack behavior, but this is something new that is unlikely to stay within the domains we have seen so far, and ICS is a perfect place to take this behavior.

One potential motivation for attackers is the length and duration of damage vectors in ICS environments. While an IT cyber attack is akin to a match, used once and then quickly defended against, ICS systems retain vulnerabilities longer because of limited patching capabilities. In addition, ICS attacks can damage physical equipment connected to the PLC (transformers, pumps, engines, etc.), and mitigating that damage involves a slow replacement cycle.

Looking at the existing wealth of potential ICS attacks, we can only surmise that the dearth of actual devastating attacks is due to restraint by attackers, who prefer to conserve their capabilities and use (and burn) them only piecemeal.


Conclusions

In this report we demonstrate how capabilities for attacks on ICS/SCADA systems are growing. The number of publicly disclosed vulnerabilities and off-the-shelf exploits targeting ICS systems continue to grow over time and well into 2015. Some vendors are improving, but others are not.

The combination of continued growth in ICS vulnerabilities along with off-the shelf exploits targeting these, as well as credentials for critical infrastructure companies being routinely accessible in public forums, leaves critical infrastructure open to potentially more aggressive motivations.

Recent patterns of attacks that are destructive and extortionist in nature, such as the Sony attack, bank extortion by the Rex Mundi group, and the more prevalent Cryptolocker strain of malware, are disturbing examples. Destructive/extortionist attacks on ICS are a potentially logical continuation, even though not yet observed in the wild.

There is much work to do for the security community in the area of industrial control systems.

About Recorded Future

We arm you with real-time threat intelligence so you can proactively defend your organization against cyber attacks. With billions of indexed facts, and more added every day, our patented Web Intelligence Engine continuously analyzes the entire Web to give you unmatched insight into emerging threats. Recorded Future helps protect four of the top five companies in the world.

Recorded Future, 363 Highland Avenue, Somerville, MA 02144 USA | © Recorded Future, Inc. All rights reserved. All trademarks remain property of their respective owners. | 9/15
