Critical infrastructure vulnerabilities surging


By Dylan Bushell-Embling
Monday, 08 August, 2016


Over the past six years there has been a stark increase in vulnerabilities in the critical systems that form the backbone of electric grids, water supplies and production lines, research from FireEye shows.

FireEye’s iSIGHT Intelligence has identified nearly 1600 publicly disclosed vulnerabilities in industrial control systems (ICS) since 2000, the company said in a new report.

Some 90% of these were disclosed after 2010, the year that the existence of Stuxnet — the first publicly recognised attack to exploit ICS vulnerabilities — was revealed in the media.

Such vulnerabilities can affect the operation of the equipment used to automate and monitor the processes that keep modern civilisation running. Since 2009 alone, nation state cyber crime groups have exploited five of these vulnerabilities in attacks, the report states.

But security personnel in industries that use ICS are often unaware of these vulnerabilities and are therefore leaving critical equipment exposed.

A full third of the vulnerability disclosures examined have no vendor fixes available, and patches that do get issued are often slow to be applied, making ICS a fertile ground for potential attackers.

Around half of the vulnerabilities affect “level 2” systems, where a compromise gives attackers control of devices that directly control connected processes. As seen in attacks on Ukrainian power companies in 2014, attackers gaining access at this level can perform functions including opening and closing switches at will.

This leaves open the potential for devastating cyber attacks that could cripple power grids and other essential infrastructure.

FireEye predicts that the rate of ICS-specific vulnerability disclosures will grow by 5% annually over the next several years.

“The flood of vulnerabilities is likely to overwhelm ICS asset owners as they struggle to keep up with vulnerability notifications, assess associated risk, and implement mitigation,” the report states.

“To ensure effectiveness and efficiency in dealing with ICS vulnerabilities, FireEye recommends that ICS asset owners prepare their security teams with an accurate understanding of control system assets, their locations, and functions.”

