Industrial control vulnerabilities in 2017

Dragos tracks industrial control system vulnerabilities and the vendor responses to them. Things are not pretty!

According to the Dragos report “Industrial Control Vulnerabilities: 2017 in Review”, 163 vulnerabilities were identified in 2017. “Of these, the majority were vulnerabilities in insecure-by-design products which are typically deep within an ICS network,” the report says.

Further, according to Reid Wightman, senior vulnerability analyst, it was found that “public reports failed to adequately define the industrial impact of vulnerabilities. Coupled with the fact that most public vulnerability disclosures provide no alternative guidance beyond, patch, or use secure networks.”

An industrial control system is the set of devices and software used to control an industrial process, whether that is a water purification plant, a mine processing plant, food manufacture or even a nuclear power plant. As well as sensors and actuators on the plant floor, there are programmable logic controllers to electrically operate the plant and SCADA (supervisory control and data acquisition) computers that let plant operators view and manage the work of the plant.

The report also provides some insight into the overall effectiveness and impact of these issues. Of the 163 issues found in 2017:

• Sixty-four percent of vulnerability patches don't fully eliminate the risk because the components were insecure by design.
• Eighty-five percent of vulnerabilities apply late in the kill chain and are not useful to gaining an initial foothold. If these vulnerabilities are exploited, it is likely the adversary has been active in the network for some time and already pivoted through various other systems.
• Seventy-two percent of advisories provide no alternative mitigation guidance outside of patching, suggesting no method to reduce risk until after an update cycle.
• Sixty-three percent of vulnerabilities were found to affect either ICS hardware or software with no publicly available version (e.g., free, demo).
• Seventy-one percent caused loss of view, 63% caused loss of control and 61% caused both.

As part of their report, Dragos offered three broad recommendations.

Most ICS vulnerability assessments and impact analyses are overly broad and generally inadequate for asset owners to draw any meaningful guidance from them. Dragos recommends that "vulnerability advisories must provide reasonable effective alternative options. Offer several alternatives which may not be applicable to all users but help some. This advice should include specific ports and services to restrict or monitor to reduce risk and impact from an attack, or specific system hardening recommendations to better defend systems from local exploitation".

Further, it says that "traditional IT impact assessments are insufficient for ICS/OT environmental risk analysis. Advisories should adopt ICS-specific metrics to better inform users of operational risks".

As always, patching is fraught in the ICS environment. Dragos observed that “major vendors have released patch-sets that triggered failures in end user systems”. Further, it said: “Patches are rarely applied quickly in ICS environments due to concern that the patch may cause an operations outage. Recent patch failures are reinforcing this argument.”

To counter this, the company recommends: "The first step to starting a patch management program must be developing a ‘test’ or ‘development’ control systems network which contains samples of the actual plant’s critical systems. This allows for proper testing of patches, and minimises the risk of outage of any critical plant systems."

Dragos’ report along with a couple of more detailed ones may be found here.

