Security Experts:

One-Third of ICS Flaws Are Zero-Days When Disclosed: Report

More than 1,500 vulnerabilities specific to industrial control systems (ICS) have been disclosed in the past 15 years and many of them did not have vendor patches when their existence was made public, according to a new report from FireEye.

Since 2000, the security firm has documented 1,552 ICS-related flaws affecting the products of 123 vendors. However, the number of disclosed security bugs was almost insignificant until 2010, when the world learned about Stuxnet, the notorious worm that targeted Iranian nuclear facilities.

This is consistent with a study conducted last year by threat intelligence firm Recorded Future, which also found that vulnerability disclosures increased significantly following the Stuxnet incident.

Between January 2000 and December 2010, FireEye counted only 149 vulnerabilities, but the number increased by 300 percent the next year. Until 2014, the average number of ICS flaws increased by five percent year by year, and a spike was recorded in 2015 due to 92 issues disclosed simultaneously by two vendors. FireEye expects disclosure rates to continue to rise in the coming years at an average of five percent, with occasional drops and spikes.

Of the 801 vulnerabilities disclosed between February 2013 and April 2016, roughly half affected products at the second level of the Purdue ICS architectural model. Level 2 systems allow a human operator to supervise and control physical processes (i.e. SCADA systems). Experts believe the high number of flaws found at this level can be attributed to the fact that researchers are more familiar with the equipment and technologies, which are also more easy to obtain and inexpensive.

FireEye pointed out that access to level 2 systems can allow a threat actor to manipulate processes, which can have serious consequences.

Of the nearly 1,600 flaws documented by the security firm, 33 percent were zero-days at the time of disclosure. Of the roughly 400 issues found last year, more than 100 were unpatched when they were made public. Experts believe this trend is also likely to persist.

While the number of ICS vulnerabilities is on the rise, there are only five flaws known to be exploited in the wild: two of them leveraged in the Stuxnet attacks, two used last year by a Russia-linked threat actor in the operation targeting Ukraine’s energy sector, and one exploited by the same group in 2012 against various organizations.

A report published last month by Kaspersky Lab showed that a total of more than 220,000 ICS components had been reachable from the Internet, with nearly one-third of them located in the United States.

The latest FireEye report, titled “Overload: Critical Lessons from 15 Years of ICS Vulnerabilities,” is available for download in PDF format.

Related: Siemens Patches Flaws in Industrial Automation Products

Related: Learn More at the ICS Cyber Security Conference

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.