Security Experts:

Connect with us

Hi, what are you looking for?



Vulnerabilities Continue to Plague Industrial Control Systems

The DHS ICS-CERT issued three security advisories on industrial control systems (ICS) this week, again showing that critical infrastructure and industrial networks continue to face serious issues.

The DHS ICS-CERT issued three security advisories on industrial control systems (ICS) this week, again showing that critical infrastructure and industrial networks continue to face serious issues.

In a recent blog post summarizing the current ICS threat landscape, Fortinet’s Ruchna Nigam highlights one important thing: “Most industrial control systems come from very different vendors and run proprietary operating systems, applications, and protocols (GE, Rockwell, DNP3, Modbus). As a result, host-based security developed for IT is generally not available for ICS.”

Industrial Cyber Security

This in turn makes ICS even more vulnerable and dependent on vendor-provided fixes to researcher-found vulnerabilities. The three new advisories all reference vulnerabilities originally found and reported by independents – in all cases, however, those researchers do not appear to have been given the opportunity to verify the fixes.

Ivan Sanchez, who found a recent Rockwell IAB vulnerability is surprised at this. He is constantly looking for, and continuously finding, new ICS vulnerabilities. Last year he reported more than 150 high risk issues to Rockwell alone. Usually when he reports an issue he is consulted over the fix.

“In 95% of cases I am asked to retest the application before the advisory is published,” Sanchez told SecurityWeek. “I think these companies should ask me for the rest of the vulnerabilities [I’ve found] rather than just say ‘thanks’ for this one.”

Advisory ICSA-16-056-01 describes an access violation memory error in Rockwell Automation’s Integrated Architecture Builder (IAB) application. If successfully exploited it would allow an attacker to execute malicious code with the same privilege level as the IAB tool. It could only be exploited by a local user, and has now been fixed. Until the latest version can be installed, users are advised to avoid opening any untrusted project files with IAB.exe; and run all software as ‘user’ and not as ‘administrator.’

Advisory ICSA-16-061-03 describes a cookie-based vulnerability that allows a remote attacker to configure Eaton Lighting Systems via the EG2 Web Control. Eaton has fixed the vulnerability but is in the process of replacing the entire system.

Advisory ICSA-16-096-01 describes four vulnerabilities in Pro-face’s GP-Pro EX HMI software: one information disclosure, two buffer overflows and hard-coded credentials. All four have been fixed.

Empirical evidence like this suggests that ICS security is a much bigger problem than is implied by the Fortinet blog.

Indeed, Ivan Sanchez told SecurityWeek, “The ICS industries have to improve their code and insert security and audit controls. I have reported 30% of the issues I’ve found, and the industry hasn’t had time to fix all of these – so I would say we have a big problem.”

Despite this, everyone knows there is a problem – but for the moment it is largely a potential problem.

Patrick Coyle, author of Chemical Facility Security News, explains. “On one hand there are so many vulnerabilities in almost any control system that you would care to mention that just about anybody could hack into a control system. On the other hand the systems that these ICS control are so complex that to do something that looks like an effective attack takes a great deal of system (as opposed to ICS) expertise.”

He expects attacks to increase, but more in quantity than in quality. “I think we are going to start to see more of the ineffective attacks on ICS like that water system hack reported by Verizon; random changes to valve settings that upset things, but that are caught and corrected by safety systems or alert operators.” The danger is that something serious will happen as much by accident as intent.

But he warns, “My biggest fear right now is that someone will put a critical infrastructure on lockdown with ransomware. That does not take any great process knowledge; just access to the system.”

Related: Learn More a the 2016 ICS Cyber Security Conference

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...