Vulnerabilities Continue to Plague Industrial Control Systems

The DHS ICS-CERT issued three security advisories on industrial control systems (ICS) this week, again showing that critical infrastructure and industrial networks continue to face serious issues.

In a recent blog post summarizing the current ICS threat landscape, Fortinet’s Ruchna Nigam highlights one important thing: “Most industrial control systems come from very different vendors and run proprietary operating systems, applications, and protocols (GE, Rockwell, DNP3, Modbus). As a result, host-based security developed for IT is generally not available for ICS.”

This in turn makes ICS even more vulnerable and dependent on vendor-provided fixes to researcher-found vulnerabilities. The three new advisories all reference vulnerabilities originally found and reported by independents – in all cases, however, those researchers do not appear to have been given the opportunity to verify the fixes.

Ivan Sanchez, who found a recent Rockwell IAB vulnerability, is surprised at this. He is constantly looking for, and continuously finding, new ICS vulnerabilities. Last year he reported more than 150 high-risk issues to Rockwell alone. Usually when he reports an issue he is consulted over the fix.

“In 95% of cases I am asked to retest the application before the advisory is published,” Sanchez told SecurityWeek. “I think these companies should ask me for the rest of the vulnerabilities [I’ve found] rather than just say ‘thanks’ for this one.”

Advisory ICSA-16-056-01 describes an access violation memory error in Rockwell Automation’s Integrated Architecture Builder (IAB) application. If successfully exploited, it would allow an attacker to execute malicious code with the same privilege level as the IAB tool. It could only be exploited by a local user, and has now been fixed. Until the latest version can be installed, users are advised to avoid opening any untrusted project files with IAB.exe, and to run all software as ‘user’ and not as ‘administrator.’

Advisory ICSA-16-061-03 describes a cookie-based vulnerability that allows a remote attacker to configure Eaton Lighting Systems via the EG2 Web Control. Eaton has fixed the vulnerability but is in the process of replacing the entire system.

Advisory ICSA-16-096-01 describes four vulnerabilities in Pro-face’s GP-Pro EX HMI software: one information disclosure, two buffer overflows and hard-coded credentials. All four have been fixed.

Empirical evidence like this suggests that ICS security is a much bigger problem than is implied by the Fortinet blog.

Indeed, Ivan Sanchez told SecurityWeek, “The ICS industries have to improve their code and insert security and audit controls. I have reported 30% of the issues I’ve found, and the industry hasn’t had time to fix all of these – so I would say we have a big problem.”

Despite this, everyone knows there is a problem – but for the moment it is largely a potential problem.

Patrick Coyle, author of Chemical Facility Security News, explains. “On one hand there are so many vulnerabilities in almost any control system that you would care to mention that just about anybody could hack into a control system. On the other hand the systems that these ICS control are so complex that to do something that looks like an effective attack takes a great deal of system (as opposed to ICS) expertise.”

He expects attacks to increase, but more in quantity than in quality. “I think we are going to start to see more of the ineffective attacks on ICS like that water system hack reported by Verizon; random changes to valve settings that upset things, but that are caught and corrected by safety systems or alert operators.” The danger is that something serious will happen as much by accident as intent.

But he warns, “My biggest fear right now is that someone will put a critical infrastructure on lockdown with ransomware. That does not take any great process knowledge; just access to the system.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
