The role of industrial control systems in power grids, power plants, water supply stations, oil and gas production, food and beverage manufacturing, and transportation systems is akin to that of a technological mule. What is often overlooked is that our society relies on these systems to ensure smooth operations.
However, a new research report released by FireEye indicates that organizations operating vulnerable industrial control systems may expose themselves to risks from external attackers or malicious insiders.

The title of the FireEye iSight Intelligence 2016 ICS Vulnerability Trend Report is “Overload: Key Lessons from 15 Years of Vulnerabilities in Industrial Control Systems.” This study compiled 1,552 vulnerabilities in industrial control systems and their corresponding exploits from January 2000 to April 2016. Below is a summary of key findings and recommendations.
Almost Every Industrial Control System Vendor is Affected by Vulnerabilities
A total of 123 vendors have been impacted by vulnerabilities in industrial control systems. These vulnerable systems may be in use within your organization’s industrial control system environment. The report suggests that owners and operators of industrial control systems may be overwhelmed by vendor notifications, assessments, and deployments.
The report warns: “The flood of vulnerabilities may overwhelm owners of industrial control system assets, making it difficult for them to keep up with vulnerability notifications, assess related risks, and deploy vulnerability defenses.”
Industrial Control System Vulnerabilities are Increasing
The report table below shows that 90% of the examined industrial control system vulnerabilities occurred between 2011 and 2015. FireEye believes that the Stuxnet virus was publicly disclosed in mid-2010, which may have triggered a heightened interest in discovering vulnerabilities and exploits in industrial control systems.

Additionally, there was a 49% increase in vulnerabilities between 2015 and 2015, but the report explains that considering the concentration of vulnerabilities in 2015 between OSISoft and Yokogawa, the previous average growth rate of 5% per year is more likely to be the trend moving forward.

Media outlets believe that FireEye’s forecast of a 5% growth in future industrial control system vulnerabilities is somewhat conservative. Specific industries, regulations, new cutting-edge technologies designed for industrial control system environments, and enhanced security assessments will help uncover more vulnerabilities and currently unknown intrusion activities. If these conditions materialize, the growth rate of industrial control system vulnerabilities in the coming years will exceed 5%.
No Patches Available at the Time of Public Disclosure
Among the 1,552 vulnerabilities studied by FireEye, 516 (33%) had no patches available at the time of public disclosure. This means that one-third of the vulnerabilities are zero-day vulnerabilities, and FireEye expects this trend to continue. Given the slow pace of patching and the absence of vendor patches, threat actors have ample opportunity to infiltrate industrial control system environments.
The Holy Grail for Industrial Control System Attackers: Unrestricted Access to Level 2
FireEye iSight Intelligence uses a simplified Purdue model to classify vulnerabilities in industrial control systems. This model categorizes systems, devices, and functions into specific levels. The findings indicate that since 2013, most vulnerabilities in industrial control systems have affected Level 2.

FireEye considers this level to be very attractive for targeted research and attacks because other information technologies running at this level, such as mainstream operating systems and databases, are already familiar to researchers. Additionally, these are relatively inexpensive components that are easy to obtain.
For industrial control system security experts, the most critical point in the report is that “once attackers have unrestricted access to Level 2, the importance of further intrusion and vulnerability discovery diminishes, as HMI and engineering workstations are hosted at Level 2.”
FireEye cites a detail from the Ukrainian power plant attack, indicating that attackers who can control the HMI can freely control switches and actuators without needing to exploit other vulnerabilities.

Moreover, unauthorized protocols may allow any connected computer to interact with control processes, such as when Modbus/TCP is in use, any device on the network may be allowed to change setpoints in the logic executed by the controller.
Summary and Guidance
This report is beneficial for industrial control engineers, designers, and power plant managers. Additionally, if IT security teams wish to assist in the operation of industrial control systems but need a better understanding of the challenges, vulnerabilities, and threats, this report will also provide guidance.
FireEye iSight Intelligence provides a short list for those looking to start identifying vulnerabilities in industrial control systems:
-
Understand Your Assets: Prepare your security team by accurately understanding the assets, locations, and functions of control systems. Ensure your estimates of asset inventory are precise;
-
Industrial Control System Threat Intelligence: Obtain structured vulnerability and patch subscriptions from a variety of sources;
-
Track Vulnerabilities Based on Assets: Correlate vulnerability disclosures and patch releases with your asset inventory;
-
Track Vulnerable, Unpatched Products: Understand the legacy and classic devices you are currently using in the industrial environment. There are technologies that can provide defenses for industrial control systems that cannot be patched;
-
Prioritize Vulnerability Remediation: Prioritize vulnerability remediation by considering the location of the industrial control system architecture, the ease of intrusion, and the impact on the controlled industrial processes.
---
WeChat Latest Version, long press the public account to “Pin”
