Report a Grim Reminder of State of Critical Infrastructure Security

Government ICS report reveals access control a major issue for sector along with nagging issues around poor code quality and cryptography.

U.S. critical infrastructure got another reminder this week that it needs to do more to protect itself from cyber attacks with the release of an annual government report.

The NCCIC/ICS-CERT FY 2015 Annual Vulnerability Coordination Report points out that nagging issues continue to plague industrial control systems (ICS) and SCADA systems, notably a dearth of access controls limiting unauthorized access, poor software code quality, and the weakening, or absence of, crypotographic security when it comes to the protection of data and network communications.

The report, released by the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), represents trend data culled by private and public industrial control firms for 2015. Topping the list of industries with the most reported vulnerabilities are energy, critical manufacturing, water and wastewater systems, and food and agriculture.

“What this report reveals is we are still grappling with the same systemic problems that have plagued industrial control systems for the past 20 to 30 years,” said Justin Harvey, head of security strategy with network security vendor Gigamon. “We can’t afford to take the same business-as-usual approach to solving industrial control security issues.”

According to ICS-CERT, 52 percent of vulnerabilities reported in 2015 trace back to improper input validation and poor access controls. While the report prioritizes the gap, experts said the trend may simply reflect the types of vulnerabilities targeted by researchers disclosing vulnerabilities to the agency in 2015.

Chris Eng, VP of research at Veracode, said access controls also present a challenge to other sectors. “We see similar rates – if not higher – outside of the industrial control sector. A lot of these problems are tied to the fact these systems used by industrial control systems date back to even before programmers were thinking about incorporating security into software.”

More alarming to some experts is ICS-CERT data that shows a troubling trend when it comes to an uptick in reported cryptographic vulnerabilities when comparing 2015 data compared to past reports. The number of industrial control systems “missing encryption of sensitive data” jumped from 3 percent for years 2010-2014, to 14 percent in 2015. According to the report, from 2010 to 2014, seven percent of industrial control systems had inadequate encryption strength compared to 25 percent in 2015.

Alex Rothacker, security research director of the SpiderLabs Team at Trustwave, said lingering issues from Heartbleed, POODLE and other vulnerabilities in crypto libraries could be popping up in ICS. “This increase probably indicates the use of these libraries in ICS systems,” he said.

According to ICS-CERT, cryptographic problems faced by private and public ICS operators trace back to a larger issue identified as “poor code quality vulnerabilities.” According to the report, half of ICS vulnerabilities are due to poor code quality.

“Poor code quality in software across the industry has also created many heartaches for enterprises using these products,” said Ann Barron-DiCamillo, CTO of Strategic Cyber Ventures and former director of US-CERT. “There’s a whole movement to create software assurance and teach better coding practices to focus on this underlying problem that continues to get easily exploited by adversaries.”

The report highlighted several other trends including an increase in overall reported vulnerabilities between 2010 and 2015, a shortening the length of time ICS-CERT tickets are resolved, and a drop in the severity of reported vulnerabilities. Researchers interviewed cautioned that the ICS-CERT report’s small sample-size of vulnerabilities makes it is difficult to draw hard conclusions. In 2015, ICS-CERT received 427 vulnerability reports and produced 197 advisories. Vulnerabilities were reported by industrial control systems stakeholders ranging from federal, state, local governments, as well as private sector owners, operators and vendors.

Suggested articles