As in previous years, INCIBE-CERT continued to operate its cybersecurity early warning and advisory services.
Specifically, the ICS Advisories section collects all advisories for industrial control systems, a dedicated service that began two years ago.
Besides being published on the website and social network accounts, this information can also be received through a newsletter covering all vulnerabilities that affect devices, software and other products of industrial manufacturers.
In addition to this daily publication of early warnings and advisories for industrial control systems, INCIBE, through INCIBE-CERT, has continued to promote industrial control system cybersecurity by publishing specific content on the blog and in various guides and studies.
The advisories published in 2017 reflect the main vulnerabilities affecting the industrial sector. The results of the work carried out throughout 2017 are as follows:
-Number of advisories issued each month-
199 vulnerability advisories were published in relation to the industrial sector, up from 146 in 2016, covering devices, applications and communication elements in these environments.
Although it is commonly assumed that activity at industrial companies and manufacturers drops in summer, and that fewer advisories are therefore published during the holiday period, this year July was the month with the most activity, closely followed by May. The second half of the year also included several months with many security advisories, making it the busiest half-year in terms of advisories published.
Regarding the sectors involved, the advisories published concerned almost all of the strategic sectors defined in the Act on Critical Infrastructure Protection (Law 8/2011), as shown in the following chart:
-Evolution of advisories by sector. The energy sector, just as in previous years, was the most affected sector-
Most of the advisories published affect multi-purpose devices that are used in several sectors, which means that a single advisory can affect several areas at once. As a result, products (devices and applications) in the "Other Industry" category are the most frequently affected, with advisories practically every month.
As explained in the overviews of previous years, these figures do not mean that the level of security in this sector, or in other heavily affected sectors such as Energy, is lower. They are a consequence of these being large sectors that encompass many different processes, with millions of devices deployed, and of their higher degree of technological development.
Nature of the Advisories
The following chart shows the evolution of the data between 2016 (left) and 2017 (right). Data have been collected in the same way as in previous years (so a single advisory may include information on more than one vulnerability).
-Nature of Vulnerabilities. It must be taken into account that a single advisory may be related to several vulnerabilities-
Information disclosure vulnerabilities are once again the most prevalent, but there has been a notable increase in advisories caused by code execution and denial of service vulnerabilities, which rose to second and third place in 2017 from lower positions in 2016, while privilege escalation vulnerabilities fell considerably. Advisories related to file inclusion also increased, doubling their rate compared to the previous year.
Judging by the vulnerability types with the largest increases, it is clear that in 2017 researchers focused on code execution in the devices and applications that make up control systems, looking for weaknesses in their security controls and memory management.
File inclusion has also become an important research focus for those seeking to ensure the integrity of the code that runs on devices, since many of these vulnerabilities involved replacing a system .dll with a malicious one in order to achieve uncontrolled code execution.
As in previous years, many advisories referred to remotely exploitable vulnerabilities. It is therefore once again necessary to raise awareness among companies about network segmentation, so that they protect their network perimeters and place their network devices behind firewalls and/or in isolated networks whenever possible.
The list of manufacturers most frequently named in advisories has changed slightly compared to the previous year. The market leaders in industrial control system products are still the most exposed and, therefore, the ones with the highest number of advisories.
The order of the top two positions has changed, with Schneider Electric now ahead of Siemens, while Rockwell remains among the top positions. The case of MOXA is also worth mentioning: although it only drops from third to fifth place, it has considerably reduced its number of security advisories, from 15 to 6.
-Number of advisories issued by manufacturer-
The classification by criticality in 2017 is similar to that shown in the 2016 overview, with the majority of advisories rated high or critical and low-criticality advisories having disappeared. This is a further reminder that the protection of control systems must be reinforced, since the vulnerabilities reported may cause major disruptions for the company as well as serious consequences for the production process.
Evolution in 2018
Although forecasting the future is always difficult, we attempted it in previous overviews and, as we were not entirely wrong, we try again for 2018. Among other things, we anticipated for 2017 that the number of advisories would continue to increase, which it has; that the manufacturers involved would not change much; and that the large manufacturers would remain at the top of the list. Regarding sectors, we said that all of them would need to improve in order to match the efforts of the Energy sector and achieve more even figures across sectors, which is happening, although it should progress further.
For 2018, experience and intuition suggest that everything should follow a similar trend. The publication of advisories may continue to grow, but only slightly; the distribution of criticalities will remain similar, maintaining the percentage reduction in the most critical advisories, since the efforts being made by manufacturers will continue to be noticed.
Regarding manufacturers, the same trend will continue, although we still hope that other major manufacturers such as ABB and GE will make greater efforts to publish more information about their problems and solutions.