### CONTENTS

**+** Introduction
**+** Abbreviations used
**+** Vulnerabilities in ICS components
**+** Internet accessibility of ICS components
**+** Conclusion

### INTRODUCTION

Manufacturing facilities and critical infrastructure, such as energy and transportation, have fallen victim to more and more cyberattacks in recent years. A USD 300 million loss by shipping giant Maersk,[1] interruptions in production at Renault and Nissan plants,[2] and a ransomware attack on the San Francisco public transit system[3] are only a few recent examples that have made headlines.

Securing industrial control systems (ICS) is a critical factor in ensuring the overall information security of critical facilities and infrastructure. Many efforts have been made to promote ICS security: governments are developing regulatory frameworks, computer emergency response teams (CERTs) are issuing bulletins, and ICS vendors are gaining awareness that vulnerabilities in their products can cause loss of lucrative contracts[4] and even lives.
Despite these efforts—and in the face of mounting incident costs and concern—security at most industrial facilities has shown minimal improvement since the Stuxnet attacks of 2010, as illustrated in this report. The problem is worsened by the tendency to connect ICS equipment to the Internet, which is likely to intensify with the advent of the Fourth Industrial Revolution. Such connections set the stage for attacks by hackers from anywhere in the world, even without direct physical access to target equipment.

Nowadays, almost any advanced Internet user can look up the IP addresses of network equipment used on ICS networks (such as switches, interface converters, and gateways) with the help of publicly available search engines. When this equipment is hacked, building systems and operations are at high risk. In 2017, we found that vulnerabilities in such equipment are becoming an increasingly common occurrence.[5]

This report, our fourth on the subject, describes findings by Positive Technologies regarding vulnerabilities in ICS components and their prevalence on Internet-connected systems, and how this situation has evolved over recent years.
### ABBREVIATIONS USED

**DCS**—distributed control system
**HMI**—human–machine interface
**ICS**—industrial control system
**LAN**—local area network
**PLC**—programmable logic controller
**RAP**—remote access point
**RTU**—remote terminal unit
**SCADA**—supervisory control and data acquisition

[1] [bloomberg.com/news/articles/2017-08-16/maersk-misses-estimates-as-cyberattack-set-to-hurt-third-quarter](https://www.bloomberg.com/news/articles/2017-08-16/maersk-misses-estimates-as-cyberattack-set-to-hurt-third-quarter)
[2] [businessinsider.com/renault-nissan-production-halt-wannacry-ransomeware-attack-2017-5](http://www.businessinsider.com/renault-nissan-production-halt-wannacry-ransomeware-attack-2017-5)
[3] [theguardian.com/technology/2016/nov/28/passengers-free-ride-san-francisco-muni-ransomeware](https://www.theguardian.com/technology/2016/nov/28/passengers-free-ride-san-francisco-muni-ransomeware)
[4] In December 2017, oil transporter Transneft announced that it would cease use of Schneider Electric equipment due to multiple vulnerabilities jeopardizing the company's cybersecurity.
[5] Examples of attacks leveraging network equipment will be described in a separate report, to be released at a later date on [ptsecurity.com](http://www.ptsecurity.com).

### VULNERABILITIES IN ICS COMPONENTS

#### Research methodology

Information was drawn from publicly available sources, such as vulnerability knowledge bases, vendor advisories, exploit databases and packs, research papers, and posts on security websites and blogs.[6] The following vulnerability knowledge bases were used:

**+** [ICS-CERT (ics-cert.us-cert.gov)](http://ics-cert.us-cert.gov)
**+** [NVD (nvd.nist.gov)](http://nvd.nist.gov), [CVE (cve.mitre.org)](http://cve.mitre.org)
**+** [Positive Research Center (securitylab.ru/lab)](http://securitylab.ru/lab)
**+** Schneider Electric Cybersecurity Support Portal[7]
**+** [Siemens Product CERT (siemens.com/cert)](http://siemens.com/cert)

The severity of vulnerabilities in ICS components was assessed based on the Common Vulnerability Scoring System (CVSS) version 3 ([first.org/cvss](http://first.org/cvss)). Our assessment of disclosed vulnerabilities did not attempt to cover every single vendor of industrial automation equipment, instead focusing on larger and more prominent companies.

#### Trends

The number of new vulnerabilities disclosed in 2017 increased compared to the prior year. As of publication of this report, information about 197 vulnerabilities of major manufacturers had been published. However, this number could still increase due to responsible disclosure policies, since vulnerabilities often are not published until after they have been fixed. For example, 30 vulnerabilities in Moxa equipment were detected in 2016 but disclosed only in 2017.

| Year | New vulnerabilities |
|---|---|
| 2013 | 158 |
| 2014 | 181 |
| 2015 | 212 |
| 2016 | 115 |
| 2017 | 197 |

Number of new vulnerabilities found in ICS components

#### Vulnerabilities by vendor

The top spots saw a reversal of positions. The previous leader, Siemens, yielded first place to Schneider Electric, whose 47 component vulnerabilities disclosed in 2017 exceeded the company's total for 2016 (5) by almost ten times. Also notable is the increased number of security flaws in Moxa industrial network equipment, with twice as many (36) as in the previous year (18).

[6] [digitalbond.com](http://digitalbond.com), scadahacker.com, immunityinc.com/products/canvas, exploit-db.com, rapid7.com/db
[7] [schneider-electric.com/b2b/en/support/cybersecurity/report-an-incident.jsp](http://schneider-electric.com/b2b/en/support/cybersecurity/report-an-incident.jsp)

| Vendor | Vulnerabilities disclosed in 2017 |
|---|---|
| Schneider Electric | 47 |
| Moxa | 36 |
| Siemens | 32 |
| Advantech | 17 |
| SMA | 14 |
| Rockwell Automation | 11 |
| Honeywell | 8 |
| Phoenix Contact | 4 |
| Hirschmann (Belden) | 4 |
| ABB | 4 |
| SpiderControl | 3 |
| Westermo | 3 |
| Other | 14 |

Number of vulnerabilities disclosed in 2017 by major ICS vendors

#### Vulnerabilities by component type

The core trend we see is the growing number of new vulnerabilities in industrial network equipment.
Security flaws were detected in Moxa (36), Hirschmann (4), and Phoenix Contact (4) products. While the number of vulnerabilities in network equipment disclosed in 2016 was a third less than in SCADA/HMI/DCS devices,[8] the subsequent 12 months narrowed that gap.

Localization of new vulnerabilities in ICS components (pie chart; categories: SCADA/HMI/DCS, Network equipment, Software, PLC/RAP, Other; shares shown: 31%, 28%, 19%, 14%, 8%)

[8] ICS components for supervision and monitoring

The most common types of vulnerabilities were Information Disclosure, Remote Code Execution, and Buffer Overflow. In 2016, the first two also topped the list, and the third one was Denial of Service.

Types of vulnerabilities in ICS components (pie chart; categories: Remote Code Execution, Information Disclosure, Buffer Overflow, Protection Bypass, Denial of Service, Cross-Site Request Forgery, Cross-Site Scripting, SQL Injection, Path Traversal, Privilege Escalation, Other; shares shown: 24%, 17%, 12%, 10%, 9%, 8%, 6%, 5%, 4%, 3%, 2%)

According to CVSS v3 metrics, the situation remained almost unchanged as compared with 2016. Most vulnerabilities detected in 2017 can be exploited remotely without needing to obtain any privileges in advance.
| Metric | Value | Share |
|---|---|---|
| Attack Vector | Network | 79.2% |
| | Adjacent | 4.6% |
| | Local | 15.7% |
| | Physical | 0.5% |
| Attack Complexity | Low | 80.7% |
| | High | 19.3% |
| Privileges Required | None | 77.7% |
| | Low | 16.2% |
| | High | 6.1% |
| User Interaction | None | 77.7% |
| | Required | 22.3% |
| Scope | Unchanged | 85.8% |
| | Changed | 14.2% |
| Confidentiality | High | 56.8% |
| | Low | 23.9% |
| | None | 19.3% |
| Integrity | High | 44.7% |
| | Low | 18.8% |
| | None | 36.5% |
| Availability | High | 48.7% |
| | Low | 16.8% |
| | None | 34.5% |

CVSS scores of vulnerabilities

#### Severity of new vulnerabilities

More than half of the newly reported vulnerabilities are of critical and high severity, based on CVSSv3 scoring. The share of critical vulnerabilities increased by 3% compared with 2016.

Vulnerabilities by severity level (pie chart; categories: Critical, High, Medium, Low; shares shown: 41%, 34%, 20%, 5%)

### INTERNET ACCESSIBILITY OF ICS COMPONENTS

#### Research methodology

To collect information on the online accessibility of ICS components, Positive Technologies used passive methods only. To obtain the research materials, we scanned ports of Internet-accessible components using publicly accessible search engines: Google, [Shodan (shodan.io)](http://shodan.io), and [Censys (censys.io)](http://censys.io).

Passive techniques for gathering data about the Internet accessibility of ICS components have several limitations:

**+** Shodan scans a limited number of ports and performs scanning of the Internet from specific IP addresses, which are blacklisted by some firewall vendors and administrators. Therefore, data from Google and Censys was used to expand the scope of assessment.
**+** In many cases, it was not possible to determine product versions, because the necessary information was not given in the banners returned by host servers.

This data was then specially analyzed to identify which results corresponded to ICS equipment. Our experts created a database of ICS identifiers for determining product and vendor based on a device's banner.

#### Prevalence

The research revealed 175,632 ICS components accessible online. Looking at the protocols used by the detected ICS components, the most common protocol was HTTP, which is consistent with recent years. The Fox protocol was also very popular: it is used in Niagara Framework products and most commonly seen in automation systems for buildings, facilities, and data centers. These systems control air conditioning, power supply, telecommunications, alarms, lighting, security cameras, and other important building systems. Such automation systems often contain vulnerabilities[9] and have already been attacked in the wild.[10]

| Protocol | Components |
|---|---|
| HTTP | 66,587 |
| FOX | 39,168 |
| Ethernet/IP | 25,631 |
| BACnet | 13,717 |
| Lantronix Discovery Protocol | 9,937 |
| SNMP | 6,668 |
| CODESYS | 1,953 |
| Modbus | 1,910 |
| FTP | 1,643 |
| FINS | 1,098 |
| RedLion | 976 |
| Telnet | 897 |
| PCWorx | 752 |
| IEC 60870-5-104 | 410 |
| S7 Communication | 337 |
| DNP3 | 320 |
| Other | 401 |

Number of Internet-accessible ICS components, by protocol

[9] [ics-cert.us-cert.gov/advisories/ICSA-12-228-01A](http://ics-cert.us-cert.gov/advisories/ICSA-12-228-01A)
[10] [info.publicintelligence.net/FBI-AntisecICS.pdf](http://info.publicintelligence.net/FBI-AntisecICS.pdf)

#### Changes in Russia

In 2017, Russia jumped up three positions to number 28 in the list of countries.
The number of detected ICS components grew from 591 in 2016 to 892 in 2017. These changes suggest a growing danger caused by an increasing number of Internet-accessible ICS components located in Russia.

#### Geographic distribution

The U.S. has held the top spot for some years now, increasing its commanding lead of Internet-accessible components by 10% in the last year to around 42% of the total. Germany took second place (6%), the same as in the previous year. Rounding out the top three is France (5%); China fell from third to sixth place.

| Country | Components |
|---|---|
| United States | 64,287 |
| Germany | 13,242 |
| France | 7,759 |
| Canada | 7,371 |
| Italy | 5,858 |
| China | 4,285 |
| United Kingdom | 4,240 |
| Spain | 4,112 |
| Netherlands | 3,508 |
| Czech Republic | 2,851 |
| Australia | 2,705 |
| Belgium | 2,494 |
| South Korea | 2,483 |
| Norway | 2,314 |
| Sweden | 2,118 |
| Brazil | 1,990 |
| Hong Kong | 1,938 |
| Other | 42,077 |

Number of Internet-accessible ICS components, by country

#### Statistics: vendors and products

First place is occupied by Honeywell, the owner of Tridium and Niagara Framework. Some Niagara products retain their old brand, which is why Tridium is listed separately from Honeywell in this report. The second most popular vendor is Lantronix. This California-based company manufactures devices designed to provide remote access to equipment via the Internet.
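The banner-matching step described in the research methodology above (a database of ICS identifiers used to attribute a vendor and product to a device's banner) and the per-vendor, per-product and per-protocol counts reported in this section can be illustrated with a small classifier over one's own scan results. The Python that follows is an added example, not Positive Technologies' tool or database: the identifier rules, the scan records and the banner strings are constructed for the demonstration, and the regular expressions are hypothetical rather than verified fingerprints of real products. It also records how many matches carry no version string, since the methodology notes that banners frequently omit it.

```python
"""Banner-based attribution of ICS components to vendor and product.

Added example, not Positive Technologies' identifier database. IDENTIFIERS
is a hypothetical rule set and SCAN_RECORDS are constructed banners on
documentation addresses (192.0.2.0/24); neither is real scan data.
"""
import re
from collections import Counter

# Hypothetical identifier database: (vendor, product, regex on the banner).
# A production database would be far larger and validated against known devices.
IDENTIFIERS = [
    ("Honeywell", "Niagara Framework", re.compile(r"\bNiagara\b", re.I)),
    ("Lantronix", "Lantronix Serial Converter", re.compile(r"\bLantronix\b", re.I)),
    ("SMA", "Sunny WebBox", re.compile(r"Sunny\s*WebBox", re.I)),
    ("Beck IPC", "IPC@CHIP", re.compile(r"IPC@CHIP", re.I)),
    ("Moxa", "Moxa NPort", re.compile(r"\bMoxa\b.*\bNPort\b", re.I)),
]
# Dotted version numbers only; a bare model number such as "5150" is not a version.
VERSION_RE = re.compile(r"\b(?:v(?:ersion)?\s*)?(\d+\.\d+(?:\.\d+)*)\b", re.I)


def identify(banner):
    """Return (vendor, product, version or None), or None if the banner is unrecognised."""
    for vendor, product, pattern in IDENTIFIERS:
        if pattern.search(banner):
            m = VERSION_RE.search(banner)
            return vendor, product, (m.group(1) if m else None)
    return None


def summarize(records):
    """Aggregate scan records into vendor / product / protocol counts.

    Unrecognised banners are counted as 'Other' by vendor only. Matches whose
    banner carries no version are tallied in 'missing_version', the limitation
    the report's methodology describes."""
    by_vendor, by_product, by_protocol = Counter(), Counter(), Counter()
    missing_version = 0
    for rec in records:
        hit = identify(rec["banner"])
        if hit is None:
            by_vendor["Other"] += 1
            continue
        vendor, product, version = hit
        by_vendor[vendor] += 1
        by_product[product] += 1
        by_protocol[rec["protocol"]] += 1
        if version is None:
            missing_version += 1
    return {"vendor": by_vendor, "product": by_product,
            "protocol": by_protocol, "missing_version": missing_version}


# Constructed records: the banner text is made up for this example.
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "protocol": "HTTP", "banner": "Server: Niagara Web Server/3.8.38"},
    {"ip": "192.0.2.11", "protocol": "FOX", "banner": "Niagara Fox station hello (constructed banner)"},
    {"ip": "192.0.2.12", "protocol": "Telnet", "banner": "Lantronix UDS1100 (constructed) Version 6.8"},
    {"ip": "192.0.2.13", "protocol": "HTTP", "banner": "Server: Sunny WebBox"},
    {"ip": "192.0.2.14", "protocol": "HTTP", "banner": "Server: IPC@CHIP"},
    {"ip": "192.0.2.15", "protocol": "HTTP", "banner": "Moxa NPort 5150 web console"},
    {"ip": "192.0.2.16", "protocol": "HTTP", "banner": "Server: Apache/2.4.29"},
]

if __name__ == "__main__":
    result = summarize(SCAN_RECORDS)
    for key in ("vendor", "product", "protocol"):
        print(key, dict(result[key]))
    print("matches without a version:", result["missing_version"])
```

Run against an organisation's own external address space, the `missing_version` count is the useful defensive signal: it is the set of exposed devices whose patch level cannot be confirmed remotely and therefore needs an on-site check.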
| Vendor | Components |
|---|---|
| Honeywell | 26,813 |
| Lantronix | 12,120 |
| SMA | 9,399 |
| Beck IPC | 9,362 |
| Siemens | 6,069 |
| Rockwell Automation | 5,594 |
| Moxa | 4,759 |
| Schneider Electric | 4,232 |
| Tridium | 2,672 |
| Echelon | 2,437 |
| 3S-Smart Software Solutions | 2,156 |
| Westermo | 1,850 |
| Bosch | 1,672 |
| Sofrel Lacroix | 1,619 |
| WAGO | 1,267 |
| SoftPLC | 1,160 |
| SpiderControl | 1,121 |

Number of Internet-accessible ICS components, by vendor

According to recent research,[11] several thousand Lantronix interface converters are accessible on the Internet. Almost half of these devices expose passwords that could be used to connect via Telnet. Our research confirms this fact: we detected 12,120 accessible Lantronix devices in total, a number of which were vulnerable.

Despite their auxiliary role, these devices can pose a significant hazard to operations when connected to the Internet. Interface converters connect ICS components to each other, so any malfunction or failure on their part can cause loss of remote control and management. For example, during a cyberattack on the Ukrainian energy grid,[12] the attackers remotely disrupted the functioning of Moxa converters. As a result, utility operators could no longer connect to field devices at substations or remotely control substation switches.

As in prior years, Niagara Framework is the software most commonly found on Internet-accessible equipment. Apart from Lantronix interface converters, which hold second place, Moxa converters are also close to the top.
[11] [bleepingcomputer.com/news/security/thousands-of-serial-to-ethernet-devices-leak-telnet-passwords/](https://www.bleepingcomputer.com/news/security/thousands-of-serial-to-ethernet-devices-leak-telnet-passwords/)
[12] [boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf](http://boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf)

| Product | Components |
|---|---|
| Niagara Framework | 24,858 |
| Lantronix Serial Converter | 9,937 |
| Sunny WebBox | 9,399 |
| IPC@CHIP | 9,362 |
| Allen-Bradley Device | 4,906 |
| Moxa Nport | 4,589 |
| Siemens Building Technologies HMI Panel | 4,310 |
| i.LON SmartServer | 2,220 |
| 3S-Smart Software Solutions Device | 1,953 |
| Bosch Security Systems | 1,672 |
| Westermo MRD-310 | 1,647 |
| Sofrel S500 | 1,619 |
| WebRTU | 1,383 |
| Niagara Web | 1,372 |
| Niagara AX station | 1,300 |

Internet-accessible ICS components, by product

#### Types of ICS components

The distribution of Internet-accessible components by type remained almost the same. The only difference from 2016 is a significant increase in the share of network equipment.

| Type of ICS component | Share in 2017 | Share in 2016 |
|---|---|---|
| SCADA/DCS/HMI and/or PLC/RAP (RTU)[13] | 14.2% | 13.6% |
| PLC/RAP (RTU) | 13.2% | 12.9% |
| Network equipment | 12.9% | 5.1% |
| SCADA/DCS/HMI | 7.1% | 7.8% |
| Electrical measuring equipment | 6.3% | 5.2% |
| Other | 46.5% | 55.5% |

Share of ICS components accessible on the Internet, by type

[13] This type includes components that can be classified under multiple types, such as Niagara Framework multifunction products.
### CONCLUSION

The 2017 data shows an increasing number of vulnerabilities publicly acknowledged by major ICS vendors. More than half of the detected vulnerabilities are of critical or high severity. The number of Internet-accessible ICS components is growing. The majority of them were detected in the countries with the highest levels of industrial automation (U.S., Germany, France, Canada, Italy, and China).

An increase in the number of known vulnerabilities and Internet-accessible ICS components allows attackers to conduct a wider range of attacks, which can cause very tangible impacts. Responding to sophisticated attacks on ICS components requires large amounts of preparation and planning. Before the first line of code is ever written, ICS developers must design the security mechanisms necessary to protect ICS components from attacks. To identify potential attack vectors and develop an effective protection system, companies should perform regular ICS security audits and deploy industrial cybersecurity incident management solutions.

As always, observing the following basic security guidelines goes a long way toward ensuring protection:

**+** Segregate ICS operational networks from the enterprise LAN and external networks.
**+** Limit physical access to ICS networks and components.
**+** Enforce a strict password policy.
**+** Properly configure network equipment and firewall filtering rules.
**+** Protect privileged accounts.
**+** Minimize privileges of users and services.
**+** Use antivirus software.
**+** Regularly install updates to operating systems and applications.
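The first and fourth guidelines (segregating the operational network and configuring firewall filtering rules properly) can be checked mechanically against a rule set. The Python that follows is an added example, not from the report: it audits a firewall policy written in a simplified rule format assumed for this demonstration, flagging any permit rule that lets a source outside the trusted engineering subnet reach a well-known ICS protocol port on the operational network. The subnets, the zone names and both rule sets are constructed; the weak rule set is shown beside a hardened one. Rule evaluation order is not modelled, so every exposing permit rule is reported regardless of later deny rules.

```python
"""Audit firewall rules for ICS protocol exposure to untrusted networks.

Added example, not from the Positive Technologies report. The rule format,
the trusted/OT subnets and both rule sets are constructed for illustration.
"""
import ipaddress

# Well-known listening ports of ICS protocols named in the report.
ICS_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 102): "S7 Communication (ISO-TSAP)",
    ("tcp", 44818): "EtherNet/IP",
    ("udp", 47808): "BACnet/IP",
    ("tcp", 1911): "Niagara Fox",
    ("tcp", 20000): "DNP3",
    ("tcp", 2404): "IEC 60870-5-104",
    ("tcp", 9600): "FINS",
}

# Constructed topology: engineering workstations may reach the OT network; nothing else may.
TRUSTED_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]
OT_NETWORK = ipaddress.ip_network("10.20.0.0/24")


def is_trusted(src):
    """True if the rule's source CIDR lies entirely inside a trusted subnet."""
    net = ipaddress.ip_network(src, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_SOURCES)


def audit(rules):
    """Return (rule index, protocol name, reason) for each permit rule that
    exposes an ICS protocol port on the OT network to an untrusted source."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        dst = ipaddress.ip_network(r["dst"], strict=False)
        if dst.version != OT_NETWORK.version or not dst.overlaps(OT_NETWORK):
            continue
        if is_trusted(r["src"]):
            continue
        if r["dport"] == "any":
            findings.append((i, "any", "all ports open from %s into the OT network" % r["src"]))
            continue
        protos = ("tcp", "udp") if r["proto"] == "any" else (r["proto"],)
        for proto in protos:
            name = ICS_PORTS.get((proto, int(r["dport"])))
            if name:
                findings.append((i, name, "%s reachable from %s" % (name, r["src"])))
    return findings


# Weak policy (constructed): Modbus and Fox open to the whole Internet, plus a
# blanket permit from a third-party range. Only the S7 rule is scoped correctly.
WEAK_RULES = [
    {"action": "allow", "src": "0.0.0.0/0", "dst": "10.20.0.0/24", "proto": "tcp", "dport": 502},
    {"action": "allow", "src": "0.0.0.0/0", "dst": "10.20.0.5/32", "proto": "tcp", "dport": 1911},
    {"action": "allow", "src": "10.10.0.0/24", "dst": "10.20.0.0/24", "proto": "tcp", "dport": 102},
    {"action": "allow", "src": "192.0.2.0/24", "dst": "10.20.0.0/24", "proto": "any", "dport": "any"},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "10.20.0.0/24", "proto": "any", "dport": "any"},
]

# Hardened policy (constructed): ICS protocols only from the engineering subnet,
# everything else denied.
HARDENED_RULES = [
    {"action": "allow", "src": "10.10.0.0/24", "dst": "10.20.0.0/24", "proto": "tcp", "dport": 502},
    {"action": "allow", "src": "10.10.0.0/24", "dst": "10.20.0.0/24", "proto": "tcp", "dport": 102},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "10.20.0.0/24", "proto": "any", "dport": "any"},
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, "policy:", audit(rules) or "no ICS exposure found")
```

The check is deliberately conservative: a permit that merely overlaps the OT network, or that uses `any` for protocol or port, is reported, because in practice such rules are how "temporary" vendor remote-access exceptions become permanent Internet exposure of the kind the report counts.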
### About Positive Technologies

Positive Technologies is a leading global provider of enterprise security solutions for vulnerability and compliance management, incident and threat analysis, and application protection. Commitment to clients and research has earned Positive Technologies a reputation as one of the foremost authorities on Industrial Control System, Banking, Telecom, Web Application, and ERP security, supported by recognition from the analyst community. Learn more about Positive Technologies at ptsecurity.com.

© 2018 Positive Technologies. Positive Technologies and the Positive Technologies logo are trademarks or registered trademarks of Positive Technologies. All other trademarks mentioned herein are the property of their respective owners.

[info@ptsecurity.com](mailto:info@ptsecurity.com) [ptsecurity.com](http://www.ptsecurity.com)