[ToolsWatch.Org](http://toolswatch.org) November 5, 2015

# ICS/SCADA Top 10 Most Dangerous Software Weaknesses
### by NJ OUCHN

This study is not affiliated with the MITRE Corporation, even though its title resembles that of the **CWE/SANS Top 25 Most Dangerous Software Errors** [1]. It is my own initiative, carried out in the context of validating the statistics of vulnerability databases.

[1] http://cwe.mitre.org/top25/

## Technological progress is like an axe in the hands of a pathological criminal.

_-Albert Einstein_

The methodology followed here is quite different from MITRE's, since it is based on statistical data extracted from vFeed, the Vulnerability and Threat Database [2]. The MITRE methodology leveraged the Common Weakness Scoring System (CWSS) [3] to categorize and assess the weakness scores submitted by over 20 contributing organizations. I have therefore found it useful to focus on the vulnerabilities and weaknesses related to industrial systems, as they are increasingly targeted by new, sophisticated attacks. According to the SANS security experts at the previous RSA conference, attacks on Industrial Control Systems were listed among the top 6 emerging and trending new techniques.

[2] https://github.com/toolswatch/vFeed
[3] http://cwe.mitre.org/cwss

The ICS/SCADA Top 10 Most Dangerous Software Weaknesses list has been compiled on the basis of the following assumptions:

1. The vulnerability database used in this research is vFeed (database build 10032015). It was developed with the main objective of collecting and correlating as much information as possible issued by third-party vendors. The database's accuracy and coverage were thoroughly validated by MITRE.
   vFeed has been awarded three certifications [4]: Common Vulnerability Enumeration (CVE), Common Weakness Enumeration (CWE) and Open Vulnerability Assessment Language (OVAL). The piece of code relied on to collect and analyze this large amount of information is provided in the Appendix.
2. The analyzed vulnerabilities are fundamentally associated with the manufacturers listed by ICS-CERT. This approach seemed rational since ICS-CERT officially coordinates the disclosure of security threats and vulnerabilities regarding Industrial Control Systems [5]. The list of vendors is provided in the Appendix.
3. Numerous vulnerabilities are missing the CWE identifier. As a matter of fact, the National Vulnerability Database (NVD) only supports the CWEs listed at https://nvd.nist.gov/cwe.cfm#cwes [6]. Currently, and in the context of this study, I have identified 147 CVEs related to 469 different products that are missing a CWE. It was fairly simple to identify the adequate missing CWE; nevertheless, doing so is time consuming and not the purpose of this paper. I will later communicate the list to NVD with a proposal for the missing CWEs.
4. Each CPE is treated as unique. Therefore, a vendor whose product has several versions (CPEs) vulnerable to the same CVE is counted as many times. Example: CVE-2012-4690 (CWE-16) hits 4 separate versions of the Micrologix Controller product edited by Rockwell Automation; therefore, CWE-16 is counted 4 times, which is perfectly logical in my opinion.
5. The most vulnerable products are the best known and most widely used by industry. Therefore, when a vendor wins a worldwide reputation, he must acknowledge it.
6. The Excel spreadsheet used for this paper can be obtained freely by email request to [hacker@toolswatch.org](mailto:hacker@toolswatch.org) or via Twitter (@toolswatch).

[4] https://github.com/toolswatch/vFeed/wiki/%5B1%5D-vFeed-Framework-(API-&-Correlated-Vulnerability-Database)
[5] https://ics-cert.us-cert.gov/alerts-by-vendor
[6] https://nvd.nist.gov/

## The ICS/SCADA Top 10 List

| Rank | ID | Title |
|---|---|---|
| 1 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
| 2 | CWE-20 | Improper Input Validation |
| 3 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| 4 | CWE-264 | Permissions, Privileges, and Access Controls |
| 5 | CWE-200 | Information Exposure |
| 6 | CWE-255 | Credentials Management |
| 7 | CWE-287 | Improper Authentication |
| 8 | CWE-399 | Resource Management Errors |
| 9 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| 10 | CWE-189 | Numeric Errors |

#### CWE-119

The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

#### CWE-20

When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.

#### CWE-22

The software uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
#### CWE-264

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

#### CWE-200

An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.

#### CWE-255

Weaknesses in this category are related to the management of credentials.

#### CWE-287

When an actor claims to have a given identity, the software does not prove, or insufficiently proves, that the claim is correct.

#### CWE-399

Weaknesses in this category are related to improper management of system resources.

#### CWE-79

The software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users.

#### CWE-189

Weaknesses in this category are related to improper calculation or conversion of numbers.
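The counting rules from the assumptions above (one hit per affected CPE per CVE, CWEs ranked by their totals, and the per-CWE vendor breakdown used in the next section) can be reproduced with a short script. This is an added example, not code from the paper or from vFeed: apart from the paper's own CVE-2012-4690 / CWE-16 / Rockwell Automation example, every record, vendor name, count and CPE version string below is constructed sample data.

```python
from collections import Counter

# Constructed sample records in the shape the study aggregates: one record
# per (CVE, vendor) with its CWE (None when NVD assigns none, assumption 3)
# and every affected CPE. The CVE-2012-4690 / CWE-16 record mirrors the
# paper's own example (one CVE hitting four product versions); its version
# strings and all other records are made-up sample data.
SAMPLE_RECORDS = [
    {"cve": "CVE-2012-4690", "cwe": "CWE-16", "vendor": "Rockwell Automation",
     "cpes": ["cpe:/a:rockwell:micrologix_controller:ver%d" % i for i in range(1, 5)]},
    {"cve": "CVE-0000-0001", "cwe": "CWE-119", "vendor": "Vendor A",
     "cpes": ["cpe:/a:vendor_a:hmi:1.0", "cpe:/a:vendor_a:hmi:1.1",
              "cpe:/a:vendor_a:hmi:2.0", "cpe:/a:vendor_a:hmi:2.1"]},
    {"cve": "CVE-0000-0002", "cwe": "CWE-119", "vendor": "Vendor B",
     "cpes": ["cpe:/o:vendor_b:plc_firmware:3"]},
    {"cve": "CVE-0000-0003", "cwe": "CWE-20", "vendor": "Vendor A",
     "cpes": ["cpe:/a:vendor_a:hmi:2.0", "cpe:/a:vendor_a:hmi:2.1"]},
    {"cve": "CVE-0000-0004", "cwe": None, "vendor": "Vendor C",
     "cpes": ["cpe:/h:vendor_c:rtu:7"]},
]

def count_cpes_per_cwe(records):
    """Assumption 4: each affected CPE of a CVE counts once, so hmi:2.0,
    hit by two CVEs, is counted under each CWE. Records without a CWE are
    not ranked; their number is returned so the gap stays visible."""
    totals, missing = Counter(), 0
    for rec in records:
        if not rec["cwe"]:
            missing += 1
            continue
        totals[rec["cwe"]] += len(rec["cpes"])
    return totals, missing

def top_cwes(records, n=10):
    """The Top 10 table: CWEs ordered by total CPE count."""
    return count_cpes_per_cwe(records)[0].most_common(n)

def top_vendors_for_cwe(records, cwe, n=5):
    """The 'Top 5 affected Vendors' chart for one CWE."""
    per_vendor = Counter()
    for rec in records:
        if rec["cwe"] == cwe:
            per_vendor[rec["vendor"]] += len(rec["cpes"])
    return per_vendor.most_common(n)

if __name__ == "__main__":
    for rank, (cwe, total) in enumerate(top_cwes(SAMPLE_RECORDS), 1):
        print(rank, cwe, total)  # 1 CWE-119 5 / 2 CWE-16 4 / 3 CWE-20 2
    print("CWE-119 vendors:", top_vendors_for_cwe(SAMPLE_RECORDS, "CWE-119"))
```

Feeding it the real vFeed extraction instead of `SAMPLE_RECORDS` (one record per CVE, vendor and CWE, with the CPE list from the query output) gives the same totals the paper computed in its spreadsheet, with the no-CWE records reported separately rather than silently dropped.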
## Affected Vendors per Category of Weaknesses

#### CWE-119 Top 5 affected Vendors (Total CPE)

- Sielco Sistemi: 153
- Schneider Electric / Invensys: 146
- Siemens: 105
- Triangle MicroWorks: 80
- Rockwell Automation: 78

#### CWE-20 Top 5 affected Vendors (Total CPE)

- Sielco Sistemi: 164
- Triangle MicroWorks: 116
- Siemens: 73
- GE: 56
- MeasureSoft: 45

#### CWE-22 Top 5 affected Vendors (Total CPE)

- Schneider Electric / Invensys: 72
- Sielco Sistemi: 54
- Siemens: 49
- MeasureSoft: 45
- GE: 25

#### CWE-264, CWE-200, CWE-255 and CWE-287 Top 5 affected Vendors (Total CPE)

[Charts: the vendor labels extracted across these four charts are Ecava, GE, Emerson, Schneider Electric / Invensys, Siemens, Innominate, Rockwell Automation, Advantech, MeasureSoft, Cogent Real-Time Systems, Sierra Wireless, Intellicom, Koyo and AzeoTech; the per-chart assignment of vendors and their CPE counts did not survive extraction.]

#### CWE-399, CWE-79 and CWE-189 Top 5 affected Vendors (Total CPE)

[Charts: the vendor labels extracted across these three charts are Control MicroSystems, Rockwell Automation, Microsys, CSWorks, Siemens, Advantech, Emerson, Cogent, Schneider Electric / Invensys, Trihedral, 3S-Software and Sielco Sistemi; the per-chart assignment of vendors and their CPE counts did not survive extraction.]

## Appendix

### List of vendors

- 360 Systems
- 3S-Smart Software Solutions
- 7-Technologies
- ABB
- Accuenergy
- Advantech
- Alstom
- Amtelco
- Arbiter Systems
- ARC Informatique
- Areva
- Automated Solutions
- AzeoTech
- Atvise
- Beckhoff
- Beijer Electronics
- C3-ilex
- Canary Labs, Inc.
- CareFusion
- Carlo Gavazzi
- Catapult Software
- Certec
- Citect
- Clorius Controls
- CG Automation
- Cisco
- Cogent Real-Time Systems Inc
- Cobham
- Cooper Power Systems
- Copa-Data
- Control MicroSystems
- CSWorks
- Digi International
- Digital Electronics
- Ecava
- Elecsys
- Elipse
- Emerson
- Fanuc
- Festo
- Fox-IT
- Fultek
- Galil
- GarrettCom
- GE
- LiveData
- Gesytec
- Honeywell
- I-GEN
- Iconics
- Inductive Automation
- InduSoft
- Innominate
- Intellicom
- IOServer
- Kepware Technologies
- Korenix
- Koyo
- MatrikonOPC
- MeasureSoft
- Meinberg
- Microsys
- Mitsubishi Electric Automation
- Monroe Electronics
- Morpho
- Moxa
- National Instruments
- NETxAutomation
- Nordex
- NovaTech
- Ocean Data
- OleumTech
- Omron
- Open Automation Software
- Optimalog
- ORing
- OSIsoft
- Philips
- Phoenix Contact Software
- Post Oak Traffic Systems
- Progea
- ProSoft Technology
- QNX
- RealFlex Technologies
- Rockwell Automation
- RuggedCom
- SafeNet
- Samsung
- SCADA Engine
- ScadaTEC
- Schneider Electric
- Schweitzer Engineering Laboratories
- Sensys Networks
- Sielco Sistemi
- Siemens
- Sierra Wireless
- Sinapsi
- Sixnet
- Sisco
- Software Toolbox
- SpecView
- Subnet Solutions Inc.
- Sunway
- Takebishi Electric
- Triangle MicroWorks
- Tridium
- Trihedral Engineering Ltd
- Tropos
- Turck
- Unitronics
- Wago
- WellinTech
- Wind River Systems
- xArrow
- Xzeres
- Yokogawa

### Code used to extract data

```python
#!/usr/bin/env python
# Reads vendors.txt (one line per vendor: "vendor;cpe1,cpe2,...") and queries
# vFeed for every CPE, also trying the OS (cpe:/o:) and hardware (cpe:/h:)
# variants of each application (cpe:/a:) CPE. Search prints its results.
from lib.core.search import Search  # vFeed search API


def check_app(product_app):
    try:
        Search(product_app)
    except Exception:
        # a CPE with no vFeed entry is simply skipped
        return


def check_os(product_os):
    try:
        Search(product_os)
    except Exception:
        return


def check_hw(product_hw):
    try:
        Search(product_hw)
    except Exception:
        return


def main():
    print('=================================================================')
    print("ICS/SCADA Top 10 Most Dangerous Software Errors ")
    print('=================================================================')
    with open('vendors.txt', "r") as vendor_list:
        for line in vendor_list:
            line = line.strip().split(";")
            if len(line) < 2:
                continue  # blank or malformed line
            # print("vendor:", line[0])
            products = line[1].strip().split(",")
            for product in products:
                product_app = product
                check_app(product_app)
                product_os = product.replace("cpe:/a:", "cpe:/o:")
                check_os(product_os)
                product_hw = product.replace("cpe:/a:", "cpe:/h:")
                check_hw(product_hw)


if __name__ == '__main__':
    main()
```