Common Cybersecurity Vulnerabilities in Industrial Control Systems

May 2011

DISCLAIMER

This report was prepared as an account of work sponsored by an agency of the U.S. Government. Neither the U.S. Government nor any agency thereof, nor any employee, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party’s use, or the results of such use, or any information, apparatus, product, or process disclosed in this publication, or represents that its use by such third party would not infringe privately owned rights.

ACKNOWLEDGMENTS

Trent Nelson, Project Manager, Idaho National Laboratory; May Chaffin, Cyber Researcher, Idaho National Laboratory


EXECUTIVE SUMMARY

The U.S. Department of Homeland Security (DHS) National Cyber Security Division’s Control Systems Security Program (CSSP) performs cybersecurity vendor assessments, ICS-CERT operations, and asset owner cybersecurity evaluations with the Cyber Security Evaluation Tool (CSET) for industrial control systems (ICS) to reduce risk and improve the security of ICS and its components used in critical infrastructures throughout the United States. ICS differs from other computer systems because of legacy-inherited cybersecurity weaknesses and the significance of the impact of potential exploitation to the U.S.

In 2009, a report titled “Common Cyber Security Vulnerabilities Observed in DHS Industrial Control Systems Assessments” compiled common vulnerabilities identified during 15 security assessments of new ICS products and production ICS installations from 2004 through 2008. Three additional ICS product assessments were performed in 2009 and 2010. This newer, 2010 version is an update to the 2009 version and has been developed to proactively create greater awareness within the ICS community. Correlated and compiled in this report are vulnerabilities from general knowledge gained from DHS CSSP assessments and Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) activities describing the most common types of cybersecurity vulnerabilities as they relate to ICS.
This information is derived from DHS CSSP experiences of the following types:
- Assessments of ICS products
- Published products derived from ICS-CERT operations, including ICS-CERT incident response
- Self-assessments of asset-owner facilities using the Cyber Security Evaluation Tool (CSET).

Cybersecurity vulnerability and mitigation information from authoritative sources is referenced to guide those responsible for securing ICS used in critical infrastructures throughout the United States.

The highest percentage of vulnerabilities identified in ICS product assessments continues to be improper input validation by ICS code. Poor access controls—credentials management and security configuration—were the second most common security weakness identified in new ICS software in 2009–2010. Authentication weaknesses follow in third place. However, vulnerabilities reported from the previous CSSP ICS product assessments include more patch management problems than the more recent findings.

ICS-CERT alerts match 2009–2010 CSSP assessment findings, with most of the published ICS vulnerabilities due to improper input validation, but have a much higher percentage of password weaknesses. See Figure EX-1.

Figure EX-1. Comparison of ICS software security weaknesses.

Production system assessments were performed using the CSET policy-based self-assessment tool in 2009–2010. Individual site vulnerabilities were not recorded from these assessments, but summary reports indicate that the lack of formal documentation is the most common gap identified. ICS-CERT incident response participants have observed an overall lack of defense-in-depth at ICS installations. Prior CSSP site assessments found that the most common configuration problem was credentials management (i.e., weak passwords and insufficiently protected credentials), followed by weak or non-existent firewall rules and network design weaknesses. Table EX-1 ranks the security problem areas identified at production ICS sites.

Table EX-1. Most common weaknesses identified on installed ICS.

The identified common vulnerabilities from the CSSP assessments are shared here to increase security awareness and mitigation. ICS vendors and owners can learn and apply many common computer-security concepts and practices to secure and protect their systems. Security should be designed and implemented by qualified security and ICS experts who can verify that the solutions are effective and can make sure that the solutions do not impair the system’s reliability and timing requirements. Given the nature of the vulnerabilities found in ICS, asset owners cannot always directly fix them. Thus, as asset owners wait for vendor patches and fixes, the design and implementation of defense-in-depth[a] security strategies that aid in protecting the ICS from attack is part of an effective, proactive security program. Such a program is a necessity because attack strategies are constantly evolving to compensate for increasing defense mechanisms.

To encourage a proactive program, vendors should offer or support security products and features that can be used as layers of defense to help protect ICS installations. Owners should add the additional network perimeter layers of defense and actively update and monitor the system. Increasing the hurdles required to attack a system decreases the chance that attackers will be able to subvert all hurdles and increases the chance that the attackers will give up before accomplishing their goals. Designing security into the system and using secure coding and best practices regarding security can also minimize damage from attacks by insiders, social engineers, or anyone else with access behind the ICS network perimeter.

ICS product vendors are responsible for delivering systems that are able to survive attack without compromising critical functionality. ICS owners must ensure that the physical systems they operate do not put lives, the economy, or the environment at risk by the owners’ failing to perform due diligence in procuring, configuring, securing, and protecting the ICS for critical infrastructure. In support of this goal, Table EX-2 presents recommendations for establishing the best possible defense against evolving attack strategies.

Table EX-2. Vendor Mitigations.

a. Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies, http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf


CONTENTS

ACKNOWLEDGMENTS
EXECUTIVE SUMMARY
1. INTRODUCTION
2. VULNERABILITY INFORMATION SOURCES
  2.1 CSSP ICS Security Assessments
    2.1.1 Common CSSP ICS Cybersecurity Assessment Vulnerabilities
  2.2 ICS-CERT Products
    2.2.1 Common ICS-CERT Vulnerability Announcements
  2.3 CSET Self-Assessment Tool
  2.4 Compilation of ICS Vulnerability Information
3. UNDERSTANDING COMMON ICS VULNERABILITIES
  3.1 Common ICS Software/Product Security Weaknesses
    3.1.1 Improper Input Validation
    3.1.2 Poor Code Quality
    3.1.3 Permissions, Privileges, and Access Controls
    3.1.4 Improper Authentication
    3.1.5 Insufficient Verification of Data Authenticity
    3.1.6 Cryptographic Issues
    3.1.7 Credentials Management
    3.1.8 ICS Software Security Configuration and Maintenance (Development)
    3.1.9 Summary of Common ICS Software Vulnerabilities
  3.2 Common ICS Configuration Weaknesses
    3.2.1 Permissions, Privileges, and Access Controls
    3.2.2 Improper Authentication
    3.2.3 Credentials Management
    3.2.4 ICS Security Configuration and Maintenance
    3.2.5 Planning/Policy/Procedures
    3.2.6 Audit and Accountability
    3.2.7 Summary of Common ICS Configuration Vulnerabilities
  3.3 Common ICS Network Security Weaknesses
    3.3.1 Common ICS Network Design Weaknesses
    3.3.2 Weak Firewall Rules
    3.3.3 ICS Network Component Configuration (Implementation) Vulnerabilities
    3.3.4 Audit and Accountability
    3.3.5 Summary of Common ICS Network Vulnerabilities
4. ICS SECURITY RECOMMENDATIONS
  4.1 Recommendations for Vendors
    4.1.1 Create a Security Culture
    4.1.2 Enhance ICS Test Suites
    4.1.3 Create and Test Patches
    4.1.4 Redesign Network Protocols for Security
    4.1.5 Increase Robustness of Network Parsing Code
    4.1.6 Create Custom Protocol Parsers for Common IDSs
    4.1.7 Document Necessary Services and Communication Channels
    4.1.8 Redesign ICS to Use the Least Communication Channels Possible
    4.1.9 Implement and Test Strong Authentication and Encryption Mechanisms
    4.1.10 Improve Security through External Software Security Assessments
  4.2 Recommendations for ICS Owners and Operators
    4.2.1 Restrict ICS User Privileges to only those Required
    4.2.2 Change All Default Passwords and Require Strong Passwords
    4.2.3 Test and Apply Patches
    4.2.4 Protect Critical Functions with Network Security Zones and Layers
    4.2.5 Customize IDS Rules for the ICS and Closely Monitor Logs
    4.2.6 Force Security through External Software Security Assessments
5. REFERENCES
Appendix A—Terms and Definitions
Appendix B—CSET Self Assessment Activities
Appendix C—Acronyms

FIGURES

Figure EX-1. Comparison of ICS software security weaknesses.
Figure 1. Categories of vulnerabilities identified in 2009–2010 CSSP product assessments.
Figure 2. Percentage of 2009–2010 ICS-CERT vulnerability disclosures.
Figure 3. Percentage of 2009–2010 CSSP assessment findings and ICS-CERT vulnerability disclosures.
Figure 4. CSSP assessment findings and ICS-CERT vulnerability disclosures per ICS component type.
Figure 5. CSSP assessment findings and ICS-CERT vulnerability disclosures by ISA99 reference model levels.
Figure 6. Generic man-in-the-middle attack.
Figure 7. Recommended defense-in-depth ICS architecture.

TABLES

Table EX-1. Most common weaknesses identified on installed ICS.
Table EX-2. Vendor Mitigations.
Table 1. Common security weaknesses identified in 2009–2010 CSSP product assessments.
Table 2. Common security weaknesses reported to ICS-CERT in 2009 and 2010.
Table 3. Major incident response observations.
Table 4. Common security weaknesses identified during onsite CSET assessments.
Table 5. Reference model for ISA99 standards.
Table 6. Common ICS software vulnerabilities identified through CSSP and ICS-CERT activities.
Table 7. Summary of common ICS configuration findings.
Table 8. Summary of common ICS network weaknesses.

Common Cybersecurity Vulnerabilities Identified in DHS Industrial Control Systems Products

1. INTRODUCTION

The U.S. Department of Homeland Security (DHS) National Cyber Security Division’s Control Systems Security Program (CSSP) performs cybersecurity assessments of industrial control systems (ICS) to reduce risk and improve the security of ICS and their components used in critical infrastructures throughout the United States. DHS also sponsors the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to provide a control system security focus in collaboration with US-CERT (United States Computer Emergency Readiness Team). This report has been developed to share the knowledge and information gained by both of these programs.

This report correlates and compiles vulnerabilities from general knowledge gained from DHS CSSP assessments and ICS-CERT activities and reports the most common types of cybersecurity vulnerabilities as they relate to ICS. DHS CSSP derives the information based on the following activities:
- Cybersecurity assessments of ICS products
- Published products derived from operation of ICS-CERT
- Self-assessments of asset owner facility using the Cyber Security Evaluation Tool (CSET).

The term “ICS,” as used throughout this report, includes Supervisory Control and Data Acquisition (SCADA) systems, Process Control Systems, Distributed Control Systems, and other control systems specific to any of the critical infrastructure industry sectors. Although differences in these systems exist, their similarities enable a common framework for discussing and defining security controls. Standard cybersecurity concepts apply to all computer hardware and software, and common issues in ICS can be discussed in general terms.

Common ICS vulnerabilities and associated recommendations are discussed in this report. Insight is gained into the current state of ICS security through high-level analysis of the problem areas by information gathered from CSSP ICS security assessments and ICS-CERT alerts, advisories, and incident response.

This report is organized in three sections. First, the different sources of ICS vulnerability information are summarized. Then the common ICS vulnerabilities are presented according to categories that describe a general problem observed in multiple ICS security assessments. These three general categories are grouped by:
1. Vulnerabilities inherent in the ICS product
2. Vulnerabilities caused during the installation, configuration, and maintenance of the ICS
3. The lack of adequate protection because of poor network design or configuration.

Nonattributable ICS vulnerabilities are listed with the common vulnerability descriptions to aid in understanding the issues. General recommendations based on empirical knowledge gained through performing ICS security assessments are then grouped by software development recommendations for ICS vendors, ICS network configuration, and maintenance recommendations for ICS owners.

2. VULNERABILITY INFORMATION SOURCES

This report is an update of a previous report first published in 2009.[1] The previous document compiled common vulnerabilities identified during cybersecurity assessments of new ICS products and production ICS installations. This report adds the information gained from subsequent ICS cybersecurity assessments with new content from ICS-CERT products, field-knowledge gained by ICS-CERT incident response, and onsite assessments assisting ICS owners in using the CSET self-assessment tool.

These different sources of ICS vulnerability information provide a more complete picture of ICS security: (1) CSSP has performed cybersecurity assessments of ICS software and production installations since 2004, (2) ICS-CERT started publishing vulnerability information and assisting in incident response in 2010, and (3) CSSP has assisted in Control System Cyber Security Self-Assessment Tool (CS2SAT) and CSET policy self-assessments since 2006. Each of these sources is covered in the subsequent sections, followed by a discussion of the compiled source information and a comparison against information from past years.

2.1 CSSP ICS Security Assessments

The DHS National Cyber Security Division established the CSSP to help industry and government improve the security of the ICS used in critical infrastructures throughout the United States. A key part of the CSSP mission is the assessment of ICS to identify vulnerabilities that could put critical infrastructures at risk to cyber attack. Once these vulnerabilities are identified, mitigation strategies are developed to enhance ICS security.

CSSP has established a collaborative effort among vendors, owners/operators, industry partners, and other national laboratories to provide an assessment environment where ICS can be evaluated for security vulnerabilities. This controlled environment allows realistic assessments of systems and components without the adverse consequences resulting from potential system failures.

Assessments are performed at the Control Systems Analysis Center, located at the Idaho National Laboratory, to evaluate vendors’ ICS software. Assessments also are performed at ICS sites in order to assess security issues due to the interdependencies and network design of operational ICS installations. Operational ICS assessments use nonintrusive methods, such as reviewing the production system network diagrams and firewall rules, and performing a hands-on assessment of a duplicate nonproduction installation of the system.

The primary goal of the CSSP cybersecurity assessments is to improve the security of the critical infrastructure by delivering to each industry partner a report of all security problems found during the assessment along with associated recommendations for improving the security of their product or infrastructure (as appropriate). The CSSP has performed assessments on a large variety of systems, and for each assessment, CSSP tailors the assessment plan and methodology to provide the most value to the customer owning the system. System configurations also vary considerably depending on ICS functionality, negotiated objectives, and whether the assessment was conducted in the laboratory or onsite. In all cases, the architecture and boundaries for the system under test are carefully determined. Assessment targets are developed individually for each assessment based on the system configuration and assessment focus in order to address the concerns of the partners. Although a common approach is used for all assessments, the details of each assessment vary; the fact that a vulnerability was not listed on a particular system report does not imply that it did not exist on that system. CSSP vulnerability identification activities focus on enabling the identification and remediation of the highest risk ICS cybersecurity vulnerabilities rather than the collection of data for statistical purposes. One should keep this in mind when interpreting common vulnerability data.

Laboratory assessments are designed to evaluate vendor-specific products and services, such as custom protocols, field equipment, applications, and services. Ideally, the systems are assessed in multiple phases: (1) a baseline system assessment that identifies vulnerabilities in the vendor’s default configuration and (2) an evaluation of the system following implementation of mitigation strategies based on baseline assessment results. In some cases, more than two assessments have been performed on different versions of an ICS. Assessment projects typically leverage a full-disclosure approach with the vendor and asset-owner partners. The CSSP focus is on the ICS and its perimeter. By collecting background architecture, policy, and configuration data from a project partner, the team can perform a more thorough assessment of the system. Penetration testing is a security validation process performed by many commercial entities. CSSP does not simulate a blind attack or penetration of the system, but instead works with the project partner to gain the best understanding of security issues obtainable within the time constraints, and provide insight to help mitigate the vulnerabilities found.

2.1.1 Common CSSP ICS Cybersecurity Assessment Vulnerabilities

The highest percentage of vulnerabilities identified during ICS product assessments continues to be due to improper input validation by ICS code. Poor access controls are the second most common security weakness identified in ICS software in 2009–2010. Authentication weaknesses follow in third place. Vulnerabilities reported from the previous CSSP ICS product assessments include more patch management and password problems than the more recent findings. This may be more indicative of the types of systems that were assessed than a change in ICS vulnerability.

The previous report[1] presented results from 15 ICS cybersecurity assessments performed by the CSSP from 2004 through 2008. Three additional ICS product assessments are included in this report. Figure 1 shows the categories of vulnerabilities that were identified in the three product assessments performed in 2009 and 2010. Table 1 summarizes these vulnerabilities.

Figure 1. Categories of vulnerabilities identified in 2009–2010 CSSP product assessments.

Table 1. Common security weaknesses identified in 2009–2010 CSSP product assessments.

2.2 ICS-CERT Products

ICS-CERT[b] provides a control system security focus in collaboration with US-CERT to:
- Respond to and analyze control systems related incidents
- Conduct vulnerability and malware analysis
- Provide onsite support for incident response and forensic analysis
- Provide situational awareness in the form of actionable intelligence
- Coordinate the responsible disclosure of vulnerabilities/mitigations
- Share and coordinate vulnerability information and threat analysis through information products and alerts.

ICS-CERT serves as a key component of the Strategy for Securing Control Systems, which outlines a long-term, common vision where effective risk management of control systems security can be realized through successful coordination efforts.

This report uses information gathered from ICS-CERT alerts and advisories published between October 2009 and December 2010. In addition, general knowledge gained from incident response and forensic analysis is included in this report.

b. http://www.us-cert.gov/control_systems/ics-cert/

2.2.1 Common ICS-CERT Vulnerability Announcements

ICS-CERT alerts and advisories contain information about suspicious cyber activity, incidents, and vulnerabilities affecting critical infrastructure control systems. An ICS-CERT alert discloses information about an ICS-related vulnerability that was reported to them. An ICS-CERT Advisory is intended to provide awareness or solicit feedback from critical infrastructure owners and operators concerning ongoing cyber events or activity with the potential to impact critical infrastructure computing networks.

Figure 2 shows the categories of vulnerabilities that were reported to ICS-CERT in 2009 and 2010. The highest percentage of reported ICS vulnerabilities are buffer overflow vulnerabilities. Credentials management and authentication weaknesses make up the bulk of the remaining published ICS vulnerabilities. Table 2 summarizes the vulnerabilities that were reported to ICS-CERT in 2009 and 2010.

Figure 2. Percentage of 2009–2010 ICS-CERT vulnerability disclosures.

Table 2. Common security weaknesses reported to ICS-CERT in 2009 and 2010.

2.2.1.1 Common Incident Response Observations

ICS-CERT incident response activities are performed at the request of owners and operators to assist in the review of network architecture, security practices, and system configurations. ICS-CERT incident response participants have observed an overall lack of defense-in-depth at ICS installations. Table 3 shows the biggest security weaknesses observed at ICS installations.

Some of the sites visited had not segmented the control network and had multiple connections from the control network to the corporate network and to remote sites as one flat network. Many peer and remote site connections were routed over leased networks. Many sites did not limit access between their disparate locations. This means that once any host on the company’s network is compromised, there are few access controls preventing malicious intent.

Table 3. Major incident response observations.

Firewalls should be used to filter traffic between security zones. Some sites had implemented network segmentation using VLANs (virtual local area networks) without firewalls. Firewalls should be used to block unauthorized traffic in the case that the VLAN access controls are subverted.

User permissions and access controls should also be limited to those necessary to perform their roles. Some sites trusted all users equally or allowed more access than necessary.

After an incident has occurred, system logs can be used to help determine the cause of the problem or how the system was attacked. Many sites either did not store system logs or overwrote them within a short period of time. Though not a frontline cybersecurity barrier against a threat, event monitoring and logging is critical to the capture of forensic data, which ultimately could lead to additional cybersecurity resilience.

2.3 CSET Self-Assessment Tool

The CSET[c] combines the functionality of two earlier tools, the CS2SAT and the Cyber Security Vulnerability Assessment Tool. The Cyber Security Vulnerability Assessment Tool functionality is called Enterprise Evaluation or EE in CSET.

CSET is a self-assessment software standards application for performing cybersecurity reviews of industrial control and enterprise network systems. The tool may be used by any organization to assess the cybersecurity posture of ICS that manage a physical process or enterprise network. The tool also provides information that assists users in resolving identified weaknesses in their networks and improving their overall security posture.

CSET provides users in all infrastructure sectors with a systematic and repeatable approach for performing assessments against multiple standards, recommended security practices, and industry requirements. CSET provides a flexible question and answer format for performing
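The segmentation point from the incident response observations in Section 2.2.1.1 (a VLAN-only split with no firewall leaves an implicit allow-all between zones, while a zone firewall with a default-deny policy admits only the channels the process needs) can be made concrete with a small policy model. The following Python is an added example, not code from the DHS report or from CSSP/ICS-CERT; the zone names, address ranges, hosts and port numbers (502 for Modbus/TCP, 5432 standing in for a historian database, 443 for a DMZ web front end) are constructed assumptions.

```python
"""Zone firewall policy comparison (added example; not from the DHS report).

Models the Section 2.2.1.1 observation: VLAN segmentation with no firewall
leaves an implicit allow-all between zones, so a compromised corporate host
can reach control-network services. The hardened policy is default deny
between zones with a few explicit permits. All zone names, address ranges,
hosts and ports are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp" or "udp"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed address plan: one subnet per security zone.
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "control": ip_network("10.30.0.0/24"),
    "remote": ip_network("10.40.0.0/24"),
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    raise ValueError(f"{addr} is not in any known zone")


class ZonePolicy:
    """First-matching-rule semantics, as in most packet filters."""

    def __init__(self, rules: List[Rule], default_action: str):
        self.rules = list(rules)
        self.default_action = default_action

    def evaluate(self, flow: Flow) -> str:
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        if src_zone == dst_zone:
            return "allow"  # a zone firewall does not see intra-zone traffic
        for r in self.rules:
            if (r.src_zone == src_zone and r.dst_zone == dst_zone
                    and r.proto == flow.proto
                    and (r.dport is None or r.dport == flow.dport)):
                return r.action
        return self.default_action


# Weak configuration: VLANs separate broadcast domains, but nothing filters
# between them, so every inter-zone flow falls through to an implicit allow.
VLAN_ONLY = ZonePolicy(rules=[], default_action="allow")

# Hardened configuration: default deny between zones, permitting only the
# channels the process needs. Port numbers are constructed examples
# (502 = Modbus/TCP; 5432 stands in for a historian database; 443 = web UI).
FIREWALLED = ZonePolicy(
    rules=[
        Rule("control", "dmz", "tcp", 5432, "allow"),    # historian replication
        Rule("corporate", "dmz", "tcp", 443, "allow"),   # users read DMZ historian
        Rule("remote", "control", "tcp", 502, "allow"),  # remote site polls PLCs
    ],
    default_action="deny",
)

# Constructed flows an analyst might check after an incident.
SAMPLE_FLOWS = [
    Flow("10.10.5.21", "10.30.0.10", "tcp", 502),   # corporate host -> PLC
    Flow("10.10.5.21", "10.20.0.5", "tcp", 443),    # corporate host -> DMZ web
    Flow("10.30.0.10", "10.20.0.5", "tcp", 5432),   # control -> DMZ historian
    Flow("10.40.0.7", "10.30.0.10", "tcp", 502),    # remote site -> PLC
    Flow("10.40.0.7", "10.30.0.10", "tcp", 22),     # remote site -> PLC, SSH
]


def compare(a: ZonePolicy, b: ZonePolicy, flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Decision of each policy for each flow."""
    return [(f, a.evaluate(f), b.evaluate(f)) for f in flows]


def exposed_control_flows(policy: ZonePolicy, flows: List[Flow]) -> List[Flow]:
    """Flows into the control zone that the policy lets through."""
    return [f for f in flows
            if zone_of(f.dst) == "control" and policy.evaluate(f) == "allow"]


if __name__ == "__main__":
    for f, vlan, fw in compare(VLAN_ONLY, FIREWALLED, SAMPLE_FLOWS):
        print(f"{f.src:>12} -> {f.dst:<12} {f.proto}/{f.dport:<5} "
              f"vlan-only={vlan:<5} firewalled={fw}")
    print("control-zone exposure: vlan-only=%d firewalled=%d" % (
        len(exposed_control_flows(VLAN_ONLY, SAMPLE_FLOWS)),
        len(exposed_control_flows(FIREWALLED, SAMPLE_FLOWS))))
```

Run stand-alone, the script prints each constructed flow with the decision under both policies and the count of flows that reach the control zone. Under the VLAN-only policy all three inbound control-zone flows (including the corporate host reaching a PLC on the Modbus port) are permitted; under the default-deny policy only the one channel that was deliberately permitted remains, which is the exposure reduction the report's recommendation is after. The model uses first-match rule order because that is how most firewalls evaluate rule sets, so the same checker can be pointed at an exported rule list when reviewing a site's firewall configuration.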
