Manufacturers do not hurry to eliminate vulnerabilities in SCADA-systems

25 May 2017, 23:05 | Technologies

photo InternetUA

Text Size:

Automatic control and information collection systems (SCADA) are actively used for dispatch control in industry and energy, so attacks on SCADA systems can pose a significant threat to various critical infrastructure objects. The Human Machine Interface (HMI) is one of the important components of SCADA and its compromise will allow attackers to gain access to critical infrastructures. Trend Micro experts analyzed ICS-CERT warnings for the period from 2015 to 2016 related to HMI vulnerabilities, and came to disappointing conclusions.

As it turned out, 20% of the vulnerabilities investigated occurred due to memory corruption (buffer overflow, out-of-bounds read / write vulnerability, and t. ); 19% of problems were associated with credentials (wired passwords, hidden accounts with full rights, storing passwords in clear form); 23% of vulnerabilities arose due to the lack of authorization mechanisms; 9% of problems allowed the introduction of code.

It is noteworthy that for the last four years the efficiency of removing vulnerabilities has remained practically at the same level - about 140 days. As noted, manufacturers of SCADA-systems focus on industrial equipment, rather than software, because it is hardware that brings them a big profit.

The report also indicates mistakes made by companies. For example, many of them eliminate only certain vulnerabilities (replace vulnerable APIs, disable problematic functions and t. ), But not more than that.

"Manufacturers of HMI and SCADA solutions should take into account life-cycle security practices implemented by OS and application developers over the past ten years. In addition, they should expect that their products will be used for other purposes, for example, they will be connected to a public network. Taking into account worst-case scenarios, developers can implement comprehensive security measures, "the researchers report.

SCADA (Supervisory Control And Data Acquisition) is a software package designed to develop or provide real-time systems for collecting, processing, displaying and archiving information about a monitoring or control object. SCADA-systems are used in all branches of the economy, where it is required to provide automatic control of technological processes in real time.