Common Control System Vulnerabilities

Last month the Department of Homeland Security (DHS) National Cyber Security Division’s Control Systems Security Program (CSSP) released a report on the results of 15 control systems assessments that the CSSP has conducted since 2004. With only 15 assessments this is hardly a comprehensive look at industrial control systems (ICS) cyber vulnerabilities, but it does provide a window into the typical problems found in control system applications. These assessments were not done on live installations of control systems. The assessments were done using techniques such as “reviewing the production system network diagrams and firewall rules, and performing a hands-on assessment of a duplicate nonproduction installation of the system” (pg 1). “This controlled environment allows realistic assessments of systems and components without the adverse consequences resulting from potential system failures.” One of the scary aspects of this report is found on page 5 in the “Impact on ICS Security” section of the report:

“Although not all findings have been addressed, most systems have been modified to improve security based on assessment reports. After-action validation of mitigations to identified security flaws are performed by the CSSP assessment team to help ensure the security assessments are successful in increasing critical infrastructure security. Some of the vendors have been forthright in sharing the results with their customers, and some have felt that any disclosure of vulnerabilities could lead to exposure of their customers to potential cyber attacks.”

I’m not sure what disturbs me more the ‘not all findings have been addressed’ or the ‘some of the vendors have been forthright in sharing’ comments. The combination of the two should be enough to convince people in the chemical security community that there is a significant problem with the security of industrial control systems that are such an integral part of so many high-risk chemical facilities. Types of Vulnerabilities The report loosely groups assessed vulnerabilities into “nine general security problems that sum up the main weaknesses that ICS products and installations are prone to have due to legacy code, lack of security training and requirements, and ICS operational requirements” (pg 9). The top three (by % of assessment findings) problem areas are (pg 7): poor network protocol implementations (26%), information disclosure (21%), weak authentication (18%). The common vulnerabilities found in the network protocol implementation category include (pg 8, Table 1):

“Lack of input validation: Buffer overflow in ICS service “Lack of input validation: Lack of bounds checking in ICS Service “ICS protocol uses weak authentication “ICS protocol uses weak integrity checks “ICS product relies on standard IT protocol that uses weak encryption”

The common vulnerabilities found in the information disclosure category include (pg 8, Table 1):

“Unencrypted proprietary ICS protocol communication “Unencrypted nonproprietary ICS protocol communication “Unencrypted services common in IT systems “Open network shares on ICS hosts “Weak protection of user credentials “Information leak through unsecure service configuration”

The common vulnerabilities found in the weak authentication category include (pg 8, Table):

“ICS uses standard IT protocol that uses weak encryption “Use of standard IT protocol with clear-text authentication “Client-side enforcement of server-side security “Improper security configuration “No password required “Weak passwords “Weak password requirements”

Control System Security Debate This document is a valuable addition to the cyber security debate. Industrial control systems are used in a wide variety of settings, but they are of special interest to the chemical security community. ICS are a key component of most chemical manufacturing systems and even purely distributional facilities frequently use these systems to control loading and unloading operations. Security vulnerabilities in the ICS must be seen as potential avenues for attacks on high-risk chemical facilities using those systems. The current Site Security Plan implementation does address the issue of cyber security, including security issues associated with ICS. It does not include the same level of ICS assessment described in this assessment. This is certainly reasonable given the high level of complexity of the existing SSP, the limitations imposed by the authorizing legislation, and the level of expertise required to do these assessments. But, sooner or later, detailed assessments of security of cyber control systems will need to be done at the high-risk chemical facilities covered by CFATS.