The new report, titled “Overload: Critical Lessons from 15 Years of ICS Vulnerabilities,” analyzed 1,552 vulnerabilities discovered since 2000 that affect ICS products and found that 90% of the vulnerabilities were discovered after 2010. Thirty-three percent of the vulnerabilities (516 out of 1,552) did not have a patch available when publicly disclosed.
This was due in some instances to researchers not disclosing flaws to vendors. In several cases, vendors simply opted to classify the affected products as “end of lifecycle” instead of addressing the vulnerability, FireEye ICS intelligence manager Sean McBride told SCMagazine.com.
“Many of these are unpatched — and some are simply unpatchable due to outdated technology — providing open paths for adversarial exploitation,” the report stated.
The study examined only “ICS-specific vulnerability disclosures,” and excluded flaws that focused on “general purpose operating systems” or third-party software vulnerabilities such as POODLE or Heartbleed.
McBride said Stuxnet was an “earth-shattering moment” for researchers that motivated many professionals to uncover “low-hanging fruits” affecting industrial control systems. “Those raw numbers have not fallen off in the five years since Stuxnet,” he said.
In some cases, researchers had disclosed flaws well before they were first exploited in an attack. The Path Traversal vulnerability had been publicly disclosed “years before it was exploited in the wild” targeting SCADA-based systems, McBride said. Considering the lessons learned from this case, he warned that there are a lot of vulnerabilities that are “dangerous to ignore.”
The number of disclosed ICS vulnerabilities will continue to rise at an average of 5 percent in coming years, FireEye researchers predicted. The report also predicted that incidents of ICS-specific vulnerabilities exploited in the wild “will slowly accrue.”