The nation’s infrastructure, largely administered by IT systems knows as SCADA, is firmly in the crosshairs of our enemies, public officials have increasingly warned. Last autumn, US Defense Secretary Leon Panetta talked about an impending “Cyber Pearl Harbor,” while newly confirmed US Secretary of State John Kerry commented last month that cyber-attacks are the equivalent of modern-day nuclear weapons. Meanwhile, Janet Napolitano, Secretary of the Department of Homeland Security, warned that a “cyber- 9/11” is a very real possibility.
The comments have touched off discussions around the level of hyperbole they may represent, but NSS Labs’ Vulnerability Threat Report has put some numbers around the threat. The report revealed significant spikes in hardware and software vulnerabilities, which overall rose a 26% in 2012, reversing five straight years of declines. SCADA-specific vulnerabilities accounted for a relatively low total number of those (124 in 2012), but are still up the aforementioned 600%. That is likely due to the fact that many of the systems are aging and out of date.
Unfortunately, with tools now available to easily identify internet-facing ICS/SCADA systems, NSS expects that the arms race has only just started – it said that it expects security issues within these systems to continue increasing, it said.
“While vulnerabilities in 2012 haven’t returned to the all-time high levels we saw in 2006, it’s significant that after five years of decline, the number of disclosed vulnerabilities rebounded sharply and jumped 26% in one year,” said Stefan Frei, research director at NSS Labs. "It is not just the number of vulnerabilities that matters, however. The level of criticality, how easily a vulnerability can be exploited, and the types of software they affect are all part of determining how serious a threat any single vulnerability might pose and these are trends we continue to watch.”
Unfortunately for cyber-fighters, highly critical vulnerabilities combined with low attack complexity pose the greatest threats: In 2012, 9.2% of disclosed vulnerabilities had a common vulnerability scoring system base score of 9.9 or more paired with a low attack complexity. This combination of a highly critical vulnerability that is fairly easy to attack or exploit represents a “perfect match” for cybercriminals who can now do more damage with less skill.
“The growing number of vulnerabilities being disclosed in ICS/SCADA systems, in particular, is very concerning – not only for vendors developing these systems, but also for governments around the world that would have to respond to any catastrophic consequences from attacks against critical infrastructures,” said Frei.
The report also turned up the fact that 1% of vendors account for 31% of the vulnerabilities disclosed per year, and only one of the top 10 vendors – Microsoft – managed to decrease its vulnerability disclosures in 2012 compared to its average number of disclosures in the previous decade.
That said, vulnerabilities are affecting larger numbers of vendors than before. Vulnerabilities disclosed in 2012 affected over 2,600 products from 1,330 vendors – 73% of these were new vendors who had not had a vulnerability disclosure with the previous two years. These new vendors accounted for 30% of the total vulnerabilities disclosed in 2012. While recurring vendors may still represent the bulk of vulnerabilities reported, research shows that the vulnerability and threat landscape continues to be highly dynamic with new vendors continually emerging as technologies (and threats) evolve.