I don’t think it is just me. The number of alerts I have been getting over the last few weeks regarding vulnerabilities in very mainstream industrial control system components seems to be out of control.
Here are just a few:
- April 20th – CISA releases 10 Industrial control system (ICS) advisories. This includes Hitachi/ABB, Rockwell, Delta Industrial, Eaton, Siemens and Mitsubishi. The vulnerabilities are all over the board from out of bounds reads and writes to SQL injections to improper privilege management and other issues.
- April 15th – CISA releases 2 ICS advisories. These are for Schneider and EIP Stack Group. These vulnerabilities include bad privilege management, incorrect type conversion, stack overflow and other issues.
- April 13th – CISA releases 12 ICS advisories. This advisory includes a dozen different Siemens products with a laundry list of vulnerabilities including integer overflows, improper authentication and authentication bypass, weak cryptography and other issues.
- April 13th – This day was a doubleheader. This time 15 advisories. This includes Schneider, Advantect, Jtekt, Siemens Nucleus and other products. The bugs include hard coded encryption keys, out of bounds reads, bad random number generation and other bugs.
But this is just the last week or so. Here are some more this month:
That is just this month so far.
I also have at least 10 advisories from March.
What does that tell you?
Consider what these systems are used for. Some examples –
Electric power plants
Water treatment plants
and a lot more.
Consider the impact of one (or more) of these industries getting hacked.
We are already seeing customers asking more security questions and I predict customers will only get more concerned.
If you are a buyer of industrial control equipment, you should up your vendor due diligence, assuming you have not already done that.
If you are a vendor of industrial control systems, you should anticipate getting more questions from your prospects and existing customers, if that has not already started.
And, if you are a manufacturer, assume the bad news will continue. CISA seems to be receiving new vulnerabilities every day.
The challenge for buyers is how to we make these systems secure. Many are no longer supported and many more are so critical that you are scared to patch them. Not to mention the down time that patching probably entails.
Here is the bad news. Hackers do not care about your problem. If they can cause you pain, if they can cause you downtime, they can ransom you to make the pain go away. And that it what they want. MONEY!
So everyone in the food chain needs to understand that this is not the ICS world from just a few years ago and it will likely get worse before it gets better. Sorry to be the messenger.