Aging control systems, increasing levels of connectivity, and software updates are the culprits behind a spike in cybersecurity vulnerabilities and a corresponding number of malware attacks. Can industry change before it's too late?
Software security expert Mike Ahmadi first noticed the spike in industrial control system cybersecurity vulnerabilities in the NIST CVE (Common Vulnerabilities and Exposures) database three years ago.
Software code bugs are responsible for these vulnerabilities, which expose systems to the potential for malicious attacks.
Ahmadi, who is Director of Critical Systems Security in the Software Integrity Group at Synopsys Inc., speculated that the increase might partly be the result of the enormous frenzy surrounding cybersecurity. Given the increase in people actively looking for vulnerabilities, it seemed only reasonable to assume that more bugs, many of which, in fact, may have always been in the code, would be discovered.
These bugs exist because the software industry has traditionally focused on fixing functional bugs, not security problems, which weren't even on its radar before the Internet of Things.
Alternatively, bugs can be introduced when a system is upgraded. In the case of one pre-2010 industrial control system, Ahmadi identified literally hundreds of bugs that resulted from an update to a new operating system; over 374 vulnerabilities were discovered in one Java runtime alone.
"As time went on and more systems were getting connected to the outside world, I started noticing the same hockey stick effect in the data for things like routers and medical devices," explained Ahmadi. "In a way, it's the moment of truth, as many of these systems were not designed with any security in mind and suddenly they are being thrown into an extraordinarily hostile environment."
Vulnerabilities aren't great, but malware attacks can be catastrophic. Wondering whether there might be a correlation between the spike in vulnerabilities and actual cyberattacks, Ahmadi reached out to Kaspersky Lab, which tracks malware incidents, to investigate.
The data proved remarkably similar, so much so that, as the Industrial Internet grows, Ahmadi likens the situation to an almost perfect storm. "Many of the legacy industrial control systems that were designed years ago are fairly simple; there was almost nothing to consider with regard to security because the system was closed off," he said. "Now companies are realizing that they need to connect these things to the Internet. In fact, just take a look at the progression of the network. We are all becoming more and more reliant on being connected to the outside world; a device today that isn't connected is considered to be almost useless."
Making matters worse, aging systems tend to accumulate problems over time. In the case of a router whose oldest software component dated back to 2009, 48 new vulnerabilities were found 12 months before the product's release, 289 vulnerabilities after 12 months of operation, and the product was released with 400 critical vulnerabilities.
Worse, some companies may even unwittingly expose their systems to the outside world. "They may think they are only going to keep stuff on an internal network, but somewhere along the line it's connected to a network that is talking to the outside world, and that network may be compromised."
While it may sound like all gloom and doom, Ahmadi is optimistic that industry can and will get on top of cybersecurity, so long as the approach shifts from being purely reactive to getting ahead of the security issues.
He is a strong advocate of the proposed Supply Chain Cybersecurity Act, which would require software companies to share a bill of materials listing each binary component used in the software, firmware or product, demonstrate that those component versions have no known vulnerabilities, and provide secure update mechanisms.
For end users, he recommends a set of minimum required practices:
- Check for security patches and apply within 30 days
- Replace factory default settings
- Reassess risk yearly and apply changes
- Require third parties to protect information with safeguards at least as good as your own, and audit them to ensure they continuously satisfy those standards
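The bill-of-materials check the proposed Act would mandate and the first two items on the checklist above are mechanical enough to automate. The script below is an added example, not code from the article, from Synopsys or from UL: it takes a component list for a device, compares each component's version against an advisory feed, flags patches that have sat unapplied for more than 30 days, and flags settings still at their factory defaults. Every component name, version, vulnerability id, date and default value in it is constructed for illustration; a real run would load the component list and advisory feed from an SBOM file and a vulnerability database export.

```python
"""Added example (not from the article, Synopsys or UL): a minimal
software-bill-of-materials review for a connected device.

All component names, versions, vulnerability ids, dates and default
values below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass
class PatchRecord:
    component: str
    released: date            # date the vendor published the patch
    applied: Optional[date] = None   # None means still not applied


def parse_version(text: str) -> tuple:
    """Turn '1.6.0' into (1, 6, 0) so versions compare numerically.
    Only the leading digits of each dotted piece count, so '1.6.0-rc1'
    still parses as (1, 6, 0)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


# Constructed advisory feed: component name -> list of (vuln id, fixed_in).
# A shipped version older than fixed_in is affected by that advisory.
ADVISORIES = {
    "java-runtime": [("CONSTRUCTED-0001", "1.6.1"), ("CONSTRUCTED-0002", "1.7.0")],
    "web-server": [("CONSTRUCTED-0003", "2.4.3")],
    "libssl": [],
}


def find_known_vulnerabilities(components):
    """Return (name, version, vuln id) for every advisory whose fix is
    newer than the shipped version, i.e. a known but unpatched bug."""
    hits = []
    for comp in components:
        for vuln_id, fixed_in in ADVISORIES.get(comp.name, []):
            if parse_version(comp.version) < parse_version(fixed_in):
                hits.append((comp.name, comp.version, vuln_id))
    return hits


def overdue_patches(records, today, max_days=30):
    """Components whose patch has been available for more than max_days
    and is still not applied (the 'apply within 30 days' rule)."""
    return [r.component for r in records
            if r.applied is None and (today - r.released).days > max_days]


# Constructed factory defaults for the device being reviewed.
FACTORY_DEFAULTS = {"admin_password": "admin", "remote_management": "enabled"}


def unchanged_factory_defaults(config, defaults=FACTORY_DEFAULTS):
    """Settings still at the value the device shipped with."""
    return [key for key, value in defaults.items() if config.get(key) == value]


# Constructed SBOM, patch log and running configuration for one router.
ROUTER_SBOM = [
    Component("java-runtime", "1.6.0"),   # older than both fixes: two hits
    Component("web-server", "2.4.3"),     # already at the fixed version
    Component("libssl", "1.0.2"),         # no advisories on file
    Component("ntp-client", "4.2.8"),     # not in the feed at all
]
TODAY = date(2016, 6, 1)
PATCHES = [
    PatchRecord("java-runtime", date(2016, 4, 1)),                    # 61 days, unapplied
    PatchRecord("web-server", date(2016, 5, 20), date(2016, 5, 25)),  # applied
    PatchRecord("libssl", date(2016, 5, 15)),                         # 17 days, in window
]
DEVICE_CONFIG = {"admin_password": "admin", "remote_management": "disabled"}


def review_device(components=ROUTER_SBOM, patches=PATCHES,
                  config=DEVICE_CONFIG, today=TODAY):
    """Run all three checks and return the findings as one dict."""
    return {
        "known_vulnerabilities": find_known_vulnerabilities(components),
        "overdue_patches": overdue_patches(patches, today),
        "factory_defaults": unchanged_factory_defaults(config),
    }


if __name__ == "__main__":
    for check, findings in review_device().items():
        print(f"{check}: {findings}")
```

Version comparison here is deliberately simple (numeric dotted versions only); real feeds use version ranges and vendor-specific schemes, so a production check would need a proper version library and a feed with explicit affected ranges rather than a single fixed_in value.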
Further, Synopsys is collaborating with UL LLC on a new Cybersecurity Assurance Program to develop and perform security testing on network-connected devices, beginning with industrial automation equipment and services and medical devices.