‘Improper Input Validation’ Top ICS Weakness

Friday, May 27, 2011 @ 03:05 PM gHale

The highest percentage of vulnerabilities identified in industrial control system (ICS) product assessments continues to be improper input validation by ICS code, according to a new report just released by the U.S. Department of Homeland Security’s Control Systems Security Program (CSSP).

DHS’ CSSP performs cyber security vendor assessments, ICS-CERT operations, and asset owner cyber security evaluations using the Cyber Security Evaluation Tool (CSET), all aimed at reducing risk and improving the security of industrial control systems.

In 2009, a report titled “Common Cyber Security Vulnerabilities Observed in DHS Industrial Control Systems Assessments” compiled common vulnerabilities identified during 15 security assessments of new ICS products and production ICS installations from 2004 through 2008. Three additional ICS product assessments took place in 2009 and 2010. This newer, 2010 version is an update to the 2009 version.

Poor access controls — credentials management and security configuration — were the second most common security weakness identified in new ICS software in 2009–2010. Authentication weaknesses follow in third place.

ICS-CERT alerts match 2009–2010 CSSP assessment findings, with most of the published ICS vulnerabilities due to improper input validation, but have a much higher percentage of password weaknesses.

Production system assessments used the CSET policy-based self-assessment tool in 2009–2010. Summary reports indicate the lack of formal documentation is the most common gap identified. ICS-CERT incident response participants have observed an overall lack of defense-in-depth at ICS installations. Prior CSSP site assessments found the most common configuration problem was credentials management (i.e., weak passwords and insufficiently protected credentials), followed by weak or non-existent firewall rules and network design weaknesses.

Defense-in-depth security strategies that help protect the ICS from attack are part of an effective, proactive security program. Such a program is a necessity because attack strategies constantly evolve to overcome new defense mechanisms.

To encourage a proactive program, vendors should offer or support security products and features that work in layers of defense to help protect ICS installations, according to the report. Owners should add further network perimeter layers of defense and actively update and monitor the system. Increasing the hurdles required to attack a system decreases the chance attackers will be able to subvert all of them and increases the chance attackers will give up before accomplishing their goals. Designing security into the system and following secure coding and security best practices can also minimize damage from attacks by insiders, social engineers, or anyone else with access behind the ICS network perimeter.

ICS product vendors are responsible for delivering systems that can survive attack without compromising critical functionality, according to the report. ICS owners must ensure the physical systems they operate do not put lives, the economy, or the environment at risk through a failure to perform due diligence in procuring, configuring, securing, and protecting the ICS for critical infrastructure.

From an ICS-CERT perspective, the highest percentage of ICS vulnerabilities are buffer overflow vulnerabilities. Credentials management and authentication weaknesses make up the bulk of the remaining published ICS vulnerabilities.
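The two findings above are the same weakness seen from two angles: a buffer overflow in ICS code is what improper input validation usually looks like when a length or count field from the network is trusted. The following C example is added here for illustration and is not code from the report, ISSSource, or any vendor; the one-byte-length "setpoint" frame layout, the tag names, and the engineering limit are all constructed for the example. It shows a parser that trusts the wire-supplied length beside one that checks every length against both the destination buffer and the bytes actually received, and also rejects values outside the process range before anything is written.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, hypothetical frame layout used only for this example (not a
 * real ICS protocol): [tag_len:1][tag:tag_len][value:2, big-endian]. */
#define TAG_MAX      16
#define SETPOINT_MAX 1000   /* engineering limit, constructed for the example */

struct setpoint_cmd {
    char     tag[TAG_MAX + 1];
    uint16_t value;
};

/* WEAK version: trusts the length byte from the wire. A tag_len larger than
 * TAG_MAX copies past the end of cmd->tag, and frame_len is never consulted,
 * so a short frame is read past its end as well. This is the improper input
 * validation / buffer overflow pattern; it is kept only for contrast and is
 * undefined behaviour on anything but a well-formed frame. */
int parse_setpoint_weak(const uint8_t *frame, size_t frame_len,
                        struct setpoint_cmd *cmd)
{
    size_t tag_len = frame[0];
    (void)frame_len;                              /* unused: the weakness */
    memcpy(cmd->tag, frame + 1, tag_len);         /* no bound on tag_len */
    cmd->tag[tag_len] = '\0';
    cmd->value = (uint16_t)((frame[1 + tag_len] << 8) | frame[2 + tag_len]);
    return 0;
}

/* Hardened version. Returns 0 on success, a negative code on rejection so the
 * caller can log and drop the frame; nothing is written to cmd until every
 * check has passed. */
int parse_setpoint(const uint8_t *frame, size_t frame_len,
                   struct setpoint_cmd *cmd)
{
    if (frame == NULL || cmd == NULL || frame_len < 1)
        return -1;                                /* no length byte at all */
    size_t tag_len = frame[0];
    if (tag_len == 0 || tag_len > TAG_MAX)
        return -2;                                /* would overflow cmd->tag */
    if (frame_len != 1 + tag_len + 2)
        return -3;                                /* truncated or trailing bytes */
    for (size_t i = 0; i < tag_len; i++) {
        unsigned char c = frame[1 + i];
        if (c < 0x20 || c > 0x7e)
            return -4;                            /* tag must be printable ASCII */
    }
    uint16_t value = (uint16_t)((frame[1 + tag_len] << 8) | frame[2 + tag_len]);
    if (value > SETPOINT_MAX)
        return -5;                                /* outside engineering range */
    memcpy(cmd->tag, frame + 1, tag_len);
    cmd->tag[tag_len] = '\0';
    cmd->value = value;
    return 0;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t FRAME_OK[]       = { 6, 'T','I','C','1','0','1', 0x01, 0xF4 }; /* value 500 */
static const uint8_t FRAME_OVERLONG[] = { 0xFF, 'T','I','C' };                      /* length byte lies */
static const uint8_t FRAME_TRUNC[]    = { 6, 'T','I','C','1','0','1', 0x01 };       /* value byte missing */
static const uint8_t FRAME_RANGE[]    = { 6, 'T','I','C','1','0','1', 0x27, 0x10 }; /* value 10000 */
static struct setpoint_cmd scratch;               /* shared result buffer for callers */

int main(void)
{
    const struct { const char *name; const uint8_t *f; size_t n; } cases[] = {
        { "well-formed",        FRAME_OK,       sizeof FRAME_OK },
        { "overlong tag",       FRAME_OVERLONG, sizeof FRAME_OVERLONG },
        { "truncated",          FRAME_TRUNC,    sizeof FRAME_TRUNC },
        { "value out of range", FRAME_RANGE,    sizeof FRAME_RANGE },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = parse_setpoint(cases[i].f, cases[i].n, &scratch);
        if (rc == 0)
            printf("%-18s accepted: tag=%s value=%u\n", cases[i].name, scratch.tag, scratch.value);
        else
            printf("%-18s rejected (code %d)\n", cases[i].name, rc);
    }
    return 0;
}
```

The design point is the order of checks: the length byte is compared with the destination buffer first, then with the number of bytes actually received, and only then is the payload touched. The range check on the value is input validation too; it is what keeps a syntactically valid but physically unsafe command from reaching the process, which matters on a system where availability ranks first.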

A major difference in securing ICS and a typical computer system is in the ICS components that do not use standard information technology (IT) hardware or software. Custom ICS hardware and software have not gone under the microscope like common computer products, and refresh rates are typically much lower.

Another difference is the prioritization of security objectives. While adding security measures to ICS components, it is important to keep in mind functional requirements. Unlike typical IT systems, ICS security objectives are typically prioritized as:
1. Availability
2. Integrity
3. Confidentiality

Violating operational requirements while implementing security features in ICS could cause more damage than a cyber attack.

CSSP ICS security assessments identified the vulnerabilities described in the report in a majority of the systems. In addition to these common vulnerabilities, researchers were able to identify further vulnerabilities unique to the individual ICS software and implementations.

All of these vulnerabilities can be mitigated by following secure software design and development principles, and secure platform, software, and network configuration guidelines. References to additional information accompany each common vulnerability description and recommendation. The common weakness areas identified by CSET assessments are likewise accompanied by a requirements section listing the standards and guidelines used to identify those security gaps.

For more information on the report, please click here.
