Since the beginning of the year, ICS-CERT has released a total of 77 advisories about vulnerabilities in SCADA systems. Together they cover 133 vulnerabilities, of which 122 correspond to unique CVEs.
Most of the disclosed vulnerabilities are in commonly used SCADA software such as Device Type Managers (DTMs), Human Machine Interfaces (HMIs) and web-based SCADA management solutions. Some advisories, however, address vulnerabilities that are not SCADA-specific, such as those in the widely used NTP (Network Time Protocol) daemon or GHOST (the glibc gethostbyname buffer overflow), in terms of their impact on SCADA-specific products.
I drew some graphs from the statistics of the disclosed vulnerabilities, looking at
- how many of those vulnerabilities can actually be exploited remotely,
- whether public exploits are known for them,
- and, perhaps more interestingly, the types of vulnerabilities and the kinds of systems affected by them.
Mostly, these statistics help show where the chinks in the armour of SCADA systems lie, and they can serve as useful indicators of where to start looking when pentesting your own systems.
Some interesting conclusions (ordered from most reassuring to least, based on an improvised scoring system for reassurance):
- Only a tenth of the vulnerabilities have publicly known exploits.
- The largest share of reported vulnerabilities was insecure credential or data storage. This lands in the middle because basic flaws like this, however disappointing, are comparatively easy to fix.
- A surprisingly large number of the disclosed vulnerabilities were assigned a CVSS base score of 10, the maximum.
- More than half of the disclosed vulnerabilities can be exploited remotely.