Aging control systems, increasing levels of connectivity, and software updates are the culprits behind a spike in cybersecurity vulnerabilities and a corresponding rise in malware attacks. Can industry change before it's too late?

Karen Field

June 22, 2016

[Image: "Now" chosen over "Later" with a red marker. Credit: ChristianChan, Thinkstock]

Software security expert Mike Ahmadi first noticed the spike in industrial control system cybersecurity vulnerabilities three years ago, in the NIST National Vulnerability Database (NVD), which catalogs CVE (Common Vulnerabilities and Exposures) entries.

Software code bugs are responsible for these vulnerabilities, which expose systems to the potential for malicious attacks.

Ahmadi, who is Director of Critical Systems Security in the Software Integrity Group at Synopsys Inc., speculated that the increase might partly be the result of the enormous frenzy surrounding cybersecurity. Given the increase in people actively looking for vulnerabilities, it seemed only reasonable to assume that more bugs, many of which may in fact have always been in the code, would be discovered.

These bugs exist because the software industry has traditionally focused on fixing functional bugs, not security problems, which weren't even on its radar before the Internet of Things.

Bugs can also be introduced when a system is upgraded. In one pre-2010 industrial control system, Ahmadi identified hundreds of vulnerabilities that arrived with an update to a new operating system; more than 374 of them were in a single Java runtime bundled with that update.

“As time went on and more systems were getting connected to the outside world, I started noticing the same hockey stick effect in the data for things like routers and medical devices,” explained Ahmadi. “In a way, it’s the moment of truth, as many of these systems were not designed with any security in mind and suddenly they are being thrown into an extraordinarily hostile environment.”

Vulnerabilities aren’t great. But malware attacks can be catastrophic. Wondering whether there might be a correlation between the spike in vulnerabilities and actual cyber attacks, Ahmadi reached out to Kaspersky Lab, which tracks malware incidents, to investigate.

The Kaspersky incident data tracked the vulnerability data remarkably closely. So much so that, as the Industrial Internet grows, Ahmadi likens the situation to an almost perfect storm. “Many of the legacy industrial control systems that were designed years ago are fairly simple—there was almost nothing to consider with regard to security because the system was closed off,” he said. “Now companies are realizing that they need to connect these things to the Internet. In fact, just take a look at the progression of the network. We are all becoming more and more reliant on being connected to the outside world; a device today that isn’t connected is considered to be almost useless.”

Making matters worse, the known-vulnerability count of a shipped system keeps growing even when its software never changes, because new flaws are continually disclosed against the old components it contains. In one router whose oldest software component dated back to 2009, 48 new vulnerabilities were disclosed in the 12 months before the product was released, the product shipped with 400 known critical vulnerabilities, and 289 vulnerabilities were disclosed during its first 12 months of operation.

Some companies may also unwittingly expose their systems to the outside world. “They may think they are only going to keep stuff on an internal network, but somewhere along the line it’s connected to a network that is talking to the outside world, and that network may be compromised.”

While it may sound like all gloom and doom, Ahmadi is optimistic that industry can and will get on top of cybersecurity—so long as the approach shifts from being purely reactive to getting ahead of the security issues.

He is a strong advocate of the proposed Supply Chain Cybersecurity Act, which would require software companies to provide a bill of materials listing each binary component used in the software, firmware or product, to demonstrate that those component versions have no known vulnerabilities, and to provide secure update mechanisms.
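As an added example (not code from the article, from Ahmadi, or from Synopsys), the following Python sketch performs the two checks the preceding passages describe: matching a bill of materials against a feed of known vulnerabilities to decide whether the shipped component versions are clean, and counting how that same, unchanged BOM accumulates known vulnerabilities with calendar time, the pattern seen in the router above. Every component name, version, advisory ID, severity, disclosure date and the release date is constructed for the example and refers to no real product or CVE; the `[introduced, fixed_in)` version-range matching is a simplified stand-in for how real vulnerability databases express affected versions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# All component names, versions, advisory IDs, dates and severities below are
# constructed for this example; they do not describe real products or real CVEs.

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    introduced: str            # first affected version, inclusive
    fixed_in: Optional[str]    # first fixed version, exclusive; None means no fix exists
    disclosed: date            # date the advisory became public
    severity: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only ('1.6.20'); letter suffixes are out of scope here."""
    return tuple(int(p) for p in v.split("."))


def is_affected(comp: Component, adv: Advisory) -> bool:
    """True when the component's version falls in [introduced, fixed_in)."""
    if comp.name != adv.component:
        return False
    v = parse_version(comp.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed_in is None or v < parse_version(adv.fixed_in)


def known_vulns(sbom: List[Component], advisories: List[Advisory],
                as_of: date) -> Dict[str, List[str]]:
    """Advisories affecting each SBOM entry that were already public on `as_of`."""
    return {c.name: [a.advisory_id for a in advisories
                     if a.disclosed <= as_of and is_affected(c, a)]
            for c in sbom}


def disclosed_between(sbom: List[Component], advisories: List[Advisory],
                      start: date, end: date) -> int:
    """Number of advisories affecting the SBOM that went public in (start, end]."""
    return sum(1 for c in sbom for a in advisories
               if start < a.disclosed <= end and is_affected(c, a))


def blocking_findings(sbom: List[Component], advisories: List[Advisory],
                      as_of: date, min_severity: str = "high") -> List[Tuple[str, str]]:
    """(component, advisory) pairs at or above `min_severity` known on `as_of`.
    An empty list is the evidence behind a 'no known vulnerabilities' claim."""
    threshold = SEVERITY_RANK[min_severity]
    return [(c.name, a.advisory_id) for c in sbom for a in advisories
            if a.disclosed <= as_of and is_affected(c, a)
            and SEVERITY_RANK[a.severity] >= threshold]


# Constructed SBOM for a hypothetical device, plus a constructed advisory feed.
SBOM = [
    Component("demo-runtime", "1.6.20"),
    Component("demo-webserver", "2.2.14"),
    Component("demo-compress", "1.2.3"),
]
ADVISORIES = [
    Advisory("ADV-0001", "demo-runtime", "1.6.0", "1.6.21", date(2010, 3, 30), "critical"),
    Advisory("ADV-0002", "demo-runtime", "1.6.0", "1.7.0", date(2013, 6, 18), "high"),
    Advisory("ADV-0003", "demo-webserver", "2.2.0", "2.2.15", date(2010, 3, 5), "medium"),
    Advisory("ADV-0004", "demo-webserver", "2.2.0", "2.2.22", date(2012, 1, 31), "critical"),
    Advisory("ADV-0005", "demo-compress", "1.2.0", "1.2.4", date(2011, 4, 2), "high"),
    Advisory("ADV-0006", "demo-compress", "1.2.4", "1.2.8", date(2012, 5, 1), "high"),
    Advisory("ADV-0007", "demo-runtime", "1.6.0", None, date(2014, 9, 9), "critical"),
]
RELEASE = date(2010, 9, 1)      # hypothetical ship date of the device
LATER = date(2014, 12, 31)      # a re-check years later, software unchanged
YEAR = timedelta(days=365)

# The same SBOM after the one fix a release gate at RELEASE would have demanded.
REMEDIATED = [Component("demo-runtime", "1.6.21")] + SBOM[1:]

if __name__ == "__main__":
    print("known at release:", known_vulns(SBOM, ADVISORIES, RELEASE))
    print("disclosed in the 12 months before release:",
          disclosed_between(SBOM, ADVISORIES, RELEASE - YEAR, RELEASE))
    print("disclosed in the first 12 months of operation:",
          disclosed_between(SBOM, ADVISORIES, RELEASE, RELEASE + YEAR))
    print("known by end of 2014, software unchanged:", known_vulns(SBOM, ADVISORIES, LATER))
    print("release gate, as shipped:", blocking_findings(SBOM, ADVISORIES, RELEASE))
    print("release gate, remediated:", blocking_findings(REMEDIATED, ADVISORIES, RELEASE))
    print("remediated build re-checked later:", blocking_findings(REMEDIATED, ADVISORIES, LATER))
```

The point of the `LATER` re-check is that a BOM that passes the gate on its ship date still fails it a few years on: the remediated build is clean at `RELEASE` but carries four high-or-critical findings by `LATER` although none of its components changed, which is why the check has to be re-run against a current feed for as long as the product is fielded, not once at release.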

For end users, he recommends a set of minimum required practices:

  • Check for security patches and apply within 30 days

  • Replace factory default settings

  • Re-assess risk yearly and apply changes

  • Require third parties to protect information with safeguards at least as good as your own, and audit them to ensure they continuously satisfy those standards

Further, Synopsys is collaborating with UL LLC on a new Cybersecurity Assurance Program to develop and perform security testing on network connected devices, beginning with industrial automation equipment and services and medical devices.  

About the Author(s)

Karen Field

Karen Field is Executive Director, Content for Penton’s new Internet of Things Initiative and IoT Emerge event. She has 25+ years experience developing content for an audience of technical and business professionals and a reputation for challenging conventional thinking and taking a novel approach in the creation of world class editorial and conference programming.

Most recently she launched the Internet of Things Summit at the Embedded Systems Conference and has covered the emerging issues associated with the Internet of Things extensively for EE Times, EDN, and Embedded.com.

Karen has a mechanical engineering degree and a master’s of business degree from the University of Minnesota and Boston University.
