Software security expert Mike Ahmadi first noticed the spike in industrial control system vulnerabilities three years ago, while looking at the CVE (Common Vulnerabilities and Exposures) records in NIST's National Vulnerability Database.
Software code bugs are responsible for these vulnerabilities, which expose systems to the potential for malicious attacks.
Ahmadi, Director of Critical Systems Security in the Software Integrity Group at Synopsys Inc., speculated that the increase might partly be the result of the enormous frenzy surrounding cybersecurity. Given the increase in people actively looking for vulnerabilities, it seemed only reasonable to assume that more bugs—many of which, in fact, may have always been in the code—would be discovered.
These bugs exist because the software industry has traditionally focused on fixing functional bugs, not security problems, which weren't even on its radar before the Internet of Things.
Bugs can also be introduced when a system is upgraded. In one pre-2010 industrial control system, Ahmadi identified literally hundreds of vulnerabilities that resulted from an update to a new operating system; more than 374 of them were in a single Java runtime.
“As time went on and more systems were getting connected to the outside world, I started noticing the same hockey stick effect in the data for things like routers and medical devices,” explained Ahmadi. “In a way, it’s the moment of truth, as many of these systems were not designed with any security in mind and suddenly they are being thrown into an extraordinarily hostile environment.”
Vulnerabilities aren’t great. But malware attacks can be catastrophic. Wondering whether there might be a correlation between the spike in vulnerabilities and actual cyber attacks, Ahmadi reached out to Kaspersky Lab, which tracks malware incidents, to investigate.
The data proved remarkably similar. So much so that, as the Industrial Internet grows, Ahmadi likens the situation to an almost perfect storm. “Many of the legacy industrial control systems that were designed years ago are fairly simple—there was almost nothing to consider with regard to security because the system was closed off,” he said. “Now companies are realizing that they need to connect these things to the Internet. In fact, just take a look at the progression of the network. We are all becoming more and more reliant on being connected to the outside world; a device today that isn’t connected is considered to be almost useless.”
Making matters worse, aging systems tend to accumulate known vulnerabilities over time, because the third-party components they are built from keep getting new disclosures after they are frozen into a product. In the case of one router whose oldest software component dated back to 2009, 48 new vulnerabilities in its components were disclosed in the 12 months before the product’s release, a further 289 in its first 12 months of operation, and the product shipped with 400 critical vulnerabilities.
Worse, some companies may even unwittingly expose their systems to the outside world. “They may think they are only going to keep stuff on an internal network, but somewhere along the line it’s connected to a network that is talking to the outside world, and that network may be compromised.”
While it may sound like all gloom and doom, Ahmadi is optimistic that industry can and will get on top of cybersecurity—so long as the approach shifts from being purely reactive to getting ahead of the security issues.
He is a strong advocate of the proposed Supply Chain Cybersecurity Act, which would require software companies to share a bill of materials listing each binary component used in the software, firmware or product, to demonstrate that those component versions have no known vulnerabilities, and to provide secure update mechanisms.
For end users, he recommends a set of minimum required practices:
- Check for security patches and apply within 30 days
- Replace factory default settings
- Reassess risk yearly and apply changes
- Require third parties to protect information with safeguards at least as good as your own, and audit them to ensure they continuously meet those standards
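The two ideas above that lend themselves to automation are the bill of materials (knowing which binary component versions are in a product, and whether any of them has a known vulnerability) and the 30-day patch window. The following Python script is an added example, not code from the article, from Synopsys or from UL: it matches a constructed SBOM against a constructed advisory list and flags components whose fix has been public for longer than the window. All component names, versions, advisory identifiers (the `EX-…` strings are not real CVE IDs) and dates are invented for illustration, and the matching rule (a component is affected when its version is strictly below the advisory's `fixed_in`) is an assumption made to keep the example small.

```python
"""Match a software bill of materials (SBOM) against a known-vulnerability list.

Added example, not from the article or from Synopsys/UL tooling. Every name,
version, identifier and date below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically.

    Comparing as strings gets this wrong: '1.2.11' < '1.2.9' is True as text,
    which would produce a false positive for an already-fixed component.
    """
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    component: str
    vuln_id: str      # constructed identifier, deliberately not a CVE ID
    fixed_in: str     # assumption: every version strictly below this is affected
    published: date   # date the fix became public


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory: Advisory
    days_unpatched: int   # days since publication, as of the report date


# Constructed SBOM for a hypothetical firmware image built from third-party binaries.
SBOM: List[Component] = [
    Component("libssl", "1.0.1"),
    Component("busybox", "1.20.2"),
    Component("zlib", "1.2.11"),
    Component("jre", "1.6.0"),
]

# Constructed advisory feed (fictional identifiers, versions and dates).
ADVISORIES: List[Advisory] = [
    Advisory("libssl", "EX-2014-0001", "1.0.2", date(2014, 4, 7)),
    Advisory("busybox", "EX-2017-0002", "1.23.0", date(2017, 1, 1)),
    Advisory("zlib", "EX-2016-0003", "1.2.9", date(2016, 12, 31)),
    Advisory("jre", "EX-2013-0004", "1.7.0", date(2013, 3, 4)),
]

PATCH_WINDOW_DAYS = 30  # the 30-day window from the recommended practices above


def affected(component: Component, advisory: Advisory) -> bool:
    """True when the names match and the shipped version predates the fix."""
    return (component.name == advisory.component
            and parse_version(component.version) < parse_version(advisory.fixed_in))


def scan(sbom: List[Component], advisories: List[Advisory], as_of: date) -> List[Finding]:
    """Cross every SBOM entry with every advisory and keep the matches."""
    return [
        Finding(comp, adv, (as_of - adv.published).days)
        for comp in sbom
        for adv in advisories
        if affected(comp, adv)
    ]


def overdue(findings: List[Finding], window_days: int = PATCH_WINDOW_DAYS) -> List[Finding]:
    """Findings whose fix has been public for longer than the patch window."""
    return [f for f in findings if f.days_unpatched > window_days]


def report(findings: List[Finding], window_days: int = PATCH_WINDOW_DAYS) -> List[str]:
    """One human-readable line per finding, marking the ones past the window."""
    lines = []
    for f in findings:
        status = "OVERDUE" if f.days_unpatched > window_days else "within window"
        lines.append(f"{f.component.name} {f.component.version}: {f.advisory.vuln_id} "
                     f"fixed in {f.advisory.fixed_in}, public {f.days_unpatched} days ({status})")
    return lines


if __name__ == "__main__":
    found = scan(SBOM, ADVISORIES, as_of=date(2017, 1, 15))
    print("\n".join(report(found)))
```

Run as written, the scan reports libssl, busybox and jre but not zlib, because 1.2.11 is numerically newer than the 1.2.9 fix even though it sorts lower as a string; libssl and jre are past the 30-day window, while the busybox fix is 14 days old and still inside it. A production version would read a real SBOM format and a real advisory feed, and would need to handle vendor version schemes that are not plain dotted integers.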
Further, Synopsys is collaborating with UL LLC on a new Cybersecurity Assurance Program to develop and perform security testing on network-connected devices, beginning with industrial automation equipment and services and medical devices.