
Page 1: (slides: ritics.org/wp-content/uploads/2019/10/Richard-Thomas.pdf)

ICS Vulnerabilities happen… what lessons can we learn? Dr Richard J. Thomas ([email protected]), University of Birmingham

Page 2:

The Challenge:

Provide guidance to the supply chain to get things right. What do you target? How confident are you in your reasoning?

How can you assure this has been done correctly? Automated tools? Manual firmware analysis? Fuzzing?

Page 3:

Disparate Data Sources – what is available?

ICS-CERT Advisories: ICS vulnerabilities from 2011; provide some common insight into vulnerabilities

CVE Lists: the "what" for a vulnerability and its severity (CVSS); different sources (NVD and MITRE) for the same CVE

CVEDetails.com (other sites available): vulnerabilities for a specific vendor/product

Key information in different locations

Page 4:

Interlude… accuracy of Vulnerability Reports

32% of ICS CVEs had an incorrect CVSS vector and CVSS score

18% of vendor reports had errors in the CVSS score

24% error for reports where a researcher engaged with the vendor (not CERT)

How do we ensure our analyses are accurate?

Page 5:

Processing data to obtain meaningful analyses

[Pipeline diagram, rendered here as its stages.]

Inputs: US-CERT ICS Advisory List (NOT ICSA)*; MITRE CWE/CVE XML Export; NVD CVE JSON Export

Processing: XML parser (extracts details of each CWE); HTML2Text / Pandoc (MD) to extract CVE and CWE references and context, plus ICSA, vendor and product extraction; parse CVE; manual review

Storage and analysis: Azure SQL Server; Tableau data analysis; manual review

Page 6:

Another challenge: preventing bias

Dataset only covers ICS-CERT, MITRE and NVD; many vendors publish their own security advisories

Some public, some closed to own customers/integrators

Varying levels of detail and formats

Consistency is at risk, with opportunity to introduce bias

Page 7:

We have vulnerabilities – what categories do they fall under?

Most CVEs have an assigned CWE; CWEs define the root cause, e.g. CWE-20: Improper Input Validation, CWE-200: Information Exposure

Not all CWEs are born equal: some are retired and replaced with more granular ones

No single categorisation scheme fits all – SFP Secondaries give us the best opportunity

Page 8:

Key Statistics

1158 ICS Advisories Processed

2363 CVE References Extracted

362 ‘Critical’, 1157 ‘High’

2049 CWE Attributions

7.4 Average CVSS Score

925 CVEs in the CWE Top 25 Most Dangerous Software Errors (2019)

40 with PoCs, 33 not responsibly disclosed, 37 OpenSSL-related

Page 9:

Classifying Vulnerabilities

[Two bar charts; the per-category counts did not survive extraction.]

OWASP Top 10: Injection; Broken Auth; Data Exposure; XXE; Broken Access Control; Security Misconfig; XSS; Insecure Deserialisation; Using Components with Known Vulnerabilities; Insufficient Logging and Monitoring

CWE Top 25 (2019): CWE-20, CWE-79, CWE-287, CWE-119, CWE-22, CWE-400, CWE-89, CWE-352, CWE-798, CWE-200, CWE-125, CWE-269, CWE-94, CWE-434, CWE-78, CWE-787, CWE-611, CWE-476, CWE-416, CWE-190, CWE-295, CWE-732, CWE-502, CWE-426

Page 10:

Clustering Threats over the Years

[Cluster chart for the years 2012 to 2019; the chart itself did not survive extraction.]

Page 11:

Taking inspiration from Infographics

Page 12:

Current Vulnerability Trends

Page 13:

A TfL-style Map of ICS Vulnerabilities (80% coverage, 1643 CVEs)

[Map rendered as a list: each primary cluster with its total, followed by its secondary clusters; every total reconciles exactly with its secondary counts.]

Access Control (92): Insecure Resource Access (17), Insecure Resource Permissions (15), Access Management (60)

Authentication (213): Authentication Bypass (102), Digital Certificate (1), Faulty Endpoint Authentication (9), Hardcoded Sensitive Data (44), Insecure Authentication Policy (12), Missing Authentication (29), Missing Endpoint Authentication (5), Unrestricted Authentication (11)

Channel Weaknesses (23): Channel Attack (22), Protocol Error (1)

Cryptography (23): Broken Cryptography (2), Weak Cryptography (21)

Exception Management (18): Unchecked Status Condition (14), Incorrect Exception Behaviour (4)

Information Leakage (214): Exposed Data (210), Other Exposures (2), State Disclosure (2)

Memory Management and Access (355): Faulty Memory Release (6), Faulty Buffer Access (336), Faulty Pointer Use (12), Incorrect Buffer Length Computation (1)

Other (34): Implementation (5), Architecture (23), Design (6)

Path Resolution (97): Path Traversal (97)

Resource Management (83): Failure to release resource (12), Faulty Resource Use (12), Life Cycle (1), Unrestricted Consumption (58)

Synchronisation (4): Race Condition Window (3), Unrestricted Lock (1)

Tainted Input (473): Tainted Input to Command (227), Tainted Input to Environment (67), Faulty Import Transformation (1), Incorrect Input Handling (3), Tainted Input to Variable (175)

UI (2): UI Security (2)

Risky Values (8): Glitch in Computation (8)

API (2): Use of Improper API (2)

Entry Points (2): Unexpected Entry Points (2)

Total: 1643

What is Zone 1?

Are these ‘termini’ suitable?

80% coverage – where are the other 450 CVEs?

Page 14:

A TfL-style Map of ICS Vulnerabilities (100% coverage, 2049 CVEs)

[Map rendered as a list: each primary cluster with its total, followed by its secondary clusters. The clusters added since the 80% map are placed under the primary cluster whose total they reconcile to; every total reconciles exactly.]

Access Control (165): Insecure Resource Access (26), Insecure Resource Permissions (15), Access Management (60), Improper Privilege Management (31), Permissions, Privileges and Access Controls (33)

Authentication (307): Authentication Bypass (124), Digital Certificate (6), Faulty Endpoint Authentication (9), Hardcoded Credentials (50), Hardcoded Sensitive Data (44), Insecure Authentication Policy (13), Missing Authentication (32), Missing Endpoint Authentication (5), Unrestricted Authentication (13), Session Fixation (6), Use of Password Hash instead of Password (2), Execution with Unnecessary Privileges (3)

Channel Weaknesses (92): Channel Attack (36), Protocol Error (1), CSRF (51), SSRF (2), Improper Restriction of Channel to Intended Endpoints (2)

Cryptography (54): Broken Cryptography (2), Weak Cryptography (21), Cryptographic Issues (13), Use of Password Hash with Insufficient Computational Effort (7), Key Management Errors (7), Use of Weak PRNG (4)

Exception Management (23): Unchecked Status Condition (14), Incorrect Exception Behaviour (7), Error Conditions, Return Values and Status Codes (2)

Information Leakage (231): Exposed Data (212), Predictable Value Range from Previous Values (6), State Disclosure (4), Other Exposures (5), Insecure Storage of Sensitive Information (4)

Memory Management and Access (393): Faulty Memory Release (6), Faulty Buffer Access (338), Faulty Pointer Use (16), Incorrect Buffer Length Computation (1), Out of Bounds Write (17), Untrusted Pointer Dereference (10), Integer Overflow to Buffer Overflow (3), Access of Memory Location After End of Buffer (2)

Other (42): Implementation (9), Architecture (23), Design (6), Hidden Functionality (4)

Path Resolution (97): Path Traversal (97)

Resource Management (100): Failure to release resource (12), Faulty Resource Use (12), Life Cycle (1), Unrestricted Consumption (58), Resource Management Issues (12), OWASP A9: Denial of Service (3), Improper Restriction of Power Consumption (2)

Synchronisation (4): Race Condition Window (3), Unrestricted Lock (1)

Tainted Input (509): Tainted Input to Command (227), Tainted Input to Environment (67), Faulty Import Transformation (1), Incorrect Input/Output Handling (12), Tainted Input to Variable (175), Unrestricted Upload of File with Dangerous Type (20), PHP Remote File Inclusion (4), Untrusted Search Path (2), XML Entity Expansion (1)

UI (2): UI Security (2)

Risky Values (26): Glitch in Computation (8), Insufficient Entropy (10), Use of Insufficiently Random Values (8)

API (2): Use of Improper API (2)

Entry Points (2): Unexpected Entry Points (2)

Total: 2049 (100% coverage)

How severe is a vulnerability?

What is the environmental impact?

Page 15:

We know what might be on the horizon… How do we detect/test for these issues?

Use of Automated Tooling

Combination of Commercial/Open Source Tooling

Fuzzing of Inputs, App Analysis, Firmware Analysis

Page 16:

Next steps…

Defining a framework to compare tooling

Adding new dimensions for analysis – severity, theme and additional context (e.g. patched)

Publishing first set of guidance for feedback

Page 17:

ICS Vulnerabilities happen… what lessons can we learn? Dr Richard J. Thomas ([email protected]), University of Birmingham