Focus on the HMI: Trend Micro Report Reveals Extent of Preventable SCADA Bugs

by Simon Edwards

With all the hype surrounding WannaCry over the past week, it’s easy to forget that organisations are facing a far broader range of threats than ransomware. Targeted attacks on critical infrastructure, particularly SCADA systems, have been on the radar since Stuxnet, but as the attacks on the Ukrainian power grid have shown, they’re still a major cause for concern.

That’s why Trend Micro compiled its latest report, Hacker Machine Interface, focusing specifically on the Human Machine Interface (HMI) displays present in most SCADA set-ups. Unfortunately, we found that a lot more needs to be done to architect more secure systems and to ensure patches are produced and applied swiftly.

Preventable bugs
The HMI is the primary means by which an industrial system operator controls their SCADA system. As a result, it must be considered a major target for hackers – whether they’re looking to carry out recon work, steal data, or even sabotage equipment. In an ideal world the HMI would therefore be air-gapped or isolated on a trusted network. However, as is the case with so much in IT, things are rarely implemented as they should be.

So what are the major vulnerabilities affecting these systems? We studied all the publicly disclosed flaws in SCADA software since fixed, from 2015 and 2016, including 250 acquired through the TippingPoint ZDI program. On the plus side, most of the ones we found are preventable through more secure development practices. They include:

Memory corruption: representing 20% of the bugs studied, linked to stack- and heap-based buffer overflows and out-of-bounds read/write vulnerabilities.

Credential management (19%): these bugs include hard-coded passwords, storing passwords in a recoverable format (e.g. clear text), and insufficiently protecting credentials.

Authentication issues (12%): included insecure defaults, clear-text transmission of sensitive information, missing encryption, and unsafe ActiveX controls marked safe for scripting.

Code injection (9%): included common injection types – SQL, command, OS, code – and SCADA specific versions.

Room for improvement
There are several things highlighted in the report that need to improve. For one, the average time taken between bug disclosure and patch release is 150 days – about a month longer than it would take vendors of popular software like Microsoft and Adobe to release updates. Closing this window of exposure would help improve security across the board, as long as customers patch promptly.

The second major takeaway is for manufacturers of these HMI systems: most of the bugs we analysed were preventable. This means that by adopting the secure lifecycle practices many OS and app developers have gravitated towards in recent years, HMI developers can make their products significantly more resilient. Even something as basic as auditing for the use of banned APIs would go a long way to improving security.

When it comes to SCADA installations there’s always the risk that cyber attacks could have a real-world impact, even potentially causing loss of life. That’s why we must get better at locking down risk so that the Human Machine Interface doesn’t become the Hacker Machine Interface.

To find out more, arrange a meeting with us or just drop by our stand D25 at Infosecurity Europe, 6th-8th June, Olympia, London.



Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.