Vulnerability Trends | Total Number of Vulnerabilities | Zero-Day Vulnerabilities | Notable Zero-day Attacks | Web Browser Vulnerabilities | Web Browser Plug-in Vulnerabilities | Web Attack Toolkits | SCADA Vulnerabilities
BackgroundThis metric will examine the SCADA (Supervisory Control and Data Acquisition) security threat landscape. SCADA represents a wide range of protocols and technologies for monitoring and managing equipment and machinery in various sectors of critical infrastructure and industry. This includes—but is not limited to—power generation, manufacturing, oil and gas, water treatment, and waste management. Therefore, the security of SCADA technologies and protocols is a concern related to national security because the disruption of related services can result in the failure of infrastructure and potential loss of life—among other consequences.
MethodologyThis discussion is based on data surrounding publicly known vulnerabilities affecting SCADA technologies. The purpose of the metric is to provide insight into the state of security research in relation to SCADA systems. To a lesser degree, this may provide insight into the overall state of SCADA security. Vulnerabilities affecting SCADA systems may present a threat to critical infrastructure that relies on these systems. Due to the potential for disruption of critical services, these vulnerabilities may be associated with politically motivated or state-sponsored attacks. This is a concern for governments and/or enterprises that are involved in the critical infrastructure sector. While this metric provides insight into public SCADA vulnerability disclosures, due to the sensitive nature of vulnerabilities affecting critical infrastructure there is likely private security research conducted by SCADA technology and security vendors. Symantec does not have insight into any private research because the results of such research are not publicly disclosed.
DataThe number of SCADA vulnerabilities rose dramatically in 2011: In 2011, there were 129 public SCADA vulnerabilities, a massive increase over the 15 vulnerabilities in 2010.
CommentaryThe security of SCADA systems has always been an area of concern, but prior to 2010 it was on a more theoretical level. Since the emergence of W32.Stuxnet in 2010 there has been an increased focus on the security of SCADA systems. The security of these systems also gained attention in November 2011 when reports emerged of 2 separate alleged breaches. On November 10, 2011 the Illinois Statewide Terrorism & Intelligence Center (STIC) issued a report stating that the SCADA system at an Illinois water systems had been breached and that resulting action has caused a water pump to burn out. ICS-CERT later issued a report stating that there was no evidence to support these claims16 . On November 18th a hacker who goes by the name pr0f posted a statement to pastebin17 in which he claimed to have accessed the SCADA system used to manage water and sewage systems in South Houston, Texas.
The large increase in SCADA vulnerabilities in 2011 can for the most part be attributed to one security researcher, Luigi Auriemma18, who discovered 93 out of the 129 vulnerabilities published.