Industrial Control System Top 10 Vulnerabilities

The 10 Common Vulnerabilities of the Control Systems – NERC CSSWG

NERC Cyber Infrastructure Protection (CIP), 10 CFR73/54/NEI 08-08, and International Instrument Users’ Association Working-Party on Instrument Behaviour (WIB) Compliance.

U.S. National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23) defines cyberspace as “the interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. Common usage of the term also refers to the virtual environment of information and interactions between people.”

“The security of SCADA systems used in critical energy infrastructure installations throughout the United States relies on a cooperative effort between SCADA product vendors and the owners of critical infrastructure assets. These recommendations can be used by SCADA vendors to deliver and support systems that are able to survive attack without compromising critical functionality, by SCADA integrators to configure their systems securely before they are put into production, and by SCADA owners to perform due diligence in procuring, configuring, securing, and protecting these energy delivery control systems.” Idaho National Laboratory, September 2011.


Industrial Control System Top 10 Vulnerabilities Summary

Vulnerability 1: Inadequate policies and procedures governing control system security
Vulnerability 2: Rely on “security through obscurity”
Vulnerability 3: Untimely implementation of software and firmware patches. Inadequate testing of patches prior to implementation
Vulnerability 4: Use of inappropriate wireless communication. Lack of authentication in the 802.11 series of wireless communication protocols. Use of unsecured wireless communication for control system networks.
Vulnerability 5: Use of nondeterministic communication for command and control such as Internet-based SCADA. Inadequate authentication of control system communication protocol traffic.
Vulnerability 6: Poor password standards and maintenance practices. Limited use of virtual private network (VPN) configurations in control system networks.
Vulnerability 7: Lack of quick and easy tools to detect and report on anomalous or inappropriate activity among the volumes of appropriate control system traffic.
Vulnerability 8: Dual use of critical control system low bandwidth network paths for noncritical traffic or unauthorized traffic.
Vulnerability 9: Lack of appropriate boundary checks in control systems that could lead to “buffer overflow” failures in the control system software itself.
Vulnerability 10: Lack of appropriate change management/change control on control system software and patches.

