DevOps.com


Synopsys: IoT, ICS More Vulnerable to Security Exploits

By: Scot Finnie on August 21, 2017

A new report shows that internet of things (IoT) implementations and industrial control systems (ICS) are more vulnerable than most to potential zero-day exploits of the open-source protocols, common file formats and APIs they rely on. The report, prepared by vulnerability-testing firm Synopsys Inc., is based on 4.8 billion fuzz tests conducted on the company’s customers throughout 2016. It focuses on six key vertical areas: automotive, financial services, government, health care, ICS and IoT.


Fuzz testing is a method of testing code for flaws and security vulnerabilities that involves throwing large amounts of malformed, random data at the system being tested. To rank the vulnerability of different protocols, Synopsys measured the time between the start of fuzz testing and the first recorded protocol crash, along with how many crashes occurred over longer periods of time. Newer, less mature or proprietary protocols proved to be the most vulnerable. In some cases, time to failure was measured in minutes or even seconds.
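The two measurements described above, shown as an added example (not code from Synopsys or the report): a seeded mutation fuzzer is run against two constructed toy parsers for a hypothetical length-prefixed message format, recording cases and seconds to first failure and the total failure count. The parsers, the message format and all function names are assumptions made for the illustration.

```python
import random
import struct
import time

def lax_parse(msg: bytes) -> bytes:
    """Constructed toy parser: trusts the 2-byte length field (the flaw)."""
    (length,) = struct.unpack(">H", msg[:2])
    body = msg[2:]
    return bytes([body[i] for i in range(length)])  # unhandled error if length lies

def strict_parse(msg: bytes) -> bytes:
    """Same constructed format, but header and length are validated first."""
    if len(msg) < 2:
        raise ValueError("short header")
    (length,) = struct.unpack(">H", msg[:2])
    if length != len(msg) - 2:
        raise ValueError("length mismatch")
    return msg[2:]

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Overwrite 1-3 random bytes of a valid message; truncate 10% of the time."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        data[rng.randrange(len(data))] = rng.randrange(256)
    if rng.random() < 0.1:
        data = data[: rng.randrange(len(data) + 1)]
    return bytes(data)

def fuzz(parser, seed: bytes, cases: int = 5000, rng_seed: int = 1):
    """Return (cases_to_first_failure, seconds_to_first_failure, total_failures).
    ValueError is a clean rejection; any other exception counts as a failure."""
    rng = random.Random(rng_seed)
    first_case = first_secs = None
    failures = 0
    start = time.perf_counter()
    for n in range(1, cases + 1):
        try:
            parser(mutate(seed, rng))
        except ValueError:
            continue
        except Exception:
            failures += 1
            if first_case is None:
                first_case, first_secs = n, time.perf_counter() - start
    return first_case, first_secs, failures

SEED = struct.pack(">H", 5) + b"hello"  # constructed valid sample message
if __name__ == "__main__":
    for name, parser in (("lax", lax_parse), ("strict", strict_parse)):
        print(name, fuzz(parser, SEED))
```

The parser that validates its input never produces an unhandled failure in the run, while the one that trusts the length field fails within the first handful of cases, which is the gap the time-to-first-failure ranking is designed to expose.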


Industrial control systems are the most vulnerable of the six areas covered by the report. To a great degree, that’s driven by the fact that ICS relies on many proprietary or ICS-specific protocols, some of which may not have been tested thoroughly enough. Three of the most vulnerable protocols are IEC-61850 MMS, IEC-104 SERVER and MODBUS PLC. The ICS protocol IEC-61850 MMS failed in just 6.6 seconds.

IoT is the next most vulnerable system. It mixes older, better-tested core IP protocols with newer niche categories such as wireless and ICS. The three most vulnerable protocols for IoT are CoAP Server (failed in 8.5 seconds), CIP and OPC UA.

It’s important for enterprises to prioritize security in their zeal to build IoT solutions. In some cases, Synopsys revealed that security vulnerabilities stemmed from an incomplete or improper implementation of protocols or unpatched code.

“The applicability of IoT across all vertical markets and within enterprises of all shapes and sizes has brought us to an important inflection point,” said Brad Shimmin, service director for IT Technology and Software at GlobalData. “Thanks to ubiquitous and readily accessible APIs, development frameworks and even pre-built but extensible apps, virtually anyone can stand up an IoT deployment with very little experience in the way of application development practices. This will undoubtedly reveal the many dangers inherent in building highly distributed systems—dangers affecting both data and logic.”

Some interesting data from the report: The overall average time to first failure of a protocol was 1.4 hours. When the time to first failure is measured in seconds instead of hours, it indicates a higher potential for criminal exploitation. The most vulnerable protocol tested was the previously mentioned IEC-61850 MMS; the least exploitable was the TLS client, which had an average time to first failure of 9 hours.

Of the vertical areas the report classifies, the two least risky sets of protocols are the ones used by government and financial services. Synopsys attributes this to the greater maturity of the categories of protocols used by these industries. They had fewer overall failures and longer test times to their first failure. It would take black hats a lot longer to fuzz them into vulnerability.

— Scot Finnie
