A new report shows that internet of things (IoT) implementations and industrial control systems (ICS) are more vulnerable than most to potential zero-day exploits of the open-source protocols, common file formats and APIs they rely on. The report, prepared by vulnerability testing firm Synopsys Inc., is based on 4.8 billion fuzz tests conducted on the company’s customers throughout 2016. It focuses on six key vertical areas: automotive, financial services, government, health care, ICS and IoT.
Fuzz testing is a method of testing code for flaws and security vulnerabilities that involves throwing large amounts of malformed, random data at the system being tested. To rank the vulnerability of different protocols, Synopsys measured the time between the start of fuzz testing and the moment a protocol crash was recorded, along with how many crashes occurred over longer periods of time. Newer, less mature or proprietary protocols proved to be the most vulnerable. In some cases, time to failure was measured in minutes or even seconds.
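The measurement described above, as an added example that is not taken from the Synopsys report or its tooling: a small in-process mutational fuzzer that records time to first failure and the failure count for a parser. The toy frame format, the two parser functions and the seed frame are constructed for illustration, and a length-checking parser is run alongside the weak one for comparison.

```python
import random
import time

class FrameError(ValueError):
    """Clean rejection of a malformed frame; not counted as a failure."""

def parse_weak(data):
    # Constructed toy format: [unit id][length][payload]. Trusts the length byte.
    length = data[1]  # IndexError when the header is cut short
    return bytes(data[2 + i] for i in range(length))  # IndexError when length lies

def parse_hardened(data):
    if len(data) < 2:
        raise FrameError("short header")
    if len(data) - 2 != data[1]:
        raise FrameError("length field does not match payload")
    return data[2:]

def mutate(seed, rng):
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(3)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)  # overwrite a byte
        elif op == 1 and buf:
            del buf[rng.randrange(len(buf)):]  # truncate the frame
        else:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))  # insert
    return bytes(buf)

def fuzz(parser, seed, iterations, rng_seed=1):
    rng = random.Random(rng_seed)  # fixed seed so a run is reproducible
    start = time.perf_counter()
    result = {"first_failure_case": None, "first_failure_seconds": None, "failures": 0}
    for n in range(1, iterations + 1):
        try:
            parser(mutate(seed, rng))
        except FrameError:
            continue  # input rejected cleanly
        except Exception:  # any other exception stands in for a crash
            result["failures"] += 1
            if result["first_failure_case"] is None:
                result["first_failure_case"] = n
                result["first_failure_seconds"] = time.perf_counter() - start
    return result

SEED_FRAME = bytes([0x01, 0x04]) + b"\xde\xad\xbe\xef"  # constructed valid frame
if __name__ == "__main__":
    for parser in (parse_weak, parse_hardened):
        print(parser.__name__, fuzz(parser, SEED_FRAME, 2000))
```

A parser that validates the length field rejects every mutated frame cleanly, so its time to first failure stays unset for the whole run.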
Industrial control systems are the most vulnerable of the six areas covered by the report. To a great degree that’s driven by the fact that ICS uses a lot of proprietary or ICS-specific protocols, some of which may not have been tested thoroughly enough. Three of the most vulnerable protocols are IEC-61850 MMS, IEC-104 SERVER and MODBUS PLC. The ICS protocol IEC-61850 MMS failed in just 6.6 seconds.
IoT is the next most vulnerable area. It mixes older, better-tested core IP protocols with newer niche categories such as wireless and ICS. The three most vulnerable protocols for IoT are CoAP Server (failed in 8.5 seconds), CIP and OPC UA.
It’s important for enterprises to prioritize security in their zeal to build IoT solutions. Synopsys found that, in some cases, security vulnerabilities stemmed from an incomplete or improper implementation of protocols or from unpatched code.
“The applicability of IoT across all vertical markets and within enterprises of all shapes and sizes has brought us to an important inflection point,” said Brad Shimmin, service director for IT Technology and Software at GlobalData. “Thanks to ubiquitous and readily accessible APIs, development frameworks and even pre-built but extensible apps, virtually anyone can stand up an IoT deployment with very little experience in the way of application development practices. This will undoubtedly reveal the many dangers inherent in building highly distributed systems—dangers affecting both data and logic.”
Some interesting data from the report: The overall average time to first failure of a protocol was 1.4 hours. When the time to first failure is measured in seconds instead of hours, it indicates a higher potential for criminal exploitation. The most vulnerable protocol tested was the previously mentioned IEC-61850 MMS; the least exploitable was the TLS client, which had an average time to first failure of 9 hours.
Of the vertical areas the report classifies, the two least risky sets of protocols are the ones used by government and financial services. Synopsys attributes this to the greater maturity of the categories of protocols used by these industries. They had fewer overall failures and longer test times to their first failure. It would take black hats a lot longer to find a failure in them through fuzzing.