Last week I had a conversation in which I was asked why I believe that the number of vulnerabilities being found in SCADA and ICS products is dramatically increasing. The conversation was a healthy one, but I wasn’t able to convince the other participant through anecdotes that they are on the rise.
As we continued to talk, I did a VERY basic search of a few vulnerability databases to see what data they had which could inform the conversation in real time. As I didn’t take the time to search for individual products or product classes, I wasn’t able to present the whole picture while we were talking, but I thought the results of the search were interesting.
The chart below is based on that search and depicts the number of advisories in a variety of public vulnerability databases that simply contain the word “SCADA” as of September 12, 2011. The chart shows the non-cumulative number of advisories published per year for each of the three databases I looked at during my conversation, for a total of 186.
Take it for what it’s worth but I think that this kind of data, as non-scientific as it is, helps paint the picture for whats going on out there in the public disclosure space. There is, of course, an unknown number of vulnerabilities that have not been publicly disclosed as well as much deeper analysis that can be done on what is publicly disclosed.
Instead of using generic terms to answer a generic question like I did, asset owners can use specific searches for products they have deployed and get a baseline for what vulnerabilities are definitely publicly known in the components that make up their control system infrastructure.