I designed a simple test to check the security posture of 13 big ICS vendors regarding the communication security protection of their support web sites (that is where the firmware upgrades are hosted nowadays).
The major ICS vendors I tested were:
- Siemens
- Schneider Electric
- Honeywell
- Rockwell Automation
- Yokogawa
- Moxa
- OSIsoft
- Phoenix Contact
- Advantech
- SEL
- ABB
- CODESYS
- MatrikonOPC
To make these checks, I used a simple but powerful tool called testssl.sh (which, BTW, I recommend to you). This tool is capable of testing, among other things, the following SSL vulnerabilities:
- Heartbleed (CVE-2014-0160)
- CCS (CVE-2014-0224)
- Secure Renegotiation (CVE-2009-3555)
- Secure Client-Initiated Renegotiation
- CRIME, TLS (CVE-2012-4929)
- BREACH (CVE-2013-3587)
- POODLE, SSL (CVE-2014-3566)
- TLS_FALLBACK_SCSV (RFC 7507)
- FREAK (CVE-2015-0204)
- DROWN (CVE-2016-0800, CVE-2016-0703)
- LOGJAM (CVE-2015-4000)
- BEAST (CVE-2011-3389)
- RC4 (CVE-2013-2566, CVE-2015-2808)
When using the tool against an SSL-protected website, you get "Vulnerable", "Probably" or "Not Vulnerable" results for each check, which I map to the values 2, 1 and 0. That way, the more vulnerabilities the tool finds on a vendor's SSL support web page, the higher the risk I associate with that vendor.
These are the results for vulnerabilities:
The second finding is that the big ICS vendors were very similar in terms of vulnerabilities, apart from ABB, which scores much better with only one vulnerability marked as probably fixed. Honeywell, on the other hand, shows the most potential problems to fix.
With these values in mind, I established another criterion to build a Heat Map (I love Heat Maps).
It seems logical that this kind of risk is directly proportional to the use of the support site, so I searched for the Alexa Rank of those ICS support pages, and these are the values I found that day:
The lower the rank, the more accesses...
Normalizing the values from 1 to 5, I got the following Heat Map:
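The scoring and normalization described above, written out as an added example that is not the post's own code. The verdict-to-score mapping (Vulnerable=2, Probably=1, Not Vulnerable=0, summed per vendor) is the one the post states; the min-max rescaling to 1..5, the inversion of the Alexa rank so that a lower rank means higher exposure, and the product used to combine the two axes into a cell value are my assumptions, since the post does not spell them out. All vendor names, verdicts and ranks in the block are constructed sample data, not the post's measurements.

```python
"""Vendor risk heat map from testssl.sh verdicts (added example, not from the post).

Scoring scheme from the post: Vulnerable=2, Probably=1, Not Vulnerable=0, summed
per vendor. The 1..5 min-max rescaling, the inverted Alexa-rank axis and the
product used to combine both axes are assumptions. Vendor names, verdicts and
ranks below are CONSTRUCTED sample data.
"""
from typing import Dict, Mapping

VERDICT_SCORE = {"Vulnerable": 2, "Probably": 1, "Not Vulnerable": 0}

# Constructed per-vendor verdicts; keys are testssl.sh check names.
SAMPLE_VERDICTS: Dict[str, Dict[str, str]] = {
    "VendorA": {"Heartbleed": "Not Vulnerable", "CCS": "Not Vulnerable",
                "POODLE": "Vulnerable", "RC4": "Vulnerable", "BEAST": "Probably"},
    "VendorB": {"Heartbleed": "Not Vulnerable", "POODLE": "Not Vulnerable",
                "RC4": "Probably", "BEAST": "Not Vulnerable"},
    "VendorC": {"POODLE": "Vulnerable", "RC4": "Vulnerable", "BEAST": "Vulnerable",
                "LOGJAM": "Vulnerable", "FREAK": "Probably"},
}

# Constructed Alexa ranks (lower rank = more traffic to the support site).
SAMPLE_ALEXA_RANK: Dict[str, int] = {"VendorA": 10_000, "VendorB": 90_000, "VendorC": 30_000}


def vendor_score(verdicts: Mapping[str, str]) -> int:
    """Sum the per-check scores; reject verdict strings the scheme does not define."""
    total = 0
    for check, verdict in verdicts.items():
        if verdict not in VERDICT_SCORE:
            raise ValueError(f"unknown testssl.sh verdict {verdict!r} for {check}")
        total += VERDICT_SCORE[verdict]
    return total


def rescale_1_to_5(values: Mapping[str, float], higher_is_worse: bool = True) -> Dict[str, float]:
    """Min-max rescale to the 1..5 range used by the heat map.

    With higher_is_worse=False (Alexa rank) the smallest input maps to 5, so
    both axes read "bigger = riskier". If all inputs are equal there is no
    spread to rescale, so every entry gets the floor value 1.0 (assumption).
    """
    lo, hi = min(values.values()), max(values.values())
    if hi == lo:
        return {k: 1.0 for k in values}
    out: Dict[str, float] = {}
    for k, v in values.items():
        frac = (v - lo) / (hi - lo)
        if not higher_is_worse:
            frac = 1.0 - frac
        out[k] = 1.0 + 4.0 * frac
    return out


def build_heat_map(verdicts: Mapping[str, Mapping[str, str]],
                   alexa_rank: Mapping[str, int]) -> Dict[str, Dict[str, float]]:
    """Per vendor: raw score, both 1..5 axes, and their product as the cell value."""
    scores = {v: vendor_score(r) for v, r in verdicts.items()}
    vuln_axis = rescale_1_to_5(scores)
    exposure_axis = rescale_1_to_5({v: alexa_rank[v] for v in verdicts},
                                   higher_is_worse=False)
    return {
        v: {"score": scores[v], "vuln": vuln_axis[v],
            "exposure": exposure_axis[v], "risk": vuln_axis[v] * exposure_axis[v]}
        for v in verdicts
    }


def render(heat_map: Mapping[str, Mapping[str, float]]) -> str:
    """Plain-text table, worst cell first, for a quick look without a plotting library."""
    rows = ["vendor    score  vuln  exposure  risk"]
    for v, cell in sorted(heat_map.items(), key=lambda kv: -kv[1]["risk"]):
        rows.append(f"{v:<9} {cell['score']:>5}  {cell['vuln']:>4.1f}  "
                    f"{cell['exposure']:>8.1f}  {cell['risk']:>4.1f}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(build_heat_map(SAMPLE_VERDICTS, SAMPLE_ALEXA_RANK)))
```

To feed real data instead of the constructed sample, run testssl.sh with `-U` (vulnerability checks only) against each support host and transcribe each check's verdict into the per-vendor dictionary; the rest of the pipeline is unchanged.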
Stay tuned for the next revision.