2012 SCADA Security Predictions - How Did Eric Byres Do?
Early in 2012 Eric Byres wrote a blog article predicting what he thought would happen in 2012 with regards to SCADA and ICS security. I went back to his blog and highlighted the four main predictions he made. Then I asked him to rate himself on each one.
Prediction 1: No Big Messy Security Events
Laura: You predicted that “there will be no big messy security events in 2012 (No Stuxnet or Slammer)”. Do you feel your prediction was accurate?
Eric: “Unfortunately, I sure got this wrong! I didn’t expect that so many highly sophisticated advanced persistent threats like Flame, Gauss and Duqu would be found. And I certainly didn’t expect that some amateur hackers would develop Shamoon and wipe out 30,000+ computers at Saudi Aramco with it.”
Saudi Aramco’s headquarters complex. This is one of the sites where 30-55,000 workstation hard drives were wiped clean by the Shamoon virus.
“2012 turned out to be worse than I expected, especially if you were running a refinery in the Middle East. Now I worry that we just haven’t found out what is happening in Europe and the Americas. I can’t imagine worms only like computers, SCADA and ICS systems in the Middle East!”
Prediction 2: More than 500 SCADA and ICS Vulnerabilities Disclosed
Laura: You stated that “over 500 vulnerabilities in automation products will be disclosed by freelance ‘researchers’”. Was your predicted figure close to what was actually disclosed this year?
Eric: “Sean McBride, of Critical Intelligence, tells me there are 569 unique ICS specific vulnerabilities reported to ICS-CERT for 2012 as of November 20th. At that rate we’ll top 600 for 2012, which is a 65% increase over 2011. So, I was pretty accurate with this prediction.”
Update from Laura: Sean McBride informed us that Eric had counted wrong. When Eric said that there were 569 new SCADA/ICS vulnerabilities in 2012 this turned out to be the cumulative total since 2001. Only 248 new vulnerabilities were announced in 2012. So Eric's prediction that there would be 500 new vulnerabilities in 2012, was wrong.
Prediction 3: Half of all Disclosures would Include Attack Code
Laura: You estimated that “half of the disclosures will include sample attack code”. Was this true for 2012?
Eric: “I don’t have any stats on this. So I don’t know how I did. We will probably know at S4 in January. But I will guess that with people like Luigi Auriemma now selling exploits on the open market, I am accurate.”
Eric’s Score: Don’t Know Yet
Prediction 4: Industrial Malware will Continue to be Stealthy
Laura: Your final prediction was that “the trend of industrial malware to be stealthy will continue. (Like the 2011 trio Night Dragon, Duqu and Nitro it may remain undetected for long periods of time and may only come to light when it is too late to prevent significant business or process damage).” Do you think your forecast in this case was true for 2012?
Eric: “This is absolutely true, although as Shamoon showed us you don’t have to be stealthy to do a lot of damage – I didn’t expect that”.
Laura: Although we will have a better idea after S4 on your prediction about sample attack code, at this time you have a 50% success rate on predicting the future – not bad for a Controls Engineer.
Update from Laura: Looks like Eric only predicted 1 out of 3 correctly. Better luck in 2013!
Do you think Eric’s crystal ball was accurate with his predictions for 2012? Or should he keep his day job?
Stay tuned for Eric’s 2013 forecast!
Image credit: Wikipedia
Practical SCADA Security thanks Laura for this article.
Related Content to Download
Presentation - "Advanced Persistent Threat: A Real Problem, with Real Solutions"
Practical SCADA Security thanks Professor Dorey for making this presentation available to our readers.
- Blog: SCADA Security 2012 Crystal Ball
- Blog: Shamoon Malware and SCADA Security – What are the Impacts?
- Webpage: Stuxnet Central
- Blog: Securing SCADA systems from APTs like Flame and Stuxnet – Part 1
- Digital Bond, Website: S4 2013
- TechWorld, Website: ReVuln showcases vulnerabilities in SCADA software, but won't report them to vendors