2012 SCADA Security Predictions - How Did Eric Byres Do?

Submitted by Laura Mattson on Wed, 2012-12-12 12:28

Early in 2012 Eric Byres wrote a blog article predicting what he thought would happen in 2012 with regards to SCADA and ICS security. I went back to his blog and highlighted the four main predictions he made. Then I asked him to rate himself on each one.

Prediction 1: No Big Messy Security Events

Laura: You predicted that “there will be no big messy security events in 2012 (No Stuxnet or Slammer)”. Do you feel your prediction was accurate?

Eric: “Unfortunately, I sure got this wrong! I didn’t expect that so many highly sophisticated advanced persistent threats like Flame, Gauss and Duqu would be found. And I certainly didn’t expect that some amateur hackers would develop Shamoon and wipe out 30,000+ computers at Saudi Aramco with it.”

Saudi Aramco’s headquarters complex. This is one of the sites where 30-55,000 workstation hard drives were wiped clean by the Shamoon virus. 

“2012 turned out to be worse than I expected, especially if you were running a refinery in the Middle East. Now I worry that we just haven’t found out what is happening in Europe and the Americas. I can’t imagine worms only like computers, SCADA and ICS systems in the Middle East!”

Eric’s Score:

Prediction 2: More than 500 SCADA and ICS Vulnerabilities Disclosed

Laura: You stated that “over 500 vulnerabilities in automation products will be disclosed by freelance ‘researchers’”. Was your predicted figure close to what was actually disclosed this year?

Eric: “Sean McBride, of Critical Intelligence, tells me there are 569 unique ICS specific vulnerabilities reported to ICS-CERT for 2012 as of November 20th. At that rate we’ll top 600 for 2012, which is a 65% increase over 2011. So, I was pretty accurate with this prediction.

Update from Laura: Sean McBride informed us that Eric had counted wrong. When Eric said that there were 569 new SCADA/ICS vulnerabilities in 2012 this turned out to be the cumulative total since 2001. Only 248 new vulnerabilities were announced in 2012. So Eric's prediction that there would be 500 new vulnerabilities in 2012, was wrong.

Eric’s Score:

Prediction 3: Half of all Disclosures would Include Attack Code

Laura: You estimated that “half of the disclosures will include sample attack code”. Was this true for 2012?

Eric: “I don’t have any stats on this. So I don’t know how I did. We will probably know at S4 in January. But I will guess that with people like Luigi Auriemma now selling exploits on the open market, I am accurate.”

Eric’s Score: Don’t Know Yet

Prediction 4: Industrial Malware will Continue to be Stealthy

Laura: Your final prediction was that “the trend of industrial malware to be stealthy will continue. (Like the 2011 trio Night Dragon, Duqu and Nitro it may remain undetected for long periods of time and may only come to light when it is too late to prevent significant business or process damage).” Do you think your forecast in this case was true for 2012?

Eric: “This is absolutely true, although as Shamoon showed us you don’t have to be stealthy to do a lot of damage – I didn’t expect that”.

Eric’s Score:

Laura: Although we will have a better idea after S4 on your prediction about sample attack code, at this time you have a 50% success rate on predicting the future – not bad for a Controls Engineer.

Update from Laura:  Looks like Eric only predicted 1 out of 3 correctly.  Better luck in 2013!

 

Do you think Eric’s crystal ball was accurate with his predictions for 2012? Or should he keep his day job?

Stay tuned for Eric’s 2013 forecast!

Image credit: Wikipedia

http://www.tofinosecurity.com/sites/default/files/tofino_smaller_logo.png

Laura Mattson
Marketing Specialist

 

Practical SCADA Security thanks Laura for this article.

Related Content to Download

Presentation - "Advanced Persistent Threat: A Real Problem, with Real Solutions"

 

Download this presentation and benefit from:

  • Definitions of APT and The Threat Continuum
  • Examples of Advanced Persistent Threat (APT) attacks on major companies
  • A summary of the advanced approaches companies use to defend against APTs

Practical SCADA Security thanks Professor Dorey for making this presentation available to our readers.

Related Links

 

RSS Feed Subscribe to the "Practical SCADA Security" news feed

Author Laura Mattson

Comments

2
Submitted by Ralph (not verified) on Wed, 2012-12-12 15:35

Keep your day job, dude. Predicting no messy security events is like a honeypot for a big messy security event. The others are like predicting that it is going to snow in Detroit sometime in 2013. :-)

Submitted by Clair Voyánt (not verified) on Wed, 2012-12-12 16:38

I thought that gazing into the Crystal Ball and stirring the tea leaves was his day job... And he should keep doing it. 50 to 75% success is pretty good.

Add new comment