Vulnerabilities in enterprise and IoT devices are enough to give chief information security officers nightmares, but holes in industrial supervisory control and data acquisition (SCADA) systems are no less problematic.

According to a report issued this week from Trend Micro, the average time between disclosing a bug to a SCADA vendor to releasing a patch reaches up to 150 days. On the one hand, that’s better than the average time it takes leading enterprise software companies to plug holes, the report says. On the other, it’s an average of 30 days longer than it usually takes Microsoft or Adobe to release a patch.

Mean time it takes SCADA vendors to issue patches. Graph by Trend Micro

It’s a concern because SCADA systems are found in critical infrastructure such as natural gas pipelines, power transmission systems and water distribution systems.

But one of the ways attackers compromise SCADA systems is familiar to CISOs: Software. The so-called Human Machine Interfaces (HMIs) — often Windows-based — where employees input commands to network-connected machines. The problem is serious enough that Trend Micro dubs this the Hacker Machine Interface.

An analysis of two years of disclosed vulnerabilities by the Zero Day Initiative shows that 23.6 per cent dealt with lack of authentication/ authorization and insecure defaults (such as insecure defaults, clear-text transmission of sensitive information, missing encryption, and unsafe ActiveX controls marked safe for scripting), 20 per cent with memory corruption and 19 per cent with credentials management (including hard coded passwords and passwords stored in clear text).

A difficulty is that a number of equipment manufacturers focus on the hardware, not the software. In fact, says the report, many HMIs can be downloaded for free.

The majority of software developers don’t use basic defense-in depth measures such as address space layout randomization (ASLR),9 SafeSEH,10 or stack cookies, says the report. “This may be related to the mistaken belief that these solutions will operate in a completely isolated environment. SCADA solution developers often have little experience with regard to user interface construction. This is coupled by the fact that developers do not know what the final operating environment will be like for the systems. This causes developers to make assumptions that are often incorrect. Without a mature development life cycle program to guide them, SCADA developers will likely continue to make the same mistakes that application and OS developers made a decade ago.”

One solution, says the report, is that SCADA systems should only be installed on an air-gapped or isolated on a trusted network. “Experience shows this is not always the case,” says Trend Micro, pointing to attacks that crippled parts of Ukraine’s power grid in 2015 and the Stuxnet virus that hobbled centrifuges in Iran used to produce nuclear fuel.

Another is picking up the pace in software development security. However, the report complains that “HMI vendors tend to focus more on equipment manufacture and less on securing the software designed to control them. The lack of global standards for HMI software further exacerbates software security problems within this field. We have also observed the same predictable software development oversights, which demonstrate that HMIs are not utilizing basic defense-in-depth measures.”

So it calls on developers of HMI and SCADA solutions to adopt the secure life cycle practices implemented by operating system and application developers. “By taking simple steps such as auditing for the use of banned APIs, vendors can make their products more resilient to attacks. SCADA developers also need to expect their products to be used in manners that they did not intend. For example, even though it should be considered a poor security practice, developers must assume their products and solutions will be connected to a public network. By taking the mindset that assumes a worst-case scenario, developers can implement more defense-in-depth measures to add protection.”

The report also includes advice for researchers and developers looking for vulnerabilities in HMI solutions when auditing their own solutions.