Citation[]
Department of Homeland Security, Control Systems Security Program, National Cyber Security Division, Common Cybersecurity Vulnerabilities in Industrial Control Systems (May 2011) (full-text).
Overview[]
This report compiled common vulnerabilities identified during numerous security assessments of new ICS products and production ICS installations from 2004 through 2010.
This report is organized in three sections. First, the different sources of ICS vulnerability information are summarized. Then the common ICS vulnerabilities are presented according to categories that describe a general problem observed in multiple ICS security assessments.
These three general categories are grouped by:
- 1. Vulnerabilities inherent in the ICS product.
- 2. Vulnerabilities caused during the installation, configuration, and maintenance of the ICS.
- 3. The lack of adequate protection because of poor network design or configuration.
Nonattributable ICS vulnerabilities are listed with the common vulnerability descriptions to aid in understanding the issues. General recommendations based on empirical knowledge gained through performing ICS security assessments are then grouped by software development recommendations for ICS vendors, ICS network configuration, and maintenance recommendations for ICS owners.