Living, Dead (and Undead) Zero Day Exploits, and What They Mean for Industrial Control Systems

Zero Days exploits are vulnerabilities that exist within software that have not been patched or fixed publicly. These vulnerabilities are an attractive target for hackers, who can typically create an exploit within 22 days of finding a Zero Day. As revealed in the recent Wikileaks releases, government agencies may even hoard knowledge of these vulnerabilities in order to use spying and hacking tools. Some zero day vulnerabilities are sold to the highest bidder, but many are also reported to the software companies in exchange for bounties or simply to make their products safer.

Many Zero Day vulnerabilities are reported through agencies like US-CERT and ICS-CERT, but others are simply patched or fixed without a public warning.

Because reporting cannot always be relied upon to notify software users of vulnerability, it is important that any software used within a system is up-to-date on the most recent version and patch. This is particularly important to industrial control systems, where system downtime can result in massive productivity losses. With more malicious agents turning toward tactics like ransomware to hold systems hostage, it’s important that industrial automation place as much focus on IT as OT.

Industrial Automation has always had a tendency to lag behind, due to the relative difficulty of patching software on industrial systems or changing operating systems on machines designed to last for decades. As operating systems like Microsoft Windows XP become obsolete, many companies hang onto old systems that are too costly or inconvenient to replace but leave themselves open to vulnerabilities in the process.

Some Zero Days become significantly less threatening as obsolete software is phased out or patched, but hackers also know this, and will intentionally target systems with Zero Day exploits that take advantage of unpatched or unsupported software.

Living Zero Days

Living Zero Days are vulnerabilities that are not public, and so no patch or fix exists for them. These are the most dangerous Zero Days. Knowledge of these vulnerabilities may be sold to malicious actors, or may be given to software companies.

Immortal Zero Days

Immortal Zero days pose a much larger threat to industrial automation than one might expect. Immortal Zero Days are vulnerabilities that are not public and will never be patched because the software is no longer supported. These are especially dangerous for systems using old or proprietary HMI/SCADA software that is no longer supported with updates.

Dead Zero Days

Dead Zero days are vulnerabilities that have been fixed or patched by the software vendor. These may sound innocuous, but they also pose a risk to control systems due to the frequently long time lag between software updates and a system shut-down that allows software to be patched. In addition, not all companies make vulnerabilities publicly known, and when they do they can be easy to miss. This is why it’s always recommended that systems are always up-to-date on current software, even when it is costly, time consuming, or difficult.

Zombie Zero Days

Zombie Zero days exist in an in-between state of living and dead. They are public and have been patched, but the patch or fix does not apply to older versions of the software. These are especially dangerous when hackers know that systems are using unsupported software and can look for specific vulnerabilities.

AVEVA has always worked diligently to ensure that updating systems to the most current software doesn’t cause expensive productivity loss, lost development time, or incur excessive costs for software. That is why all applications created in any version of AVEVA Edge can be opened, edited, and deployed using the most recent version of the software. In addition, AVEVA Edge supports every currently supported Windows operating system, as well as Linux. There are also import wizards for systems like FactoryTalk and PanelMate that make bringing obsolete systems into a safer environment much simpler. This makes it more convenient and more cost effective ensure that industrial control systems are using current software that has been patched for known Zero Days.

Keeping your Systems Safe

Looking for a software partner that will keep you up to date on zero days and help your business implement cybersecurity best practice measures? AVEVA Edge is a great place to start for a more secure SCADA/HMI software.