Legions of Critical Infrastructure Devices Subject to Cyber Targeting

Nearly 100,000 ICS devices have been found open to the public Internet, potentially threatening physical safety globally. Here's how to quantify the risk.


There are at least 100,000 industrial control systems (ICS) exposed to the public Internet around the world, controlling a host of critical operational technologies (OT) like power grids, water systems, and building management systems (BMS). While that's a big number, researchers note that quantifying true cyber-risk from that exposure means examining which protocols the gear uses.

In a recent analysis, researchers from cyber-risk handicapper Bitsight reached the 100,000 number by inventorying reachable devices that use the top 10 most popular and widely used ICS protocols (including Modbus, KNX, BACnet, Niagara Fox, and others).

They determined that the exposed ICS footprint represents a ripe target for cyberattackers, and thus a global risk to physical safety in at least 96 countries. The risk is not theoretical, as malware built to subvert power grids and incidents like the Colonial Pipeline hack show.

"These ICS devices are used to control much of the physical infrastructure in our society, from traffic lights to vaccine production," according to a recent report from the firm. "Disruption of these systems could lead to significant business disruption, threats to human safety, data and intellectual property (IP) compromise, national security threats, and more."

Pedro Umbelino, principal security researcher at Bitsight, notes that there are few, if any, reasons for this type of equipment to be directly reachable via the Internet, so the risk level seems like a soluble problem.

"The systems we identified as Internet-facing could be due to misconfigurations, or neglect of best practices," he explains. "Typically, attackers scan for Internet-facing systems and then gather information to determine if that system has a vulnerability. So if systems are behind a firewall or otherwise not Internet facing, then much of the risk of exploitation is mitigated."

No Standard Protocol: ICS Communications Guide Risk Assessment

Understanding risk within ICS environments takes more than simply determining how many devices are reachable from the Internet. Specifically, the protocols in use can be an important clue in determining where cyberattackers might be probing for weaknesses.

"Some protocols we explored lack security measures, like basic authentication, leaving the devices pretty much open to anyone," Umbelino says.

He adds that other protocols have attributes that can help attackers perform target reconnaissance.

"Other protocols are very verbose, clearly indicating the brand, model, and version of the device, hugely simplifying an attacker's task to search for readily available exploits," Umbelino explains. "The adoption of different protocols indicates different devices are present in an organization's exposed surface. This implies different vendors, different supply chains, [and] different software running."

Organizations should also be aware that tailoring attacks by protocol could help with geotargeting. Bitsight pointed out that exposed industrial control systems using CODESYS, KNX, Moxa Nport, and S7 are largely concentrated in the European Union (EU). Meanwhile, exposed systems using ATG and BACnet largely reside in the US. Modbus and Niagara Fox, on the other hand, are present globally.

The takeaway is that ICS-owning organizations can inventory their protocol use, and use that as a variable to identify risk and inform their OT/ICS security strategies, Umbelino says. For instance, it may not always be practical to reconfigure an entire critical infrastructure environment to eliminate Internet-facing points, so knowing where to focus first can be invaluable.

Industry 4.0 Builds a More Secure Future

While Bitsight's topline findings should signal a wakeup call for critical infrastructure stakeholders everywhere, it's worth noting that the level of ICS exposure has actually declined over time, even amid the move to "smart" OT environments and more digitization. In 2019, the number of exposed ICS devices within the parameters of the study sat at nearly 140,000.

"Initiatives like CISA's 'Securing Industrial Control Systems: A Unified Initiative,' and general discussions that the security community have been having around the topic of ICS security might have contributed to lower exposure," Umbelino postulates. "[And,] Industry 4.0 brought new technologies, but also other ways to interact with them (think about cloud environments, private networks, and other less reachable environments, for example) and more mature security programs."

How to Improve ICS Security & Exposure

From a practical standpoint, owners of ICS environments can shore up their security by taking some common-sense steps, according to Bitsight:

  • Identify any ICS deployed by the organization and/or third-party business partners, and promptly assess the security of these systems;

  • Remove any ICS from the public Internet;

  • Employ safeguards like firewalls to protect against unauthorized access;

  • And acknowledge the unique control needs that apply to OT, including ICS, rather than just applying a traditional IT risk model to the infrastructure (i.e., the need for downtime in order to patch).

"In a nutshell, as a rule of thumb: reduce exposure," Umbelino says. "Industrial control systems do not belong on the public Internet. Use firewalls, configure access controls, take advantage of virtual private networks or any other mechanism that prevents the devices from being widely reachable."
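The protocol inventory and "remove from the public Internet" steps above can be applied to an organization's own asset export, as in the following added example (not code from Bitsight or the article). It assumes devices listen on each protocol's commonly used default port; the CSV layout, host names, and addresses are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import Counter

# Default ports commonly used by protocols the article names (assumption:
# devices listen on defaults; add any site-specific ports you use).
ICS_PORTS = {
    ("tcp", 502): "Modbus", ("tcp", 102): "S7",
    ("udp", 47808): "BACnet", ("udp", 3671): "KNX",
    ("tcp", 1911): "Niagara Fox", ("tcp", 2455): "CODESYS",
    ("udp", 4800): "Moxa NPort", ("tcp", 10001): "ATG",
}

# Ranges treated as internal; everything else counts as Internet-routable.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample export (hypothetical hosts). Documentation-range
# addresses (203.0.113.0/24, 198.51.100.0/24) stand in for public ones.
SAMPLE_CSV = """asset,address,proto,port
boiler-plc-01,203.0.113.10,tcp,502
boiler-plc-02,10.20.1.11,tcp,502
hvac-ctrl-01,198.51.100.7,udp,47808
hvac-ctrl-02,203.0.113.44,udp,47808
bms-gateway,203.0.113.45,tcp,1911
web-portal,203.0.113.80,tcp,443
line3-plc,203.0.113.12,tcp,502
line4-plc,203.0.113.13,TCP,502
"""

def exposed_ics(csv_text):
    """Return [(asset, address, protocol)] for ICS listeners on non-internal addresses."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        protocol = ICS_PORTS.get((row["proto"].lower(), int(row["port"])))
        addr = ipaddress.ip_address(row["address"])
        if protocol and not any(addr in net for net in INTERNAL):
            findings.append((row["asset"], str(addr), protocol))
    return findings

def remediation_order(findings):
    """Protocols ranked by number of exposed devices, largest first."""
    return Counter(p for _, _, p in findings).most_common()

if __name__ == "__main__":
    found = exposed_ics(SAMPLE_CSV)
    for protocol, count in remediation_order(found):
        hosts = [a for a, _, p in found if p == protocol]
        print(f"{protocol}: {count} exposed -> {', '.join(hosts)}")
```

The ranking gives a first-pass order for moving devices behind a firewall or VPN; an address outside the internal ranges is a prompt to check reachability, not proof of it.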

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading
