10/24/2018 03:40 PM

ICS Networks Continue to be Soft Targets For Cyberattacks

CyberX study shows that many industrial control system environments are riddled with vulnerabilities.

Despite some progress, industrial control system (ICS) networks continue to be dangerously soft targets at a time when cyberattacks against them appear to be increasing.

ICS security vendor CyberX recently analyzed one year's worth of data gathered from 850 production ICS networks across multiple sectors, including energy, utilities, manufacturing, pharmaceuticals, and chemicals.

The exercise showed that a high percentage of organizations that operate ICSes are less safe than generally perceived and are not adequately addressing critical security issues.

"Most OT organizations are serious about security practices but hampered by the age and design of legacy networks," says Phil Neray, vice president of industrial cybersecurity at CyberX. "But that doesn't mean nothing can be done."

One of the most sobering findings in the CyberX study is that 40% of industrial sites are still directly connected to the Internet and are therefore exposed to more risk than when they were disconnected from the outside world.

The idea that ICS networks are relatively safe because they are "air-gapped" from the Internet is a myth, Neray says. Operational technology (OT) networks at four in 10 organizations are directly connected to the Internet, and a much higher proportion are connected to the corporate network, so they are potentially accessible to remote attackers, the CyberX study states. Eighty-four percent of organizations had at least one device on their networks that was remotely accessible and open to communication via RDP, SSH, VNC, and other protocols.

There are multiple reasons why ICS operators are connecting once-separate ICS networks directly to the Internet. An organization, for instance, might have programmed its control systems to get automated software updates, or it might have needed to enable remote support. The growing digitization of business processes is yet another reason. "Digital transformation is a business-driven initiative to gather more real-time intelligence from production facilities in order to optimize production," Neray says.

A broadening attack surface is far from the only concern with ICS networks. More than half (53%) of the sites CyberX included in its study were using obsolete Windows systems, such as Windows XP and Windows 2000, to access their ICS networks.

Since Microsoft no longer supports these systems, they are unlikely to be properly patched against vulnerabilities and probably require some sort of compensating controls — such as continuous monitoring — to mitigate risk, the CyberX report states.

Worryingly enough, some 57% of the organizations in the CyberX study aren't running antivirus protection with automatically updated malware signatures on the engineering workstations or Windows-based systems used to interact with industrial control systems. The situation appears to be the result of continuing concerns among many organizations that security patches and software updates will break or slow down operational systems.

The key risk for organizations here is that poorly protected Windows systems and engineering workstations provide attackers an initial foothold in the OT network.

For instance, last year's TRITON attack on a Saudi Arabian petrochemical plant, which triggered an accidental emergency shutdown, started with the compromise of a human-machine interface (HMI) system, Neray says. The 2016 attacks on Ukraine's power grid using the so-called Industroyer malware are another example. "These are also the systems that were most impacted by NotPetya and WannaCry because they all use the ancient SMB protocol to share information across both IT and OT networks," he says.

Nearly 70% of the organizations surveyed also have cleartext passwords traversing their ICS networks. The passwords, which can be easily sniffed by attackers conducting cyber reconnaissance, typically control access to older network devices that don't support modern, secure protocols such as SFTP and SNMP v3.

In addition, 16% have at least one wireless access point installed in their OT networks, giving attackers a potential opening to drop malware such as VPNFilter, which can sniff network communications and scan OT networks.

On a positive note, CyberX's analysis shows some improvements. For instance, though 53% of organizations still are using obsolete Windows systems, that number is actually down from the 76% of organizations with legacy systems in CyberX's 2017 report. One reason could be that many organizations were spooked by the publicity and concern surrounding the NotPetya and WannaCry attacks and finally decided to upgrade, CyberX surmises.

The overall risk scores for ICS operators across different sectors improved as well. In 2017, CyberX calculated the median risk across all of its ICS customer sites at 61, with 80 being the security vendor's minimum recommended score. This year, the median overall risk score improved to 70. Organizations in the oil and gas and energy and utilities industries have the highest scores this year of 81 and 79, respectively, indicating their relative security maturity. At the other end of the spectrum are organizations in the manufacturing and petrochemical and chemical sectors.

"Ruthless prioritization is key" to addressing ICS vulnerabilities, Neray says. Many organizations still operate under the false assumption that ICS networks are air-gapped and oblivious to the vulnerabilities riddling their production facilities, he says.

To bolster their security, ICS operators should consider implementing measures such as continuous monitoring, more granular network segmentation, and threat modeling to prioritize mitigation efforts, Neray says.
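As an added example (not CyberX's product or the article's own material), the continuous-monitoring recommendation above can be expressed as passive checks over an asset inventory and observed flows, flagging the exposure classes the study counts: unsupported Windows in the OT zone, remote-access protocols reachable from outside the plant, cleartext credential protocols, and SMB crossing from IT into OT. The internal address ranges, the port-to-protocol mapping, and the sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Plant-internal ranges (assumed for this example); anything else is treated as Internet-sourced.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 161: "SNMPv1/v2c"}  # credentials travel in the clear
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}
UNSUPPORTED_OS = ("Windows XP", "Windows 2000")

@dataclass
class Asset:
    ip: str
    os: str
    zone: str  # "OT" or "IT"
@dataclass
class Flow:
    src: str
    dst: str
    dport: int

def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def assess(assets, flows):
    """Map an asset inventory plus observed flows to (severity, finding) pairs."""
    by_ip = {a.ip: a for a in assets}
    findings = []
    for a in assets:
        if a.zone == "OT" and a.os.startswith(UNSUPPORTED_OS):
            findings.append(("high", f"{a.ip}: unsupported {a.os} in OT zone"))
    for f in flows:
        dst, src = by_ip.get(f.dst), by_ip.get(f.src)
        if dst is None or dst.zone != "OT":
            continue  # only flows terminating on OT assets matter here
        if f.dport in REMOTE_ACCESS_PORTS and is_external(f.src):
            findings.append(("critical", f"{f.dst}: {REMOTE_ACCESS_PORTS[f.dport]} from Internet host {f.src}"))
        if f.dport in CLEARTEXT_PORTS:
            findings.append(("high", f"{f.dst}: cleartext {CLEARTEXT_PORTS[f.dport]} from {f.src}"))
        if f.dport == 445 and src is not None and src.zone == "IT":
            findings.append(("medium", f"{f.dst}: SMB from IT host {f.src} bridges IT and OT"))
    return findings

# Constructed sample data: two OT hosts, one corporate host, four observed flows.
SAMPLE_ASSETS = [Asset("10.1.0.10", "Windows XP SP3", "OT"), Asset("10.1.0.20", "VxWorks", "OT"),
                 Asset("10.2.0.5", "Windows 10", "IT")]
SAMPLE_FLOWS = [Flow("203.0.113.7", "10.1.0.10", 3389), Flow("10.2.0.5", "10.1.0.10", 445),
                Flow("10.2.0.5", "10.1.0.20", 161), Flow("10.1.0.10", "10.2.0.5", 443)]
def sample_findings():
    return assess(SAMPLE_ASSETS, SAMPLE_FLOWS)
```

The OT-to-IT HTTPS flow is deliberately ignored, since the checks concern paths into the OT zone, not out of it.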


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
