10/24/2018 03:40 PM
ICS Networks Continue to be Soft Targets For Cyberattacks

CyberX study shows that many industrial control system environments are riddled with vulnerabilities.

Despite some progress, industrial control system (ICS) networks continue to be dangerously soft targets at a time when cyberattacks against them appear to be increasing.

ICS security vendor CyberX recently analyzed one year's worth of data gathered from 850 production ICS networks across multiple sectors, including energy, utilities, manufacturing, pharmaceuticals, and chemicals.

The exercise showed that a high percentage of organizations that operate ICSes are less safe than generally perceived and are not adequately addressing critical security issues.

"Most OT organizations are serious about security practices but hampered by the age and design of legacy networks," says Phil Neray, vice president of industrial cybersecurity at CyberX. "But that doesn't mean nothing can be done."

One of the most sobering findings in the CyberX study is that 40% of industrial sites are still directly connected to the Internet and are therefore exposed to more risk than when they were disconnected from the outside world.

The idea that ICS networks are relatively safe because they are "air-gapped" from the Internet is a myth, Neray says. Operational technology (OT) networks at four in 10 organizations are directly connected to the Internet, and a much higher proportion are connected to the corporate network, so they are potentially reachable by remote attackers, the CyberX study states. Eighty-four percent of organizations had at least one device on their networks that was remotely accessible over RDP, SSH, VNC, or a similar protocol.

There are multiple reasons why ICS operators are connecting once-separate ICS networks directly to the Internet. An organization, for instance, might have programmed its control systems to get automated software updates, or it might have needed to enable remote support. The growing digitization of business processes is yet another reason. "Digital transformation is a business-driven initiative to gather more real-time intelligence from production facilities in order to optimize production," Neray says.

A broadening attack surface is by far not the only concern with ICS networks. More than half (53%) of the sites CyberX included in its study were using obsolete Windows systems, such as Windows XP and Windows 2000, to access their ICS networks.

Since Microsoft no longer supports these systems, they are unlikely to be properly patched against vulnerabilities and probably require some sort of compensating controls — such as continuous monitoring — to mitigate risk, the CyberX report states.

Worryingly enough, some 57% of the organizations in the CyberX study are not running antivirus software with automatically updating malware signatures on the engineering workstations and other Windows-based systems used to interact with industrial control systems. The situation appears to stem from continuing concerns among many organizations that security patches and software updates will break or slow down operational systems.

The key risk for organizations here is that poorly protected Windows systems and engineering workstations provide attackers an initial foothold in the OT network.

For instance, last year's TRITON attack on a Saudi Arabian petrochemical plant, which triggered an accidental emergency shutdown, started with the compromise of a human-machine interface (HMI) system, Neray says. The 2016 attack on Ukraine's power grid using the so-called Industroyer malware is another example. "These are also the systems that were most impacted by NotPetya and WannaCry because they all use the ancient SMB protocol to share information across both IT and OT networks," he says.

Nearly 70% of the organizations surveyed also have cleartext passwords traversing their ICS networks. The passwords, which can be easily sniffed by attackers conducting cyber reconnaissance, typically control access to older network devices that don't support modern, secure protocols such as SFTP and SNMP v3.
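The cleartext-credential finding above is something a defender can check for in the same way an attacker would, by passively watching the OT segment rather than by logging into every device. The following is an added example, not code from the CyberX report or from Dark Reading: a minimal detector that takes reassembled application payloads (the `Flow` records, which are a constructed stand-in for what a SPAN-port collector such as Zeek or scapy would hand over) and pulls out credentials sent in the clear by three protocols still common on legacy OT gear: SNMP v1/v2c community strings (parsed from the BER-encoded message, so an SNMPv3 message is correctly ignored), FTP USER/PASS pairs, and HTTP Basic authentication headers. All addresses, hostnames and credentials in the sample flows are made up.

```python
"""Passive detection of cleartext credentials on an OT network segment.

Added example. Flow records, addresses and credentials below are constructed
for illustration; in practice the payloads would come from a SPAN/TAP feed.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class Flow:
    src: str        # source IP (constructed)
    dst: str        # destination IP (constructed)
    dport: int      # destination port, used to pick the protocol parser
    payload: bytes  # reassembled client->server application payload


def _ber_length(buf, pos):
    """Decode a BER length field at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:                      # short form: single byte
        return first, pos + 1
    n = first & 0x7F                      # long form: n following bytes
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def parse_snmp_community(payload):
    """Return (version, community) for an SNMPv1/v2c message, else None.

    Message layout: SEQUENCE { INTEGER version, OCTET STRING community, PDU }.
    SNMPv3 (version 3) carries a header SEQUENCE instead of a community
    string, so it is rejected here and never reported as cleartext.
    """
    try:
        if payload[0] != 0x30:            # outer SEQUENCE
            return None
        _, pos = _ber_length(payload, 1)
        if payload[pos] != 0x02:          # INTEGER version
            return None
        vlen, pos = _ber_length(payload, pos + 1)
        version = int.from_bytes(payload[pos:pos + vlen], "big")
        pos += vlen
        if version not in (0, 1):         # 0 = v1, 1 = v2c
            return None
        if payload[pos] != 0x04:          # OCTET STRING community
            return None
        clen, pos = _ber_length(payload, pos + 1)
        community = payload[pos:pos + clen].decode("ascii", "replace")
    except IndexError:                    # truncated message
        return None
    return version, community


_FTP_USER = re.compile(rb"^USER (\S+)", re.M)
_FTP_PASS = re.compile(rb"^PASS (\S+)", re.M)
_HTTP_BASIC = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")


def find_ftp_credentials(payload):
    """Pair up USER and PASS commands seen on an FTP control channel."""
    users = _FTP_USER.findall(payload)
    passwords = _FTP_PASS.findall(payload)
    return [(u.decode(), p.decode()) for u, p in zip(users, passwords)]


def find_http_basic(payload):
    """Decode an HTTP Basic Authorization header into (user, password)."""
    m = _HTTP_BASIC.search(payload)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def detect_cleartext_auth(flows):
    """Return (src, dst, protocol, credential) tuples for every cleartext login."""
    findings = []
    for f in flows:
        if f.dport == 161:
            r = parse_snmp_community(f.payload)
            if r:
                findings.append((f.src, f.dst, "snmp-v1" if r[0] == 0 else "snmp-v2c", r[1]))
        elif f.dport == 21:
            for user, pw in find_ftp_credentials(f.payload):
                findings.append((f.src, f.dst, "ftp", f"{user}:{pw}"))
        elif f.dport in (80, 8080):
            r = find_http_basic(f.payload)
            if r:
                findings.append((f.src, f.dst, "http-basic", f"{r[0]}:{r[1]}"))
    return findings


# Constructed sample traffic: one SNMPv1 GetRequest with community "public",
# one abbreviated SNMPv3 header, an FTP login, an HTTP Basic request, and a
# Modbus/TCP read (no authentication at all, so nothing to report).
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "10.0.1.20", 161, bytes.fromhex(
        "3018 020100 0406 7075626c6963 a00b 020101 020100 020100 3000")),
    Flow("10.0.1.5", "10.0.1.21", 161, bytes.fromhex("3008 020103 3003 020105")),
    Flow("10.0.1.7", "10.0.1.30", 21, b"USER plc_admin\r\nPASS s3cret\r\n"),
    Flow("10.0.1.8", "10.0.1.40", 80,
         b"GET /status HTTP/1.1\r\nHost: hmi01\r\nAuthorization: Basic "
         + base64.b64encode(b"operator:changeme") + b"\r\n\r\n"),
    Flow("10.0.1.9", "10.0.1.50", 502, bytes.fromhex("0001 0000 0006 01 03 0000 0001")),
]

if __name__ == "__main__":
    for src, dst, proto, cred in detect_cleartext_auth(SAMPLE_FLOWS):
        print(f"{src} -> {dst} {proto}: {cred}")
```

The point of the SNMP parser is the caveat a practitioner runs into: a port-based rule ("anything on UDP/161 is insecure") would flag SNMPv3 traffic too, whereas decoding the version field reports only the v1/v2c messages that actually expose a community string. The same detector is a cheap first step toward the continuous monitoring recommended later in the article.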

In addition, 16% have at least one wireless access point installed in their OT networks, giving attackers a potential opening for dropping malware like VPNFilter for sniffing network communications and scanning OT networks.

On a positive note, CyberX's analysis shows some improvements. For instance, though 53% of organizations still are using obsolete Windows systems, that number is actually down from the 76% of organizations with legacy systems in CyberX's 2017 report. One reason could be that many organizations were spooked by the publicity and concern surrounding the NotPetya and WannaCry attacks and finally decided to upgrade, CyberX surmises.

The overall risk scores for ICS operators across different sectors improved as well. In 2017, CyberX calculated the median risk across all of its ICS customer sites at 61, with 80 being the security vendor's minimum recommended score. This year, the median overall risk score improved to 70. Organizations in the oil and gas and energy and utilities industries have the highest scores this year of 81 and 79, respectively, indicating their relative security maturity. At the other end of the spectrum are organizations in the manufacturing and petrochemical and chemical sectors.

"Ruthless prioritization is key" to addressing ICS vulnerabilities, Neray says. Many organizations still operate under the false assumption that ICS networks are air-gapped and oblivious to the vulnerabilities riddling their production facilities, he says.

To bolster their security, ICS operators should consider implementing measures such as continuous monitoring, more granular network segmentation, and threat modeling to prioritize mitigation efforts, Neray says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...