Despite some progress, industrial control system (ICS) networks continue to be dangerously soft targets at a time when cyberattacks against them appear to be increasing.
ICS security vendor CyberX recently analyzed one year's worth of data gathered from 850 production ICS networks across multiple sectors, including energy, utilities, manufacturing, pharmaceuticals, and chemicals.
The exercise showed that a high percentage of organizations that operate ICSes are less safe than generally perceived and are not adequately addressing critical security issues.
"Most OT organizations are serious about security practices but hampered by the age and design of legacy networks," says Phil Neray, vice president of industrial cybersecurity at CyberX. "But that doesn't mean nothing can be done."
One of the most sobering findings in the CyberX study is that 40% of industrial sites are still directly connected to the Internet and are therefore exposed to more risk than when they were disconnected from the outside world.
The idea that ICS networks are relatively safe because they are "air-gapped" from the Internet is a myth, Neray says. Operational technology (OT) networks at four in 10 organizations are directly connected to the Internet and a much higher proportion to the corporate network and are therefore potentially accessible to remote attackers, the CyberX study states. Eighty-four percent of organizations had at least one device on their networks that was remotely accessible and open to communication via RDP, SSH, VNC, and other protocols.
There are multiple reasons why ICS operators are connecting once-separate ICS networks directly to the Internet. An organization, for instance, might have programmed its control systems to get automated software updates, or it might have needed to enable remote support. The growing digitization of business processes is yet another reason. "Digital transformation is a business-driven initiative to gather more real-time intelligence from production facilities in order to optimize production," Neray says.
A broadening attack surface is by far not the only concern with ICS networks. More than half (53%) of the sites CyberX included in its study were using obsolete Windows systems, such as Windows XP and Windows 2000, to access their ICS networks.
Since Microsoft no longer supports these systems, they are unlikely to be properly patched against vulnerabilities and probably require some sort of compensating controls — such as continuous monitoring — to mitigate risk, the CyberX report states.
Worryingly enough, some 57% of the organizations in the CyberX study aren't running antivirus protection with automatically updating malware signatures on the engineering workstations or Windows-based systems that are used to interact with industrial control systems. The situation appears to be the result of continuing concerns among many organizations that security patches and software updates will break or slow down operational systems.
The key risk for organizations here is that poorly protected Windows systems and engineering workstations provide attackers an initial foothold in the OT network.
For instance, last year's TRITON attack on a Saudi Arabian petrochemical plant, which triggered an accidental emergency shutdown, started with the compromise of a human-machine interface (HMI) system, Neray says. The 2016 attacks on Ukraine's power grid using the so-called Industroyer malware are another example. "These are also the systems that were most impacted by NotPetya and WannaCry because they all use the ancient SMB protocol to share information across both IT and OT networks," he says.
Nearly 70% of the organizations surveyed also have cleartext passwords traversing their ICS networks. The passwords, which can be easily sniffed by attackers conducting cyber reconnaissance, typically control access to older network devices that don't support modern, secure protocols such as SFTP and SNMP v3.
In addition, 16% have at least one wireless access point installed in their OT networks, giving attackers a potential opening for dropping malware like VPNFilter for sniffing network communications and scanning OT networks.
On a positive note, CyberX's analysis shows some improvements. For instance, though 53% of organizations still are using obsolete Windows systems, that number is actually down from the 76% of organizations with legacy systems in CyberX's 2017 report. One reason could be that many organizations were spooked by the publicity and concern surrounding the NotPetya and WannaCry attacks and finally decided to upgrade, CyberX surmises.
The overall risk scores for ICS operators across different sectors improved as well. In 2017, CyberX calculated the median risk score across all of its ICS customer sites at 61, with 80 being the security vendor's minimum recommended score. This year, the median overall risk score improved to 70. Organizations in the oil and gas sector and in the energy and utilities sector have the highest scores this year, 81 and 79, respectively, indicating their relative security maturity. At the other end of the spectrum are organizations in the manufacturing sector and in the petrochemical and chemical sector.
"Ruthless prioritization is key" to addressing ICS vulnerabilities, Neray says. Many organizations still operate under the false assumption that their ICS networks are air-gapped and remain oblivious to the vulnerabilities riddling their production facilities, he says.
To bolster their security, ICS operators should consider implementing measures such as continuous monitoring, more granular network segmentation, and threat modeling to prioritize mitigation efforts, Neray says.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.