Industrial Control Systems Are A Soft Target For Cyber Attackers

Uploaded on 2018-11-21 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Production-Manufacturing

Despite knowing for some time that improperly protected Internet-connected industrial control systems are vulnerable to attacks that can cause catastrophic harm to businesses and communities ICS systems are still easy targets, if numbers collected by a security vendor are representative.

“Many sites are exposed to the public Internet and trivial to traverse using simple vulnerabilities like plain-text passwords,” says the global ICS risk report released this morning by CyberX. “Lack of even basic protections like automatically-updated anti-virus enables attackers to quietly perform reconnaissance before sabotaging physical processes such as assembly lines, mixing tanks, and blast furnaces.”

The report looked at anonymized data obtained from over 850 production ICS (also known as operational) networks of CyberX customers in a 12 month period starting September 2017.

Among the findings:

– 69 per cent of networks had plain-text passwords traversing the network. A lack of encryption in legacy protocols like SNMP and FTP exposes sensitive credentials — making cyber-reconnaissance and subsequent compromise relatively easy;

– Operational networks are protected because they are air-gapped is a myth: 40 per ent of industrial sites have at least one direct connection to the public internet, making them more easily accessible to adversaries and malware;

– 53 per cent of sites had obsolete Windows systems such as Windows XP. The report admits due to ICS-specific
factors such as narrow maintenance windows, legacy applications, and older hardware some systems can’t be patched. If so, continuous monitoring of those systems may be necessary, as well as better network segmentation;

– 84% of industrial sites had at least one remotely accessible device;

– 57 per cent of sites weren’t running anti-virus protections that update signatures automatically;

– 16 per cent of sites had at least one wireless access point. They need to be monitored and patched;

This is a follow-up to a similar report done a year ago, and CyberX says, there isn’t much difference. Other than fewer sites running old versions of Windows, “the industry may not have changed much over the course of the past year.”

Among the problems, the report notes, is that industrial networks contain a complex mix of specialized non-IT protocols, including proprietary protocols developed for specific families of industrial automation devices. This heterogeneous mix complicates security for OT environments. In addition, many OT protocols were originally designed when robust security features such as authentication were not even a requirement — because it was assumed that simply having connectivity to a device was sufficient authentication.

Still, a number of standard IT protocols are in use. The SMB protocol is widely used across IT and OT networks, the report points out. “Managers should note that vulnerabilities in the decades-old SMB protocol were a key factor in the costly
WannaCry and NotPetya attacks of 2017.”

“Not everything can be protected at once,” the report admits, “and the deeply complicated and critical nature of OT networks mean that by definition systems cannot be easily taken offline in order to install upgrades, patches, or anti-virus.”

What’s the solution: “Ruthless prioritization is required.”

– inventory all ICS assets;

– identify vital assets (those that could cause catastrophic harm, revenue loss, lawsuits, theft of intellectual property) and use technologies such as automated ICS threat modelling to reduce risk;

– discover likely attack paths, then practice — through table-top and other exercises — how to defend against them.

– mitigate and protect by looking at everything from weak password and password policies, closing off unauthorized or unnecessary Internet connections, direct connections between OT and IT networks, open ports, device patching, lack of network segmentation. And get rid of the walls between administrators of OT and IT networks.

IT World Canada:

You Might Also Read:

USB Devices Pose A Significant Threat To Industrial Facilities

« Cybersecurity Vigilance Is Mandatory
Chinese Hackers Target UK Engineering »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Rapid7

Rapid7

Rapid7 unites cloud risk management and threat detection to deliver results that secure your business and ensure you’re always ready for what comes next.

LRQA

LRQA

LRQA are a leading global assurance provider, bringing together unrivalled expertise in certification, brand assurance, cybersecurity, inspection and training.

ASU Online - Information Technology Program

ASU Online - Information Technology Program

The Information Technology program at ASU Online provides you with the expertise to design, select, implement and administer computer-based information solutions.

CERTuy

CERTuy

CERTuy is the national Computer Emergency Response Team for Uruguay.

Schneider Electric

Schneider Electric

Schneider Electric develops connected technologies and solutions to manage energy and process in ways that are safe, reliable and sustainable.

Private Internet Access

Private Internet Access

Private Internet Access is a Virtual Private Network services provider offering secure encrypted access to the internet.

TOAE Security

TOAE Security

TOAE Security is a trusted cyber security consulting partner helping today's leading organizations protect their most important assets from evolving cyber threats.

HCC Embedded

HCC Embedded

HCC’s mission is to ensure that data stored or communicated by an embedded IoT application is secure, safe and reliable.

ZecOps

ZecOps

ZecOps is a cybersecurity automation company offering solutions for servers, endpoints, mobile devices, and custom devices.

BlackCloak

BlackCloak

BlackCloak provides Concierge Cyber Security for high-net-worth individuals and corporate executives to protect them from cybercrime, reputational risks, hacking and identity theft.

Cyber Griffin

Cyber Griffin

Founded by the City of London Police in 2017, Cyber Griffin is an initiative that supports businesses and individuals in the Square Mile to protect themselves from cyber crime.

Componolit

Componolit

Componolit GmbH is a highly specialized company with a strong emphasis on trustworthy software, component-based systems and formal verification.

Citadel Cyber Security

Citadel Cyber Security

Citadel is a leading 'One Stop Shop' provider of consulting services in cyber and information security. Our experts operate in hundreds of business organizations in Israel and around the world.

Venustech

Venustech

Venustech is a leading provider of network security products, trusted security management platforms, specialized security services and solutions.

NVISIONx

NVISIONx

NVISIONx data risk governance platform enables companies to gain control of their enterprise data to reduce data risks, compliance scopes and storage costs.

Jitterbit

Jitterbit

Jitterbit integrates critical business processes and enables application development to deliver the experiences and insights needed by enterprises of all sizes to accelerate their digital journey.