Traffic analysis on 375 industrial networks worldwide has confirmed the extent to which hackers target industrial control systems (ICS).
The study by CyberX also found that industrial networks are both connected to the internet and rife with vulnerabilities including legacy Windows boxes, plain-text passwords and a lack of antivirus protection.
One-third of industrial sites are connected to the internet – making them accessible by hackers and malware exploiting vulnerabilities and misconfigurations. The findings undermine the comforting notion that industrial networks don't need to be monitored or patched because they're isolated from the internet via "air gaps".
More than three out of four sites have obsolete Windows systems like Windows XP and 2000. Since Microsoft no longer develops security patches for legacy systems, these can easily be compromised by destructive malware such as WannaCry/NotPetya, trojans like Black Energy, and other nasties.
Half of the sites audited failed to install any antivirus protection whatsoever – increasing the risk of successful malware infections.
Weak authentication was also a problem. Nearly three out of five sites have plain-text passwords traversing their control networks, which might be sniffed by attackers carrying out cyber-reconnaissance before launching attacks against industrial devices on weakly secured networks.
Rogue devices and wireless access were highlighted. Nearly half the audited plants have at least one unknown or rogue device, and 20 per cent have wireless access points (WAPs), both of which can be used as entry points by attackers. WAPs can be compromised via misconfigured settings or via the recently discovered KRACK WPA2 vulnerability, for example.
The vast majority (82 per cent) of industrial sites are running remote management protocols like RDP, VNC, and SSH. Once attackers have compromised an operational technology (OT) network, this makes it easier to learn how the equipment is configured and eventually manipulate it.
Power plant pwnage
These various shortcomings mean that hackers of varied motives might be able to attack industrial plants. Hackers might be able to get into OT networks either via the internet or by using stolen credentials to switch from corporate IT systems on to OT networks. Once a foothold has been established it's relatively easy for miscreants to move around and compromise industrial devices.
According to a new US CERT advisory citing analysis by the Department of Homeland Security and FBI, threat actors are currently engaged in advanced persistent threat (APT) attacks using spear phishing to obtain stolen credentials from ICS personnel.
OT networks are used with specialised ICS to monitor and control physical processes such as assembly lines, chemical mixing tanks, and blast furnaces. Although industry experts have been warning us for years that our OT networks are particularly vulnerable because they often lack the built-in controls found in IT networks such as automated updates and strong authentication, CyberX's study is one of the first to quantify the risk.
"The risk to OT networks is real – and it's dangerous and perhaps even negligent for business leaders to ignore it," said Michael Assante, ICS/SCADA lead for the SANS Institute.
Data used to compile the study was obtained by applying CyberX's proprietary NTA algorithms to production traffic collected from passive (non-intrusive) monitoring of 375 industrial networks worldwide. It included a representative sample of firms from the energy and utilities, manufacturing, pharmaceuticals, chemicals, and oil and gas sectors. The analysis was performed on an anonymised and aggregated set of metadata with all identifying information removed.
The traffic included a diverse and representative mix of specialised industrial protocols including Modbus TCP, Ethernet/IP, Siemens S7/S7+, GE SRTP, Schneider Electric Telvent, ABB HCS, Beckhoff, OPC, OSIsoft PI, MMS, and many others.
CyberX's Global ICS & IIoT Risk Report was published on Tuesday, October 24.
In response to the threat on industrial control systems, CyberX advises organisations to provide security awareness training for plant personnel and enforcing strong corporate policies to eliminate risky behaviours such as clicking links in emails, using USBs and laptops to transfer files to OT systems, and dual-homing devices between IT and OT networks.
Using compensating controls and multi-layered defences – such as continuous monitoring with behavioural anomaly detection — to provide early warnings of hackers inside your OT network, and the mitigation of critical vulnerabilities that might take years to fully remediate are also recommended. ®