Hey, you know what the internet needs? Yup, more industrial control systems for kids to hack

Go on, shove another power plant or factory on the web

The number of industrial control systems (ICS) connected to the internet has increased year on year – meaning more and more infrastructure is sitting on the 'net potentially open to attack.

Of the 175,632 internet-accessible ICS equipment detected, approximately 42 per cent were in the US, marking a 10 per cent increase over the previous year (from 50,795 to 64,287). In Germany, which ranks second, researchers found ICS gear behind 13,242 public-accessible IP addresses, up from 12,542 in 2016. The UK ranks sixth.

The figures come from a report put out this week by Positive Technologies, titled ICS Security: 2017 in Review.

The most common software found running on internet-accessible ICS components is the Niagara Framework, which controls machines from air conditioning and power supplies, to telecommunications, alarms, lighting, security cameras, and other important building systems.

Schneider Electric had the highest number of security vulnerabilities (47) publicly disclosed in its products in 2017, with the previous year's leader, Siemens, falling back to second place. Moxa also showed a growing vulnerability count with 36 in 2017 compared to 18 in 2016.

The overall number of exploitable bugs in ICS components is growing year-on-year. The number of vulnerabilities reported by major vendors in 2017 was 197, compared to only 115 in the prior year. Over half of these flaws were of critical or high risk in nature. A large share of the vulnerabilities disclosed in 2017 involved ICS network equipment such as switches, interface converters, and gateways.

A lot of internet-accessible ICS components are actually network devices, such as Lantronix and Moxa interface converters, which represented 12.9 per cent of detected components in 2017, up from five per cent in 2016. Although these gizmos are often regarded as relatively unimportant, they can be quite useful for hackers as stepping stones to more critical equipment.

The growing prevalence of vulnerable ICS kit is a problem because any would-be miscreant can find unprotected industrial control systems simply by searching on Google or Shodan. The release of a new point-and-hack tool, dubbed AutoSploit, that searches for vulnerable devices online using Shodan before using Metasploit's database of exploits to potentially hijack vulnerable devices make an already unpleasant picture even uglier.

Positive Technologies' research is drawn from publicly available sources, such as vulnerability knowledge bases, vendor advisories, exploit databases and packs, research papers, and posts on security websites and blogs.

PT's report [PDF] offers guidelines for improving ICS security. Basic measures that can be taken immediately include separating operational networks from the corporate LAN and external networks (such as the internet), installing security updates as soon as possible, and regularly auditing the security of ICS networks in order to identify potential attack vectors.

“Despite numerous incidents, reports, and large-scale regulatory efforts, it is alarming that, overall, industrial systems aren’t more secure than they were ten years ago. Today, anyone can go on the Internet and find vulnerable building systems, data centers, electrical substations, and manufacturing equipment,” said Vladimir Nazarov, head of ICS Security, at Positive.

“ICS attacks can mean much more than just blackouts or production delays—lives may be at stake. This is why it's so important that before even writing the first line of code, developers design-in the security mechanisms necessary to keep ICS components secure. And, when these mechanisms eventually become outdated, they need to modernise them in a timely manner.”

The study follows the UK government’s announcement earlier in the week that critical industries could be fined up to £17m if they have insufficient cyber security. ®

Other stories you might like

  • LGBTQ+ folks warned of dating app extortion scams
    Uncle Sam tells of crooks exploiting Pride Month

    The FTC is warning members of the LGBTQ+ community about online extortion via dating apps such as Grindr and Feeld.

    According to the American watchdog, a common scam involves a fraudster posing as a potential romantic partner on one of the apps. The cybercriminal sends explicit of a stranger photos while posing as them, and asks for similar ones in return from the mark. If the victim sends photos, the extortionist demands a payment – usually in the form of gift cards – or threatens to share the photos on the chat to the victim's family members, friends, or employer.

    Such sextortion scams have been going on for years in one form or another, even attempting to hit Reg hacks, and has led to suicides.

    Continue reading
  • 5G C-band rollout at US airports slowed over radio altimeter safety fears
    Well, they did say from July, now they really mean from July 2023

    America's aviation watchdog has said the rollout of 5G C-band coverage near US airports won't fully start until next year, delaying some travelers' access to better cellular broadband at crowded terminals.

    Acting FAA Administrator Billy Nolen said in a statement this month that its discussions with wireless carriers "have identified a path that will continue to enable aviation and 5G C-band wireless to safely co-exist."

    5G C-band operates between 3.7-3.98GHz, near the 4.2-4.4GHz band used by radio altimeters that are jolly useful for landing planes in limited visibility. There is or was a fear that these cellular signals, such as from cell towers close to airports, could bleed into the frequencies used by aircraft and cause radio altimeters to display an incorrect reading. C-band technology, which promises faster mobile broadband, was supposed to roll out nationwide on Verizon, AT&T and T-Mobile US's networks, but some deployments have been paused near airports due to these concerns. 

    Continue reading
  • IBM settles age discrimination case that sought top execs' emails
    Just days after being ordered to provide messages, Big Blue opts out of public trial

    Less than a week after IBM was ordered in an age discrimination lawsuit to produce internal emails in which its former CEO and former SVP of human resources discuss reducing the number of older workers, the IT giant chose to settle the case for an undisclosed sum rather than proceed to trial next month.

    The order, issued on June 9, in Schenfeld v. IBM, describes Exhibit 10, which "contains emails that discuss the effort taken by IBM to increase the number of 'millennial' employees."

    Plaintiff Eugene Schenfeld, who worked as an IBM research scientist when current CEO Arvind Krishna ran IBM's research group, sued IBM for age discrimination in November, 2018. His claim is one of many that followed a March 2018 report by ProPublica and Mother Jones about a concerted effort to de-age IBM and a 2020 finding by the US Equal Employment Opportunity Commission (EEOC) that IBM executives had directed managers to get rid of older workers to make room for younger ones.

    Continue reading

Biting the hand that feeds IT © 1998–2022