The number of industrial control systems (ICS) connected to the internet has increased year on year – meaning more and more infrastructure is sitting on the 'net potentially open to attack.
Of the 175,632 internet-accessible pieces of ICS equipment detected, approximately 42 per cent were in the US, marking a 10 per cent increase over the previous year (from 50,795 to 64,287). In Germany, which ranks second, researchers found ICS gear behind 13,242 publicly accessible IP addresses, up from 12,542 in 2016. The UK ranks sixth.
The figures come from a report put out this week by Positive Technologies, titled ICS Security: 2017 in Review.
The most common software found running on internet-accessible ICS components is the Niagara Framework, which controls machines from air conditioning and power supplies, to telecommunications, alarms, lighting, security cameras, and other important building systems.
Schneider Electric had the highest number of security vulnerabilities (47) publicly disclosed in its products in 2017, with the previous year's leader, Siemens, falling back to second place. Moxa also showed a growing vulnerability count with 36 in 2017 compared to 18 in 2016.
The overall number of exploitable bugs in ICS components is growing year-on-year. The number of vulnerabilities reported by major vendors in 2017 was 197, compared to only 115 in the prior year. Over half of these flaws were rated critical or high risk. A large share of the vulnerabilities disclosed in 2017 involved ICS network equipment such as switches, interface converters, and gateways.
A lot of internet-accessible ICS components are actually network devices, such as Lantronix and Moxa interface converters, which represented 12.9 per cent of detected components in 2017, up from five per cent in 2016. Although these gizmos are often regarded as relatively unimportant, they can be quite useful for hackers as stepping stones to more critical equipment.
The growing prevalence of vulnerable ICS kit is a problem because any would-be miscreant can find unprotected industrial control systems simply by searching on Google or Shodan. The release of a new point-and-hack tool, dubbed AutoSploit, which searches for vulnerable devices online using Shodan before using Metasploit's database of exploits to potentially hijack them, makes an already unpleasant picture even uglier.
Positive Technologies' research is drawn from publicly available sources, such as vulnerability knowledge bases, vendor advisories, exploit databases and packs, research papers, and posts on security websites and blogs.
PT's report offers guidelines for improving ICS security. Basic measures that can be taken immediately include separating operational networks from the corporate LAN and external networks (such as the internet), installing security updates as soon as possible, and regularly auditing the security of ICS networks in order to identify potential attack vectors.
“Despite numerous incidents, reports, and large-scale regulatory efforts, it is alarming that, overall, industrial systems aren’t more secure than they were ten years ago. Today, anyone can go on the Internet and find vulnerable building systems, data centers, electrical substations, and manufacturing equipment,” said Vladimir Nazarov, head of ICS Security, at Positive.
“ICS attacks can mean much more than just blackouts or production delays—lives may be at stake. This is why it's so important that before even writing the first line of code, developers design-in the security mechanisms necessary to keep ICS components secure. And, when these mechanisms eventually become outdated, they need to modernise them in a timely manner.”
The study follows the UK government’s announcement earlier in the week that critical industries could be fined up to £17m if they have insufficient cyber security. ®