Hey, you know what the internet needs? Yup, more industrial control systems for kids to hack

Go on, shove another power plant or factory on the web

The number of industrial control systems (ICS) connected to the internet has increased year on year – meaning more and more infrastructure is sitting on the 'net potentially open to attack.

Of the 175,632 internet-accessible pieces of ICS equipment detected, approximately 42 per cent were in the US, marking a 10 per cent increase over the previous year (from 50,795 to 64,287). In Germany, which ranks second, researchers found ICS gear behind 13,242 publicly accessible IP addresses, up from 12,542 in 2016. The UK ranks sixth.

The figures come from a report put out this week by Positive Technologies, titled ICS Security: 2017 in Review.

The most common software found running on internet-accessible ICS components is the Niagara Framework, which controls machines from air conditioning and power supplies, to telecommunications, alarms, lighting, security cameras, and other important building systems.

Schneider Electric had the highest number of security vulnerabilities (47) publicly disclosed in its products in 2017, with the previous year's leader, Siemens, falling back to second place. Moxa also showed a growing vulnerability count with 36 in 2017 compared to 18 in 2016.

The overall number of exploitable bugs in ICS components is growing year-on-year. The number of vulnerabilities reported by major vendors in 2017 was 197, compared to only 115 in the prior year. Over half of these flaws were of critical or high risk in nature. A large share of the vulnerabilities disclosed in 2017 involved ICS network equipment such as switches, interface converters, and gateways.

A lot of internet-accessible ICS components are actually network devices, such as Lantronix and Moxa interface converters, which represented 12.9 per cent of detected components in 2017, up from five per cent in 2016. Although these gizmos are often regarded as relatively unimportant, they can be quite useful for hackers as stepping stones to more critical equipment.

The growing prevalence of vulnerable ICS kit is a problem because any would-be miscreant can find unprotected industrial control systems simply by searching on Google or Shodan. The release of a new point-and-hack tool, dubbed AutoSploit, which searches for vulnerable devices online using Shodan before using Metasploit's database of exploits to potentially hijack them, makes an already unpleasant picture even uglier.

Positive Technologies' research is drawn from publicly available sources, such as vulnerability knowledge bases, vendor advisories, exploit databases and packs, research papers, and posts on security websites and blogs.

PT's report [PDF] offers guidelines for improving ICS security. Basic measures that can be taken immediately include separating operational networks from the corporate LAN and external networks (such as the internet), installing security updates as soon as possible, and regularly auditing the security of ICS networks in order to identify potential attack vectors.

“Despite numerous incidents, reports, and large-scale regulatory efforts, it is alarming that, overall, industrial systems aren’t more secure than they were ten years ago. Today, anyone can go on the Internet and find vulnerable building systems, data centers, electrical substations, and manufacturing equipment,” said Vladimir Nazarov, head of ICS Security, at Positive.

“ICS attacks can mean much more than just blackouts or production delays—lives may be at stake. This is why it's so important that before even writing the first line of code, developers design-in the security mechanisms necessary to keep ICS components secure. And, when these mechanisms eventually become outdated, they need to modernise them in a timely manner.”

The study follows the UK government’s announcement earlier in the week that critical industries could be fined up to £17m if they have insufficient cyber security. ®
