10/24/2018 03:40 PM
ICS Networks Continue to be Soft Targets For Cyberattacks

CyberX study shows that many industrial control system environments are riddled with vulnerabilities.

Despite some progress, industrial control system (ICS) networks continue to be dangerously soft targets at a time when cyberattacks against them appear to be increasing.

ICS security vendor CyberX recently analyzed one year's worth of data gathered from 850 production ICS networks across multiple sectors, including energy, utilities, manufacturing, pharmaceuticals, and chemicals.

The exercise showed that a high percentage of organizations that operate ICSes are less safe than generally perceived and are not adequately addressing critical security issues.

"Most OT organizations are serious about security practices but hampered by the age and design of legacy networks," says Phil Neray, vice president of industrial cybersecurity at CyberX. "But that doesn't mean nothing can be done."

One of the most sobering findings in the CyberX study is that 40% of industrial sites are still directly connected to the Internet and are therefore exposed to more risk than when they were disconnected from the outside world.

The idea that ICS networks are relatively safe because they are "air-gapped" from the Internet is a myth, Neray says. According to the CyberX study, operational technology (OT) networks at four in 10 organizations are directly connected to the Internet, and a much higher proportion are connected to the corporate network, leaving them potentially accessible to remote attackers. Eighty-four percent of organizations had at least one device on their networks that was remotely accessible via RDP, SSH, VNC, or other protocols.

There are multiple reasons why ICS operators are connecting once-separate ICS networks directly to the Internet. An organization, for instance, might have programmed its control systems to get automated software updates, or it might have needed to enable remote support. The growing digitization of business processes is yet another reason. "Digital transformation is a business-driven initiative to gather more real-time intelligence from production facilities in order to optimize production," Neray says.

A broadening attack surface is by far not the only concern with ICS networks. More than half (53%) of the sites CyberX included in its study were using obsolete Windows systems, such as Windows XP and Windows 2000, to access their ICS networks.

Since Microsoft no longer supports these systems, they are unlikely to be properly patched against vulnerabilities and probably require some sort of compensating controls — such as continuous monitoring — to mitigate risk, the CyberX report states.

Worryingly, some 57% of the organizations in the CyberX study aren't running antivirus protection with automatically updated malware signatures on the engineering workstations or other Windows-based systems used to interact with industrial control systems. The situation appears to stem from continuing concerns at many organizations that security patches and software updates will break or slow down operational systems.

The key risk for organizations here is that poorly protected Windows systems and engineering workstations provide attackers an initial foothold in the OT network.

For instance, last year's TRITON attack on a Saudi Arabian petrochemical plant, which triggered an accidental emergency shutdown, started with the compromise of a human-machine interface (HMI) system, Neray says. The 2016 attacks on Ukraine's power grid using the so-called Industroyer malware are another example. "These are also the systems that were most impacted by NotPetya and WannaCry because they all use the ancient SMB protocol to share information across both IT and OT networks," he says.

Nearly 70% of the organizations surveyed also have cleartext passwords traversing their ICS networks. The passwords, which can be easily sniffed by attackers conducting cyber reconnaissance, typically control access to older network devices that don't support modern, secure protocols such as SFTP and SNMP v3.

In addition, 16% have at least one wireless access point installed in their OT networks, giving attackers a potential opening for dropping malware such as VPNFilter, which can sniff network communications and scan OT networks.

On a positive note, CyberX's analysis shows some improvements. For instance, though 53% of organizations still are using obsolete Windows systems, that number is actually down from the 76% of organizations with legacy systems in CyberX's 2017 report. One reason could be that many organizations were spooked by the publicity and concern surrounding the NotPetya and WannaCry attacks and finally decided to upgrade, CyberX surmises.

The overall risk scores for ICS operators across different sectors improved as well. In 2017, CyberX calculated the median risk across all of its ICS customer sites at 61, with 80 being the security vendor's minimum recommended score. This year, the median overall risk score improved to 70. Organizations in the oil and gas and energy and utilities industries have the highest scores this year of 81 and 79, respectively, indicating their relative security maturity. At the other end of the spectrum are organizations in the manufacturing and petrochemical and chemical sectors.

"Ruthless prioritization is key" to addressing ICS vulnerabilities, Neray says. Many organizations still operate under the false assumption that ICS networks are air-gapped and oblivious to the vulnerabilities riddling their production facilities, he says.

To bolster their security, ICS operators should consider implementing measures such as continuous monitoring, more granular network segmentation, and threat modeling to prioritize mitigation efforts, Neray says.
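As an added example (not from the article or from CyberX), the following Python triage script scores a constructed asset inventory on the exposure indicators the article enumerates (direct Internet connectivity, remote-access services, unsupported Windows versions, missing antivirus updates, cleartext credential protocols, wireless access points) and ranks assets for remediation. The weights, the inventory, and the discount for legacy hosts covered by continuous monitoring are all assumptions.

```python
"""Rank ICS assets for remediation by the exposure indicators the article lists."""
from dataclasses import dataclass, field

# Remote-access protocols named in the article, and protocols that carry
# credentials in cleartext (older gear that lacks SFTP / SNMPv3 support).
REMOTE_ACCESS = {"rdp", "ssh", "vnc"}
CLEARTEXT_AUTH = {"telnet", "ftp", "http", "snmpv1", "snmpv2c"}
# Windows releases Microsoft no longer supported at the time of the article.
UNSUPPORTED_OS = {"windows xp", "windows 2000", "windows server 2003"}

# Illustrative weights (assumption): how much each indicator adds to the score.
WEIGHTS = {"internet": 40, "remote_access": 15, "unsupported_os": 20,
           "no_av": 10, "cleartext_auth": 10, "wireless": 5}

@dataclass
class Asset:
    name: str
    os: str
    internet_exposed: bool = False      # directly reachable from the Internet
    services: set = field(default_factory=set)
    antivirus_updating: bool = True     # AV present with auto-updated signatures
    wireless_ap: bool = False
    monitored: bool = False             # compensating control: continuous monitoring

def risk_factors(a: Asset) -> list:
    """Return the article's indicators that apply to this asset."""
    f = []
    if a.internet_exposed: f.append("internet")
    if a.services & REMOTE_ACCESS: f.append("remote_access")
    if a.os.lower() in UNSUPPORTED_OS: f.append("unsupported_os")
    if not a.antivirus_updating: f.append("no_av")
    if a.services & CLEARTEXT_AUTH: f.append("cleartext_auth")
    if a.wireless_ap: f.append("wireless")
    return f

def risk_score(a: Asset) -> int:
    """Sum the weights; a monitored legacy host gets half the unsupported-OS penalty."""
    factors = risk_factors(a)
    score = sum(WEIGHTS[f] for f in factors)
    if "unsupported_os" in factors and a.monitored:
        score -= WEIGHTS["unsupported_os"] // 2
    return min(100, score)

def prioritize(assets: list) -> list:
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))

# Constructed inventory for illustration only.
INVENTORY = [
    Asset("hmi-01", "Windows XP", True, {"rdp", "telnet"}, antivirus_updating=False),
    Asset("eng-ws-02", "Windows 10", services={"ssh"}),
    Asset("plc-gw-03", "Linux", services={"ftp", "snmpv2c"}, wireless_ap=True),
    Asset("historian-04", "Windows 2000", services={"vnc"}, antivirus_updating=False, monitored=True),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{risk_score(a):3d}  {a.name:13s} {', '.join(risk_factors(a))}")
```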


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
