Industrial and Critical Infrastructure Networks Are Ripe Targets for Cyberattackers

Staff Report

Friday, November 17th, 2017

CyberX, the industrial cybersecurity company safeguarding ICS infrastructures worldwide, announced findings from its "Global ICS & IIoT Risk Report," a comprehensive review of the current state of Operational Technology security. Operational Technology networks are used with specialized Industrial Control Systems to monitor and control physical processes such as assembly lines, mixing tanks, and blast furnaces.

To learn more about Cyber Security visit www.EDTScyber.com

The data clearly shows that OT networks are ripe targets for adversaries, whose motives range from criminal intent to operational disruption and even threats to human and environmental safety. Many are exposed to the public internet and easy to traverse using simple vulnerabilities like plain-text passwords. Lack of even basic protections like anti-virus can enable attackers to quietly perform reconnaissance before sabotaging physical processes.

As a result, once attackers get into an OT network — either via the internet or by using stolen credentials to pivot from corporate IT systems to OT networks — it's relatively easy for them to move around and compromise industrial devices. According to a new US-CERT advisory citing analysis by the DHS and FBI, threat actors are currently engaged in APT attacks using spear phishing to obtain stolen credentials from ICS personnel.

Although industry experts have been warning us for years that our OT networks are vulnerable — missing many of the built-in controls found in IT networks like automated updates and strong authentication — this is the first time we've had real-world data to objectively evaluate the risk.

"The risk to OT networks is real — and it's dangerous and perhaps even negligent for business leaders to ignore it," said Michael Assante, ICS/SCADA Lead for the SANS Institute.

To obtain this data, CyberX analyzed production traffic from 375 representative OT networks worldwide across all sectors — including energy & utilities, manufacturing, pharmaceuticals, chemicals, and oil & gas — using its proprietary Network Traffic Analysis algorithms. Similar to the methodology used for the Verizon Data Breach Investigations Report, the analysis was performed on an anonymized and aggregated set of metadata with all identifying information removed. Rigorous attention was paid to preserving the confidentiality of sensitive customer information.

Some of the eye-opening conclusions include:

Forget the myth of the air-gap: One-third of industrial sites are connected to the internet — making them accessible by hackers and malware exploiting vulnerabilities and misconfigurations. This also explodes the myth that OT networks don't need to be monitored or patched because they're isolated from the internet via "air-gaps."

Unpatchable Windows boxes: More than 3 out of 4 sites have obsolete Windows systems like Windows XP and 2000. Since Microsoft no longer develops security patches for legacy systems, they can easily be compromised by destructive malware such as WannaCry/NotPetya, Trojans such as Black Energy, and new forms of ransomware.

Weak authentication: Nearly 3 out of 5 sites have plain-text passwords traversing their control networks, which can be sniffed by attackers performing cyber-reconnaissance and then used to compromise critical industrial devices.

No anti-virus protection: Half of the sites don't have any AV protection whatsoever — increasing the risk of silent malware infections.

Rogue devices and wireless access: Nearly half have at least one unknown or rogue device, and 20 percent have wireless access points, both of which can be used as entry points by attackers. WAPs can be compromised via misconfigured settings or via the recently discovered KRACK WPA2 vulnerability, for example.

Remote control: 82% of industrial sites are running remote management protocols like RDP, VNC, and SSH. Once attackers have compromised an OT network, this makes it easier to learn how the equipment is configured and eventually manipulate it.
