ICSes Remain Soft Targets

Tuesday, October 23, 2018 @ 05:10 PM gHale

With security awareness at a high level in the industrial control sector, major security gaps still remain in key areas such as plain-text passwords, direct connections to the Internet, and weak anti-virus protections, researchers said.

Although the prevalence of Windows XP and other legacy Windows systems has decreased year-over-year — driven top-down by management in the aftermath of NotPetya’s financial damage — researchers at security provider, CyberX, are still finding unpatchable Windows systems in more than half of all industrial sites.


“Industrial and critical infrastructure organizations that rely on industrial control systems (ICS) to run their businesses — such as firms in energy and utilities, oil and gas, pharmaceutical and chemical production, food & beverage and other manufacturing sectors — have known their valuable assets are susceptible to cyberattack since Stuxnet was discovered and publicized in 2010,” CyberX researchers said.

“The extent to which they are vulnerable, and the attack vectors through which they might be compromised, however, have historically been much harder to know in any measurable sense,” researchers said.

Destructive malware such as WannaCry and NotPetya, as well as targeted ICS attacks such as Triton and Industroyer, have shown the potential impact of ICS cyberattacks which include costly production outages and clean-up costs.

The CyberX report is based on analyzing real-world traffic from production ICS networks, making it a more accurate representation of the current state of ICS security.

Now in its second year, the report is based on data captured over the past 12 months from more than 850 production ICS networks across six continents and all industrial sectors including energy and utilities, manufacturing, pharmaceuticals, chemicals, and oil and gas.

“If you are in critical infrastructure you should plan to be targeted,” said Andy Bochman, senior grid strategist for national and homeland security at the Idaho National Laboratory (INL). “And if you’re targeted, you will be compromised. It’s that simple.”

The answer to avoiding becoming a victim is what CyberX researchers are calling ruthless prioritization.

Issues will always be out there, but not all of them need to be solved at once. In the report, CyberX lays out a series of eight steps to protect an organization’s most essential assets and processes, including: Continuous ICS network monitoring to immediately spot attempts to exploit unpatched systems before attackers can do any damage; threat modeling to prioritize mitigation of the highest consequence attack vectors, and more granular network segmentation.

Other key findings in the report include:
Hiding in plain sight: 69 percent of industrial sites have plain text passwords traversing the network. Lack of encryption in legacy protocols like SNMP and FTP exposes sensitive credentials, making cyber-reconnaissance and subsequent compromise relatively easy.
Air gap is a myth: 40 percent of sites have at least one direct connection to the public internet. Whether for convenience or inattention, many industrial networks continue to be connected to the public Internet. With digitization as a key business driver, operational technology (OT) networks are now also increasingly connected to corporate IT networks, providing additional digital pathways for attackers.
Anti-anti-virus: 57 percent are still not running any anti-virus protections that update signatures automatically. Anti-virus programs are still a fundamental defense against malware, but signatures change daily, and the lack of automated updates makes AV programs largely ineffective.
Broken Windows: 53 percent of sites have outdated Windows systems like XP. These systems no longer receive security patches from Microsoft, but with NotPetya delivering C-level attention to the issue for the first time, there was a marked improvement this year — down from 75 percent of sites with legacy Windows systems in 2017 to 53 percent in this year’s report.
Indecent exposure: 16 percent have at least one Wireless Access Point (WAP). Misconfigured WAPs can be accessed by unauthorized laptops and mobile devices.
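As an added illustration of the "hiding in plain sight" finding and the continuous-monitoring recommendation above (example code written for this page, not from the CyberX report or ISSSource): a minimal passive monitor that inspects FTP and SNMP payloads seen on an OT segment and flags where credentials cross the wire in the clear. The addresses and packets below are constructed, and SNMPv3 messages, which carry no community string, are deliberately not flagged.

```python
import re
FTP_PASS = re.compile(rb"^PASS (\S+)\r?$", re.M)

def ftp_cleartext_password(payload):
    """Return the password if an FTP control stream carries a PASS command."""
    m = FTP_PASS.search(payload)
    return m.group(1).decode("ascii", "replace") if m else None

def _ber_len(buf, i):
    """Decode the BER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def snmp_community(payload):
    """Community string of an SNMPv1/v2c message, or None (v3 has none)."""
    # Layout: SEQUENCE { INTEGER version, OCTET STRING community, PDU }
    try:
        if payload[0] != 0x30:
            return None
        _, i = _ber_len(payload, 1)
        if payload[i] != 0x02:
            return None
        vlen, i = _ber_len(payload, i + 1)
        version = int.from_bytes(payload[i:i + vlen], "big")
        i += vlen
        if version == 3 or payload[i] != 0x04:
            return None
        clen, i = _ber_len(payload, i + 1)
        return payload[i:i + clen].decode("ascii", "replace")
    except IndexError:
        return None

def scan(records):
    """records: iterable of (src, dst, dst_port, payload); yields findings."""
    for src, dst, dport, payload in records:
        if dport == 21 and ftp_cleartext_password(payload) is not None:
            yield (src, dst, "ftp-cleartext-password")
        elif dport == 161 and snmp_community(payload) is not None:
            yield (src, dst, "snmp-v1/v2c-community")

# Constructed sample packets (hypothetical addresses, not real captures).
SNMP_V2C = b"\x30\x18\x02\x01\x01\x04\x06public\xa0\x0b\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00"
SNMP_V3 = b"\x30\x05\x02\x01\x03\x30\x00"
SAMPLE = [
    ("10.1.2.10", "10.1.2.50", 21, b"USER engineer\r\nPASS hunter2\r\n"),
    ("10.1.2.11", "10.1.2.60", 161, SNMP_V2C),
    ("10.1.2.12", "10.1.2.60", 161, SNMP_V3),
]
```

Running `list(scan(SAMPLE))` reports the FTP session and the SNMPv2c poll but stays silent on the SNMPv3 message, which is the split a monitor needs in order to prioritize migrating the legacy endpoints rather than alerting on every SNMP packet.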

“We’re not here to create FUD, but we think it’s important for business leaders to have a data-driven view of ICS risk so they can ask the right questions,” said Dan Shugrue, senior director of industrial cybersecurity for CyberX. “We’re definitely making progress in reducing ICS risk, but we have a long way to go.”
