It seems hard to believe that a major part of an enterprise would be left unprotected or nearly so and available on the open internet for anyone who looks for them or just happens upon them, but it’s true.
Worse, the number of such unprotected industrial control system (ICS) networks is growing every year, with seemingly little concern on the part of the companies that own and depend on them.
These industrial control systems are the computers that operate and monitor a wide variety of production and management systems in factories, warehouses or even office buildings. They include production machinery, inventory control systems, air conditioning, power supplies, alarms or security systems. Increasingly, these ICS networks are connected to corporate networks.
It was just such connection between an HVAC system and a corporate network that was the immediate cause of the 2013 breach that exposed personal information about 41 million Target customers. And that was just the first big one.
Such breaches continue, and according to a research report by enterprise security company Positive Technologies, they’re getting worse. In their research, the company found more than 64,000 internet accessible ICS components in the U.S. in 2017.
Many of the unprotected components discovered in the study were actually network devices which the company identified as Lantronix and Moxa interface converters. According to Positive Technologies, many companies ignore such devices considering them unimportant, but in reality, they can be a haven for hackers.
The report says that major ICS vendors reported 197 security vulnerabilities in 2017, which was a significant increase. More than half of the vulnerabilities were reported as being critical or high risk. According to the report these devices can typically be exploited remotely by a hacker without needing to elevate their privileges.
Once they gain access to a targeted ICS, hackers can then make their way into attached corporate networks, frequently without any further impediment. This is what happened with Target, when stolen credentials for the HVAC contractor provided a clear pathway for hackers to gain access to point of sale terminals throughout the chain, which in turn led to stolen personal information.
The Positive Technologies report listed Schneider Electric as the maker of the ICS products with the largest number of reported vulnerabilities, with Siemens taking second place. Siemens was the maker of the ICS equipment that was penetrated in the famous Stuxnet attacks on Iranian nuclear centrifuges.
“Despite numerous incidents, reports, and large-scale regulatory efforts, it is alarming that, overall, industrial systems aren’t more secure than they were ten years ago,” said Positive Technologies head of ICS security Vladimir Nasarov, in a prepared statement.
“Today, anyone can go on the Internet and find vulnerable building systems, data centers, electrical substations and manufacturing equipment. ICS attacks can mean much more than just blackouts or production delays—lives may be at stake,” Nasarov said.
“This is why it’s so important that before even writing the first line of code, developers [should] design-in the security mechanisms necessary to keep ICS components secure. And, when these mechanisms eventually become outdated, they need to modernize them in a timely manner.”
To some extent the solutions haven’t changed since I wrote about this problem following the Target breach. To the extent that they have changed, they’ve gotten worse. The study performed by Positive Technologies shows that IT administrators simply don’t look far enough when they consider security for ICS devices. The device itself may not be all that important, but if it’s connected to the corporate network, then it’s just as important as anything else on the same network.
The report makes several recommendations that should be considered the minimum in protecting any network in your company, whether they include ICS or your administrative computers:
- Segregate ICS operational networks from your enterprise and from the Internet.
- Limit physical access to the ICS and its network components
- Enforce a strict password policy
- Properly configure network equipment and firewalls
- Protect privileged accounts and minimize the use of such accounts
- Use antivirus software
- Install updates to operating systems and applications
But the question remains as to why the security of industrial control systems seems to be getting worse. The answer, according to Positive Technologies CTO Andrew Bershadsky seems to be that enterprise managers just haven’t seen the threat.
“The subject of industrial security was ignored for many years before companies in the industrial space realized that theoretical threats may become a real danger,” Bershadsky told eWEEK in an email. He said that just a few years ago, “only researchers with deep technical knowledge of these systems were looking into the issues.”
Bershadsky said that until companies start specifying security requirements into their RFPs when buying ICS, and not to think about security after the fact, as is the case frequently now, it will take time to change.
He predicts that companies will need to think about security monitoring centers for their industrial systems in the same way they think about their security operations centers elsewhere in their enterprise.
Enterprises need to asses the level of real risk to which they’re exposed, Bershadsky said. But what’s missing in most such security evaluations is to look beyond the device. An ICS interface in itself might not seem critical, but the network to which it’s attached surely is. The vulnerability doesn’t end with the device, instead it begins there.