The number of industrial control system (ICS) components – which run factories, transport, power plants and other facilities – left open to Internet access, is increasing every year. In Germany, for example, researchers from Positive Technologies found 13,242 IP addresses for ICS components, up from 12,542 in 2016.
Internet-accesible ICS components around the world
Advanced industrial countries, such as the U.S., Germany, China, France, and Canada, were home to the largest numbers of Internet-accesible ICS components. Of the 175,632 Internet-accessible ICS components detected, approximately 42% were in the U.S., representing a 10% increase over the previous year (from 50,795 to 64,287). This is a long stretch above second place, where Germany sits the second year in a row with 13,242 discovered.
The Positive Technologies research team also noted that more and more Internet-accessible ICS components are actually network devices, such as Lantronix and Moxa interface converters, which represented 12.86% of detected components in 2017, up from 5.06% in 2016. Although these converters are often regarded as relatively unimportant, they can be quite useful for hackers, as has been seen in a number of high-profile attacks.
The most common software on Internet-accessible ICS components is Niagara Framework components. Niagara connects and enables management control over systems like air conditioning, power supplies, telecommunications, alarms, lighting, security cameras, and other important building systems. Software like this often contains vulnerabilities and beyond proof-of-concept, they’ve already been hacked in the wild.
“Some experts recommend ‘designing secure systems’ from the start. There is no such thing. Nothing is secure. All software has bugs, and so all software can be hacked. Attaching so-called ‘secure’ control devices to the Internet is going to result in those devices being mis-operated just as certainly as ‘insecure’ devices,” Andrew Ginter, VP Industrial Security, Waterfall Security Solutions, told Help Net Security.
“Attaching control devices indirectly to the Internet through one or more firewalls is very little better. Firewalls are also software. If connected software is the problem, why does more connected (firewall) software seem like an answer? Computers controlling dangerous or important physical processes should be separated from the Internet by hardware-enforced unidirectional gateways, not firewalls, and certainly not direct connections,” Ginter concluded.
Growing number of vulnerabilities in ICS components
The number of vulnerabilities reported by major vendors in 2017 was 197, compared to only 115 in the prior year. Over half of these vulnerabilities were of critical or high risk in nature.
A large share of the vulnerabilities disclosed in 2017 involved ICS network equipment such as switches, interface converters, and gateways. This is especially worrisome because network equipment is increasingly Internet-connected. Further, most reported ICS vulnerabilities can be exploited remotely without hackers needing to somehow obtain privileges in order to access targeted systems.
In terms of the number of vulnerabilities publicly disclosed in 2017, the previous year’s leader, Siemens, fell back to second. The 47 vulnerabilities disclosed in Schneider Electric ICS products are almost ten times as many as the number from the year before (5). Moxa also showed a growing vulnerability count with 36 in 2017 compared to 18 in 2016.
“Despite numerous incidents, reports, and large-scale regulatory efforts, it is alarming that, overall, industrial systems aren’t more secure than they were ten years ago. Today, anyone can go on the Internet and find vulnerable building systems, data centers, electrical substations, and manufacturing equipment,” said Vladimir Nazarov, Head of ICS Security at Positive Technologies. “ICS attacks can mean much more than just blackouts or production delays—lives may be at stake. This is why it’s so important that before even writing the first line of code, developers design-in the security mechanisms necessary to keep ICS components secure. And, when these mechanisms eventually become outdated, they need to modernize them in a timely manner.”
Guidelines for improving ICS security
Basic measures that can be taken immediately by organizations include:
- Separating operational networks from the corporate LAN and external networks (such as the Internet)
- Diligently installing security updates
- Regularly auditing the security of ICS networks in order to identify potential attack vectors.