Data from the new CyberX Global ICS & IIoT Risk Report shows major security gaps remain in key areas such as plain-text passwords, direct connections to the internet, and weak anti-virus protections. Although the prevalence of Windows XP and other legacy Windows systems has decreased year-over-year — driven top-down by management in the aftermath of NotPetya’s financial damage — CyberX is still finding unpatchable Windows systems in slightly more than half of all industrial sites.
Top data points from the CyberX Global ICS & IIoT Risk Report
Unlike questionnaire-based surveys, the CyberX report is based on analyzing real-world traffic from production ICS networks, making it a more accurate representation of the current state of ICS security. Now in its second year, the report is based on data captured over the past 12 months from more than 850 production ICS networks across six continents and all industrial sectors including energy and utilities, manufacturing, pharmaceuticals, chemicals, and oil and gas.
“If you are in critical infrastructure you should plan to be targeted. And if you’re targeted, you will be compromised. It’s that simple,” said Andy Bochman, senior grid strategist for national and homeland security at the Idaho National Laboratory.
But that doesn’t mean nothing can be done. Ruthless prioritization is key. Many problems exist, but not all of them need to be solved at once. In the report, researchers lay out a series of eight steps towards protecting an organization’s most essential assets and processes. These include: continuous ICS network monitoring to immediately spot attempts to exploit unpatched systems before attackers can do any damage; threat modeling to prioritize mitigation of the highest-consequence attack vectors; and more granular network segmentation.
Hiding in plain sight: 69 percent of industrial sites have plain text passwords traversing the network. Lack of encryption in legacy protocols like SNMP and FTP exposes sensitive credentials, making cyber-reconnaissance and subsequent compromise relatively easy.
The air-gap — still a myth: 40 percent of sites have at least one direct connection to the public internet. Whether for convenience or inattention, many industrial networks continue to be connected to the public internet. With digitization as a key business driver, operational technology (OT) networks are now also increasingly connected to corporate IT networks, providing additional digital pathways for attackers.
CyberX collected traffic data from more than 850 production ICS networks and then used NTA algorithms to analyze the traffic for vulnerabilities. The analysis was performed on anonymized and aggregated metadata, with all customer-identifying information removed.
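To make concrete what the plain-text password and internet-exposure findings above rest on, here is a small passive traffic check of the kind a network traffic analysis tool applies. It is example code written for this article, not CyberX's own NTA implementation. It runs over a handful of constructed flow records (the addresses, the FTP login, the SNMP packet bytes and the 203.0.113.10 "public" destination are all made up for the sample, and the `10.20.0.0/16` site range is an assumed configuration value) and flags two conditions: credentials crossing the wire in clear text (FTP `PASS`, SNMPv1/v2c community strings) and an OT host talking to an address outside the site's own networks. Findings record that a credential was exposed and over which protocol, never the secret itself.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Flow:
    """One observed flow: endpoints, destination port and the start of the payload."""
    src: str
    dst: str
    dport: int
    payload: bytes

# Assumed site configuration: the address space the OT network is supposed to use.
SITE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed SNMPv1 GetRequest (BER): SEQUENCE { INTEGER 0, OCTET STRING "public", GetRequest-PDU }
SNMP_V1_GET = (b"\x30\x18\x02\x01\x00\x04\x06public"
               b"\xa0\x0b\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00")

# Constructed sample traffic: an FTP login, an SNMP poll, a Modbus query and an outbound TLS session.
SAMPLE_FLOWS = [
    Flow("10.20.1.15", "10.20.1.2", 21, b"USER operator\r\nPASS plc-maint-2018\r\n"),
    Flow("10.20.1.15", "10.20.1.3", 161, SNMP_V1_GET),
    Flow("10.20.1.15", "10.20.1.40", 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    Flow("10.20.1.22", "203.0.113.10", 443, b""),  # 203.0.113.10 stands in for a public address
]

def _read_tlv(buf, pos):
    """Decode one BER tag/length/value triple starting at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    if length & 0x80:  # long-form length: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += n
    start = pos + 2
    return tag, buf[start:start + length], start + length

def snmp_community(payload):
    """Return (version, community) for an SNMPv1 (0) or v2c (1) message, else None.

    SNMPv3 (version 3) carries no community string, so it is never reported here.
    """
    try:
        tag, body, _ = _read_tlv(payload, 0)
        if tag != 0x30:
            return None
        tag, ver, nxt = _read_tlv(body, 0)
        if tag != 0x02:
            return None
        version = int.from_bytes(ver, "big")
        if version not in (0, 1):
            return None
        tag, comm, _ = _read_tlv(body, nxt)
        if tag != 0x04:
            return None
        return version, comm.decode("ascii", "replace")
    except IndexError:
        return None  # truncated or non-BER payload

def is_external(dst, site_networks):
    """True when the destination lies outside the configured site networks (ignoring local-only ranges)."""
    ip = ipaddress.ip_address(dst)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return False
    return not any(ip in net for net in site_networks)

def analyze(flows, site_networks=SITE_NETWORKS):
    """Return (finding, src, dst, detail) tuples; credential values are deliberately not recorded."""
    findings = []
    for f in flows:
        if f.dport == 21 and re.search(rb"^PASS[ ]+\S+", f.payload, re.M):
            findings.append(("plaintext-credential", f.src, f.dst, "ftp"))
        elif f.dport in (161, 162):
            parsed = snmp_community(f.payload)
            if parsed:
                version = "snmpv1" if parsed[0] == 0 else "snmpv2c"
                findings.append(("plaintext-credential", f.src, f.dst, version))
        if is_external(f.dst, site_networks):
            findings.append(("external-connection", f.src, f.dst, f"tcp/{f.dport}"))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(*finding)
```

Run against the constructed flows, the check reports the FTP login and the SNMPv1 poll as plain-text credential exposures and the TLS session to 203.0.113.10 as a connection leaving the site networks, while the Modbus query between two OT hosts produces nothing. A production tool would feed the same logic from a capture interface or flow export rather than a hard-coded list, but the decision rules are the same ones the report's statistics count.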
Anti-anti-virus: 57 percent are still not running any anti-virus protections that update signatures automatically. Anti-virus programs are still a fundamental defense against malware, but signatures change daily, and the lack of automated updates makes AV programs largely ineffective.
Broken Windows: 53 percent of sites have outdated Windows systems like XP. These systems no longer receive security patches from Microsoft, but with NotPetya delivering C-level attention to the issue for the first time, we saw a marked improvement this year — from 3 out of 4 sites with legacy Windows systems in 2017 to 53 percent in this year’s report.
Indecent exposure: 16 percent have at least one Wireless Access Point (WAP). Misconfigured WAPs can be accessed by unauthorized laptops and mobile devices. What’s more, sophisticated malware such as VPNFilter targets access points such as routers and VPN gateways, enabling attackers to capture MODBUS traffic, perform network mapping, destroy router firmware, and launch attacks on OT endpoints. This means that routers should also be inventoried and patched to prevent these attacks.
“The INL methodology correctly identifies all digital control channels as attack paths. This is one reason regulators and standards bodies across the globe are recommending unidirectional security gateways to protect OT networks. The naive faith that more and newer firewalls will protect intrinsically soft ICS targets is a recipe for failure – the only question is what will be the damage and the cost of repairs,” Lior Frenkel, CEO and co-founder, Waterfall Security Solutions, told Help Net Security.