New Trend Micro research revealed how exposed human machine interface (HMI) systems in thousands of critical water and energy organizations around the world could be exploited, causing significant real-world impacts, such as contaminating the water supply.
[Figure: U.S. critical infrastructure dependency flow according to econometric analysis]
Exposed human machine interfaces
HMIs are a key part of industrial IT systems: they allow human operators to interact with supervisory control and data acquisition (SCADA) environments. A large majority of the identified exposed systems belong to smaller energy and water organizations that feed the major enterprise supply chain, which serves the general public. With access to an exposed HMI, an attacker can not only see all the information about critical systems but also interact with and abuse these interfaces.
“Critical infrastructure is a national focal point for cybersecurity – and for cybercriminals, who can pinpoint and exploit the weakest link in these connected systems,” said Mark Nunnikhoven, VP of cloud research for Trend Micro. “That’s troubling, as Trend Micro Research continues to find critical devices, and the networks that they connect to, needlessly exposed. This exposure, combined with the record number of ICS vulnerabilities reported through the Zero Day Initiative this year, highlights a growing risk that extends into each of our communities.”
Many of these HMIs are legacy systems that were not initially designed to be connected to a network in this way. Today, connectivity is being added to many legacy operational technology systems, which have long lifespans and are very difficult to patch, exacerbating the risk of attack.
“The Trend Micro search results are not a representative sample – that they found medium-sized utilities’ HMIs exposed to the Internet at all suggests this is the tip of an iceberg. The defenses recommended in the report’s Appendix are dated – layers of firewalls are only speed bumps to modern attackers. Modern defenses recognize that all attacks are information and so the first step to defense is to control information flows, not just encrypt them: block USB ports, forbid external laptops, and if you need an HMI on the Internet, use a Unidirectional Gateway, not a firewall,” Lior Frenkel, CEO and co-founder, Waterfall Security Solutions, told Help Net Security.
Real-world impact to critical infrastructure
Attackers may soon turn their attention to exploiting these exposed systems due to an increase in new vulnerabilities found this year. Trend Micro’s Zero Day Initiative has published nearly 400 SCADA-related vulnerability advisories in 2018 so far – a 200 percent increase compared to the same time last year.
Based on a recent survey by Trend Micro, operational technologies like these have not typically been managed by IT or security teams. The ongoing confusion around who in an organization is responsible for securing connected devices often leaves them more at risk.
[Figure: Breakdown of origin countries for non-critical and critical attacks from the SCADA honeypot research]
To protect HMI systems against the risk of attack, security leaders must ensure that any interface which has to be connected to the internet is properly secured. Likewise, these devices should be isolated as far as possible from the corporate network, which maintains operational needs while eliminating the risk of exposure and exploitation.
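One way to verify that the isolation described above actually holds is to audit firewall or flow logs for any allowed connection that reaches an HMI host from outside the approved engineering network. The following is an added example, not code from Trend Micro or from the report; the network layout (a 10.10.50.0/24 engineering subnet, two HMI hosts in 10.20.1.0/24), the key=value log format and the sample log lines are all constructed for illustration. It labels sources as engineering, corporate (other RFC 1918 space) or external, and raises a finding for every allowed HMI connection that did not originate in the engineering subnet.

```python
"""Audit flow-log lines for connections that reach HMI hosts from outside the
approved engineering network (added example with a hypothetical network layout)."""
import ipaddress
import re
from typing import Optional

# Hypothetical network layout, constructed for this example.
ENGINEERING_SUBNET = ipaddress.ip_network("10.10.50.0/24")  # the only approved source zone
HMI_HOSTS = {ipaddress.ip_address("10.20.1.10"), ipaddress.ip_address("10.20.1.11")}
# Explicit RFC 1918 list; any source outside these ranges is treated as external (internet).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports that commonly carry HMI/SCADA services, used only to label findings.
SERVICE_NAMES = {80: "http", 443: "https", 102: "s7comm", 502: "modbus", 5900: "vnc", 44818: "enip"}

# Simple key=value flow format assumed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>allow|deny)$"
)

# Constructed sample log lines (not real data); the last line is deliberately malformed.
SAMPLE_LOGS = """\
2018-11-01T10:00:01Z src=10.10.50.5 dst=10.20.1.10 dport=502 action=allow
2018-11-01T10:00:02Z src=10.30.7.22 dst=10.20.1.10 dport=5900 action=allow
2018-11-01T10:00:03Z src=203.0.113.9 dst=10.20.1.11 dport=80 action=allow
2018-11-01T10:00:04Z src=10.30.7.22 dst=10.20.1.11 dport=102 action=deny
2018-11-01T10:00:05Z src=10.10.50.7 dst=10.20.1.11 dport=443 action=allow
this line is not in the expected format
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def source_zone(src: ipaddress.IPv4Address) -> str:
    """Classify a source address as engineering, corporate (other RFC 1918) or external."""
    if src in ENGINEERING_SUBNET:
        return "engineering"
    if any(src in net for net in INTERNAL_NETWORKS):
        return "corporate"
    return "external"


def classify(entry: dict) -> Optional[dict]:
    """Return a finding for allowed HMI traffic from a non-engineering source, else None."""
    if entry["dst"] not in HMI_HOSTS or entry["action"] != "allow":
        return None  # not HMI traffic, or the segmentation policy already blocked it
    zone = source_zone(entry["src"])
    if zone == "engineering":
        return None
    external = zone == "external"
    return {
        "ts": entry["ts"],
        "src": str(entry["src"]),
        "dst": str(entry["dst"]),
        "service": SERVICE_NAMES.get(entry["dport"], f"tcp/{entry['dport']}"),
        "severity": "high" if external else "medium",
        "reason": "internet-exposed HMI" if external else "HMI reachable from corporate network",
    }


def audit(log_text: str) -> list:
    """Run every parseable line through classify() and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines instead of aborting the whole audit
        finding = classify(entry)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOGS):
        print(f"[{f['severity']}] {f['ts']} {f['src']} -> {f['dst']} ({f['service']}): {f['reason']}")
```

On the sample data this reports two findings: a corporate workstation reaching an HMI's VNC service (medium) and an internet address reaching an HMI's web interface (high); the denied attempt and the engineering-subnet connections produce nothing, because those are the policy working as intended. Allowed external traffic to an HMI is the condition the report warns about and is the one to treat as an incident rather than a configuration note.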
“If we hadn’t found the command and control malware in our SCADA environment, our toxic gases monitoring systems could have been compromised and may put human lives in danger,” said Ireneo Demanarig, chief information officer, CEITEC S.A. “Security must be at the core of our company.”