Industrial control systems (ICS) used to administer equipment in manufacturing, energy, transportation and other critical industries often lack sufficient perimeter protection against hackers, a new study found.
Vulnerabilities that would have been fixed years ago on corporate networks remain unguarded, mainly because organizations fear the high cost of downtime to upgrade cyber security systems and software, Positive Technologies said in its research report, Industrial Companies: Attack Vectors. In the ICS security specialist’s tests, attackers were able to penetrate the network perimeter of 73 percent of industrial organizations. At 82 percent of those markers tested, it was possible to gain a foothold to access the broader industrial network containing ICS equipment.
“Industrial control systems are critical to operations at industrial facilities, but poorly protected in terms of information security,” the study’s authors wrote. “Successful attacks against ICS components can cause more than just financial losses. Unauthorized modification or disruption may lead to blackouts, transportation failures, or even major disasters with loss of life.”
In addition to flaws on the network perimeter, here’s some of the study’s other findings:
Attacks are easy. Of the main attack vectors that enabled piercing of the industrial network from the corporate network, 67 percent were either low or trivial in difficulty. Implementing these attack vectors only requires leveraging existing configuration flaws in devices and network segmentation and OS vulnerabilities.
Remote desktop access. In 64 percent of network penetration cases, these flaws were introduced by administrators and involved remote desktop access. Administrators at industrial companies often enable remote desktop access so that they administer devices from their offices rather than making site visits.
Passwords, software updates. The corporate information system at every tested company was found to use dictionary passwords and obsolete software versions with known vulnerabilities, granting the attacker maximum domain privileges and control of the entire network infrastructure.
"Security is not just a technical problem, but an organizational one,” said Paolo Emiliani, an industry research analyst at Positive Technologies. “A lack of processes usually leaves covering the unaddressed parts of the cybersecurity processes solely to humans, and humans make mistakes. Moreover, unsecured architecture with un-patched or unpatchable environments and no monitoring mechanisms combine to form a perfect storm for ICS insecurity."
Here’s more from the study:
- Configuration flaws are the cause of seven of the top 10 network perimeter vulnerabilities.
- Source code vulnerabilities in web applications accounted for a number of the top 10 network perimeter vulnerabilities.
- By exploiting such vulnerabilities as Remote Command Execution and Arbitrary File Upload, an attacker can penetrate the perimeter of an industrial company, if its web application is running on a server connected to the LAN.
- 43 percent of web applications on the perimeter of industrial corporate information systems are characterized by a poor security level.
- High severity level applies to half of the top 10 corporate information system perimeter vulnerabilities at industrial companies.
- Obsolete versions of software, such as web servers, operating systems, and applications, often contain critical vulnerabilities.
“The easiest scenario for an attacker, and the most dangerous for defenders, is when the industrial network is not isolated from the corporate information system. This security issue affected 18 percent of tested companies,” the report’s authors wrote. “Even one ICS cyber incident can cause irreparable consequences, including accidents and loss of life.”