Because of a weak cybersecurity culture, industrial control systems continue to be easy targets for hackers. CyberX experts have prepared a report in which they identify what is going wrong and propose the best ways to remedy the situation.
Up to 40% of industrial sites have at least one public Internet connection
Keeping critical systems disconnected remains an effective way to reduce the chance of an attack. Without Internet connectivity, attackers must be on site to perform the operations they need. However, many companies do not maintain this isolation: more than a third of industrial facilities have at least one Internet connection. Search tools such as Shodan make it easy to find insecure devices and let attackers invade industrial networks with little effort. And a single channel is enough to penetrate the system.
16% of sites have at least one wireless access point, and 84% have at least one device that can be accessed remotely. Both are additional entry points for attackers.
Outdated Windows versions are installed at 53% of sites
Industrial facilities often run embedded systems that are difficult to update, let alone to migrate to a different operating system. Outdated and no longer supported versions of Windows receive no fixes for new vulnerabilities, which creates significant security gaps. More than half of the industrial facilities monitored by CyberX (the most widely used protection platform for ICS and IoT systems – Ed.) have outdated and unsupported Windows versions.
Support for Windows Vista ended in 2017, and for XP in 2014. Windows 8’s life cycle came to an end in 2016 (8.1 still has a little time left), and Windows 7 will be retired in 2020. Companies can buy extended support from Microsoft, but it is expensive and only a temporary solution.
69% of industrial networks use unencrypted passwords
Unencrypted passwords have been considered a bad idea since time immemorial. Anyone who intercepts them can study your network and gain easy access to everything of interest, regardless of whatever other defences you have built. Unfortunately, this has taught the employees of industrial enterprises nothing; they keep making the same simple and fatal mistakes. CyberX found unencrypted passwords in 69% of industrial control system networks.
“They are usually associated with legacy devices that do not support modern secure protocols such as SNMP v3 or SFTP,” the report says.
57% of sites do not have anti-virus protection with automatic signature updates
In the first half of 2018, Kaspersky Lab identified 19,000 types of malware belonging to 2,800 different families. Given the continuing emergence of ever more malicious programs, automatic signature updates play an increasingly important role in organizing anti-virus protection. Yet more than half of industrial control system networks lack automatically updated anti-virus systems, which makes attackers' work easier.
ICS security stagnates
Industrial systems are indeed insecure today, but the lack of any progress in this area is even more worrying. “Not much has changed in the industry over the past year,” says the CyberX report. The only significant change compared to last year’s survey is the decrease in the number of sites with legacy Windows systems: their share fell from 76% in 2017 to 53% in 2018.
“There is still a lot of work to be done here,” the report says. “But remember, we are trying to bridge the roughly 25-year gap between operational technology and IT security practices.”
Legacy protocols make monitoring difficult
Industrial systems are often years old. Because adjusting them is difficult and expensive, they remain unchanged for many years. The CyberX study found that the protocol most commonly used in industrial plants is Modbus, a serial communication protocol first published by Modicon (now Schneider Electric) in 1979.
This creates additional monitoring challenges because traditional tools designed for corporate IT networks do not understand protocols like Modbus TCP, so organizations do not know what is happening on their network. A poll conducted by Kaspersky Lab showed that almost half of enterprises lack the tools to detect attacks on their industrial control system devices.
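The monitoring gap described above exists because an IT tool that does not decode Modbus TCP cannot tell a harmless register read from a write that changes a process setpoint. The following added example, which is not part of the original article or of the CyberX report, shows the decoding a passive sensor has to do: it parses the 7-byte MBAP header and the function code of Modbus TCP frames, separates reads from writes, and raises alerts for writes coming from hosts other than known engineering workstations, for exception responses, and for malformed frames. The sample frames, the host addresses and the set of engineering workstations are constructed for illustration; the frame layout and function codes follow the public Modbus Application Protocol specification.

```python
import struct
from collections import Counter

# Public Modbus function codes of interest for monitoring (Modbus Application Protocol spec).
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def parse_mbap(frame: bytes) -> dict:
    """Parse one Modbus/TCP frame: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match payload of {len(frame) - 6} bytes")
    fc = frame[7]
    data = frame[8:]
    base = fc & 0x7F                       # high bit set marks an exception response
    rec = {"tid": tid, "unit": unit, "fc": base, "exception": bool(fc & 0x80)}
    if base in READ_CODES:
        rec["kind"], rec["name"] = "read", READ_CODES[base]
    elif base in WRITE_CODES:
        rec["kind"], rec["name"] = "write", WRITE_CODES[base]
    else:
        rec["kind"], rec["name"] = "other", f"function {base}"
    if rec["exception"]:
        rec["exception_code"] = data[0] if data else None
    elif (base in READ_CODES or base in WRITE_CODES) and len(data) >= 4:
        # Requests for these codes all start with a 16-bit address followed by a
        # 16-bit quantity (reads, multi-writes) or value (single writes).
        rec["address"], rec["value_or_count"] = struct.unpack(">HH", data[:4])
    return rec


def audit_modbus(records, engineering_hosts):
    """records: iterable of (src_ip, frame). Returns (per-source counts, alerts).

    Writes are expected only from known engineering workstations; a write from any
    other host, an exception response, or a malformed frame is worth an analyst's look.
    """
    counts = Counter()
    alerts = []
    for src, frame in records:
        try:
            rec = parse_mbap(frame)
        except ValueError as err:
            alerts.append(f"{src}: malformed Modbus/TCP frame ({err})")
            continue
        counts[(src, rec["unit"], rec["kind"])] += 1
        if rec["exception"]:
            alerts.append(f"{src}: unit {rec['unit']} returned exception code "
                          f"{rec['exception_code']} for {rec['name']}")
        elif rec["kind"] == "write" and src not in engineering_hosts:
            alerts.append(f"{src}: {rec['name']} to unit {rec['unit']} at address "
                          f"{rec['address']} from a non-engineering host")
    return counts, alerts


# Constructed sample traffic: (source address, raw Modbus/TCP frame) as a passive
# sensor would see it on TCP port 502. Addresses and hosts are invented for the example.
ENGINEERING_HOSTS = {"10.0.1.20"}
SAMPLE_RECORDS = [
    # engineering workstation reads 10 holding registers of unit 1 starting at address 0
    ("10.0.1.20", bytes.fromhex("00010000000601030000000a")),
    # engineering workstation writes value 255 to register 16 of unit 1 (expected)
    ("10.0.1.20", bytes.fromhex("0002000000060106001000ff")),
    # unknown host writes two registers starting at 16 of unit 1 (should alert)
    ("10.0.9.77", bytes.fromhex("00030000000b0110001000020400010002")),
    # PLC answers a read with exception code 2 (illegal data address)
    ("10.0.1.5", bytes.fromhex("000100000003018302")),
    # frame with a non-zero protocol id: not Modbus, flagged as malformed
    ("10.0.9.77", bytes.fromhex("000400010006010300000001")),
]

if __name__ == "__main__":
    counts, alerts = audit_modbus(SAMPLE_RECORDS, ENGINEERING_HOSTS)
    for key, n in sorted(counts.items()):
        print(f"{key[0]} -> unit {key[1]}: {n} {key[2]}(s)")
    for alert in alerts:
        print("ALERT", alert)
```

The per-source counts give the baseline of who talks to which unit and whether they only read; the alerts are the deviations from that baseline. In a real deployment the records would come from a span port or tap on the control network rather than from an embedded list.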
Six Priority Steps to Protect Industrial Systems
Identify the most important processes. Consider which processes are most at risk of failing, and focus on securing them first.
Map your network. To defend properly, you need to know what you are defending. Gather information about every component of the industrial control system (model, type, operating system, firmware version, etc.), about their connections, about how information moves across the network, and about how internal and external connections to these components are made.
Find the routes most likely to be attacked. Penetration testing and threat modeling can help determine the likely ways for attackers to enter the network and compromise devices. Use this information to implement mitigations and close monitoring on site.
Draw up and follow rules of cyber hygiene. Reduce the number of Internet connections, introduce two-factor authentication, do not use unencrypted passwords, install updates regularly, and prevent unauthorized external devices from connecting to the industrial control system network.
Set up an OS update schedule. Updating industrial systems is not easy, but it is a very important task that reduces the scope for attacks. Plan and install updates in a way your team can handle. Segregate and monitor any systems that cannot be replaced or upgraded.
Bridge the silos between operational and information technology. Engage operations personnel in the security operations center (SOC) and let IT security professionals participate in operations teams, sharing knowledge and experience and developing a better understanding of the unique security requirements of these systems.
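The first five steps above, and the findings earlier in the article (Internet-connected devices, cleartext protocols on legacy equipment, unsupported Windows versions), come together in one working artifact: an asset map that is checked against the hygiene rules and ranked by process criticality. The following added example, which is not from the article or from CyberX, does that over a constructed inventory and a handful of constructed flow records such as a firewall or passive sensor would export. The plant address range, the host names and addresses, the criticality ratings and the port-to-protocol table are all assumptions made for the example; the end-of-support years for Windows are the ones the article states. Matching cleartext protocols by port is a heuristic, so SNMP on port 161 is flagged for verification rather than declared insecure, since it may already be v3.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: the per-device record an asset map (step 2) should hold.
# criticality 1 = most critical process (step 1).
ASSETS = {
    "10.0.1.5":  {"name": "PLC-Boiler-1",  "os": "embedded",            "criticality": 1},
    "10.0.1.20": {"name": "ENG-WS-1",      "os": "Windows 7",           "criticality": 2},
    "10.0.1.30": {"name": "HMI-Packaging", "os": "Windows XP",          "criticality": 2},
    "10.0.1.40": {"name": "Historian",     "os": "Windows Server 2016", "criticality": 3},
}

# Constructed flow records (src, dst, dst_port, protocol); external addresses use
# documentation ranges (RFC 5737) so they resolve to nothing real.
FLOWS = [
    ("10.0.1.20", "10.0.1.5", 502, "tcp"),       # engineering workstation -> PLC (Modbus/TCP)
    ("10.0.1.30", "203.0.113.10", 443, "tcp"),   # HMI talking to an address outside the plant
    ("198.51.100.7", "10.0.1.30", 3389, "tcp"),  # inbound remote desktop from outside the plant
    ("10.0.1.40", "10.0.1.5", 161, "udp"),       # SNMP polling of the PLC
    ("10.0.1.20", "10.0.1.40", 21, "tcp"),       # FTP to the historian
]

# Assumed plant address space; anything outside it counts as external connectivity.
PLANT_NETWORKS = [ipaddress.ip_network("10.0.1.0/24")]

# Windows releases the article lists as already out of support (XP 2014, Vista 2017,
# 8 in 2016) and the one it says will be retired in 2020.
UNSUPPORTED_WINDOWS = {"Windows XP", "Windows Vista", "Windows 8"}
RETIRING_WINDOWS = {"Windows 7": 2020}

# Protocols that carry credentials in the clear, with the replacement to migrate to.
CLEARTEXT_PORTS = {
    21: ("FTP", "SFTP"),
    23: ("Telnet", "SSH"),
    80: ("HTTP", "HTTPS"),
    161: ("SNMP (verify v1/v2c vs v3)", "SNMP v3"),
}


def is_external(ip: str) -> bool:
    """True when the address lies outside every known plant network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PLANT_NETWORKS)


def audit_site(assets, flows):
    """Return {asset_ip: [finding, ...]} for external connectivity, cleartext
    protocols and unsupported operating systems (steps 4 and 5)."""
    findings = defaultdict(list)
    for src, dst, port, proto in flows:
        # Either endpoint may be the plant asset; the other is the peer.
        for local, peer in ((src, dst), (dst, src)):
            if local in assets and is_external(peer):
                direction = "outbound to" if local == src else "inbound from"
                findings[local].append(f"external connection {direction} {peer} ({proto}/{port})")
        if port in CLEARTEXT_PORTS and dst in assets:
            name, fix = CLEARTEXT_PORTS[port]
            findings[dst].append(f"cleartext protocol {name} from {src}; migrate to {fix}")
    for ip, asset in assets.items():
        if asset["os"] in UNSUPPORTED_WINDOWS:
            findings[ip].append(f"unsupported OS {asset['os']}; isolate and monitor if it cannot be upgraded")
        elif asset["os"] in RETIRING_WINDOWS:
            findings[ip].append(f"{asset['os']} support ends {RETIRING_WINDOWS[asset['os']]}; schedule upgrade")
    return dict(findings)


def prioritize(assets, findings):
    """Order assets with findings by process criticality (1 first), then by finding count."""
    return sorted(findings, key=lambda ip: (assets[ip]["criticality"], -len(findings[ip])))


if __name__ == "__main__":
    report = audit_site(ASSETS, FLOWS)
    for ip in prioritize(ASSETS, report):
        print(f"{ASSETS[ip]['name']} ({ip}), criticality {ASSETS[ip]['criticality']}:")
        for finding in report[ip]:
            print("  -", finding)
```

The output is the working list for steps 3 to 5: the boiler PLC comes first because of its process criticality even though it carries only one finding, while the XP-based HMI with Internet exposure in both directions follows immediately. Systems that cannot be upgraded stay on the list with their isolation and monitoring requirement rather than dropping out of view.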