A disturbingly high percentage of industrial control systems (ICS) — the technology used to manage everything from water treatment plants to the International Space Station — are eminently vulnerable to malicious hackers, according to tests performed by a leading global security firm.
Positive Technologies reported on Thursday that its researchers were able to penetrate 73 per cent of industrial organisations. In 82 per cent of successful infiltrations, the researchers said it was possible to "gain a foothold and leverage it to access the broader industrial network, which contained ICS equipment."
ICS is a term that describes various technologies, such as SCADA, for controlling systems used in industrial automation by manufacturing, power, water, and wastewater plants, the oil and gas industry, and many other sectors.
While the use of ICS equipment isn't new, the expansion of the internet and wireless technology brought a new level of connectivity to ICS, ultimately enhancing its efficiency and speed while leaving the systems increasingly vulnerable to malicious attack.
"Vulnerabilities that would have been fixed years ago on ordinary systems often remain untouched, because organisations are afraid to make any changes that might cause downtime," Positive Technologies said in its report. What's more, methods used by industries to safeguard ICS, such as "air-gapping" the equipment from internet-connected systems, often fail to prevent attacks.
The most successful attack vector exploited to gain perimeter network access came from vulnerabilities in web applications, the researchers said, including SQL injection, arbitrary file uploads, and remote command execution. "Almost every company used dictionary passwords for web server administration systems or for remote access via management protocols, which allowed continuing the attack vector to obtain LAN access in one third of cases," the report states.
Brian Contos, CISO and chief security strategist at Verodin, said that keeping ICS running is often essential as such systems are in place "literally to keep the lights on." This means that interrupting their typical function to run security tests poses problems. "Security practices that are commonplace in IT such as vulnerability scanning, patching, and the introduction of endpoint or network security controls, are often seen as too great a risk as it relates to availability."
In a joint alert last month, the FBI and the Department of Homeland Security accused state-run Russian hackers of targeting the US energy grid, using the same process described by Positive Technologies — gaining a foothold in the network and navigating onward to critical systems.
"DHS and FBI characterise this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities' networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks," the alert stated. "After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally and collected information pertaining to Industrial Control Systems (ICS)."
Contos said that while ICS systems were once mostly air-gapped — meaning physically isolated from unsecure networks, such as the public internet — more often that's no longer the case, even if the devices were not designed to communicate with networks. Today, many ICS are hyper-connected using both legacy and modern technology, including dial-up, Bluetooth, physical serial connections and more, he said. "There are even mobile phone apps designed to help manage and monitor ICS devices."
On Wednesday, Tenable, a Maryland-based cybersecurity firm, disclosed vulnerabilities in two applications widely used by manufacturers and power plants, which, the company said, may allow hackers to elevate access in networks containing ICS devices.
In 2014, DHS confirmed a US public utility control system had been breached by a sophisticated hacker. Forensic tests revealed previous malicious activity on the network as well. And just last year, North Korea was fingered for attacks on US companies operating industrial control systems.
In at least one case, the hackers managed to gain access to the network of a US energy company.
"Security is not just a technical problem, but an organizational one," said Paolo Emiliani, a SCADA research analyst at Positive Technologies. "On average, each company we tested had at least two penetration vectors. A company might have a number of facilities very far apart from each other, with only a handful of security staff to go around. This puts security staff in a difficult position: they have to enable remote desktop access to get their job done, even though this opens security holes."
The problem is worsened when multiple teams are tasked with overseeing an industrial systems: communication breakdowns exacerbate vulnerability.
"A lack of processes usually leaves covering the unaddressed parts of the cybersecurity processes solely to humans, and humans make mistakes," Emilani said. "Moreover, unsecured architecture with un-patched or un-patchable environments and no monitoring mechanisms combine to form a perfect storm for ICS insecurity."