Over the past few years, industrial control systems (ICS) components have proven to be increasingly vulnerable and more frequently accessible from the Internet, which significantly amplifies the risk they are exposed to, Kaspersky Lab researchers warn.
According to numbers from Kaspersky, 189 vulnerabilities were discovered in ICS components last year, a ten-fold increase compared to 2010, when only 19 were published.
Sophisticated attacks on ICS are on the rise as well, such as the Ivano-Frankivsk, Ukraine, incident last year, just one of the multiple attacks that leveraged BlackEnergy malware. Also in 2015, there was an attack on Kemuri Water Company’s ICS infrastructure, which resulted in hackers changing the levels of chemicals used to treat tap water. Other ICS-related incidents have been reported as well.
Kaspersky security researchers focused on both the number of vulnerabilities in ICS and on the availability of ICS components over the Internet, and split their research into two separate reports, each dealing with one of these aspects. The first report was compiled based on data from open sources, such as Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) advisories, NVD/CVE, and more, while the second report is based on information from the Shodan search engine.
According to Kaspersky researchers, while 189 security issues in ICS components were published in 2015, they might have been lingering for years before being discovered. Of these issues, 49% were rated critical and 42% medium severity. 10% were never patched, and most of those (14 out of 19) are high-risk flaws. In fact, Kaspersky says that only 85% of the published vulnerabilities received a fix, while 5% were only partially patched.
Known exploits are available for 26 of the vulnerabilities published in 2015, but for many flaws exploit code is not needed to access the impacted system. What’s more, default credentials are often not changed, which means that attackers can use them to gain remote control over the system. One example is a hard-coded password issue affecting 11,904 remotely available SMA Solar Sunny WebBox interfaces.
Vulnerabilities were discovered in ICS components from 55 different manufacturers and of multiple types (HMI, electric devices, SCADA, industrial network devices, PLCs and multiple others), with Siemens, Schneider Electric and Hospira devices accounting for the largest number of bugs. The most commonly found issues are buffer overflows (9% of all vulnerabilities), use of hard-coded credentials (7%) and cross-site scripting (7%).
When it comes to the availability of ICS components via the Internet, the numbers are impressive: 220,668 of them were discovered by the Shodan search engine, the researchers say. These components are located on 188,019 hosts in 170 countries, but most of them are in the United States (30.5%) and European countries such as Germany (13.9%) and Spain (5.9%), with France and Italy following close.
The available systems come from 133 different vendors, with Tridium (11.1%), Sierra Wireless (8.1%), and Beck IPC (6.7%) in the lead. With 61,335 services (27.8%), industrial network devices (including 41,968 industrial routers and 12,024 industrial gateways) are the most widespread type of component available on the Internet, followed by PLCs with 33,080 services (14.9%) and SCADA with 22,624 services (10.3%).
According to Kaspersky, many of the remotely available ICS components use insecure protocols, which increases their exposure. The researchers also estimate that the total number of vulnerable ICS hosts is 172,982 (92%), and reveal that multiple industries are affected by these security issues (including 1,433 large organizations belonging to industries such as electricity, aerospace, transportation, oil and gas, and many others).
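The three exposure factors the report counts (cleartext protocols reachable from the Internet, unchanged default or hard-coded credentials, and known vulnerabilities left unpatched) are the same ones an asset owner can check against their own inventory. The following is an added example of such a triage pass, not Kaspersky's methodology or tooling: it takes a constructed inventory of exposed services, lists the risk reasons per host, and produces the same kind of per-component and per-protocol counts the report uses. The set of protocols treated as cleartext, the field names, the 192.0.2.x addresses and the vulnerability identifiers are all assumptions made for the example.

```python
"""Triage of an Internet-exposed ICS service inventory (added example, not from the report)."""
from collections import Counter
from dataclasses import dataclass

# Protocols that carry neither authentication nor encryption on the wire.
# Assumed list for this example; the report does not enumerate the protocols it counted.
CLEARTEXT_PROTOCOLS = {"modbus/tcp", "telnet", "http", "ftp", "snmpv1", "snmpv2c"}


@dataclass(frozen=True)
class ExposedService:
    host: str
    vendor: str
    component: str               # e.g. "plc", "hmi", "scada", "industrial router"
    protocol: str
    default_credentials: bool    # assumed to come from an internal credential audit
    unpatched_vulns: tuple = ()  # placeholder identifiers, not real CVE numbers


def risk_reasons(svc: ExposedService) -> list:
    """Return the exposure factors that apply to one service (empty list if none)."""
    reasons = []
    if svc.protocol.lower() in CLEARTEXT_PROTOCOLS:
        reasons.append(f"cleartext protocol {svc.protocol} reachable from the Internet")
    if svc.default_credentials:
        reasons.append("default or hard-coded credentials still in use")
    if svc.unpatched_vulns:
        reasons.append(f"{len(svc.unpatched_vulns)} known vulnerability(ies) unpatched")
    return reasons


def triage(services) -> dict:
    """Map each host with at least one exposure factor to its list of reasons.

    A host running several services accumulates the reasons of all of them.
    """
    per_host = {}
    for svc in services:
        reasons = risk_reasons(svc)
        if reasons:
            per_host.setdefault(svc.host, []).extend(reasons)
    return per_host


def summarize(services) -> dict:
    """Counts in the style of the report: hosts, vulnerable hosts, component and protocol breakdown."""
    hosts = {svc.host for svc in services}
    vulnerable = triage(services)
    by_component = Counter(svc.component for svc in services)
    cleartext = Counter(
        svc.protocol.lower() for svc in services
        if svc.protocol.lower() in CLEARTEXT_PROTOCOLS
    )
    return {
        "hosts": len(hosts),
        "vulnerable_hosts": len(vulnerable),
        "vulnerable_pct": round(100 * len(vulnerable) / len(hosts), 1) if hosts else 0.0,
        "by_component": dict(by_component),
        "cleartext_by_protocol": dict(cleartext),
    }


# Constructed sample inventory (documentation addresses, fictitious vendors and identifiers).
SAMPLE = [
    ExposedService("192.0.2.10", "VendorA", "plc", "Modbus/TCP", False),
    ExposedService("192.0.2.11", "VendorB", "hmi", "HTTPS", True),
    ExposedService("192.0.2.12", "VendorC", "industrial router", "HTTPS", False),
    ExposedService("192.0.2.13", "VendorD", "scada", "HTTP", False, ("PLACEHOLDER-VULN-1",)),
    ExposedService("192.0.2.14", "VendorA", "industrial gateway", "Telnet", True),
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
    print(summarize(SAMPLE))
```

Running the block on the constructed inventory flags four of the five hosts; the one HTTPS-only router with changed credentials and no open vulnerabilities is the only host with nothing to report. Replacing `SAMPLE` with an export from a real asset inventory is the intended use; the report's point that its Shodan figures are a lower bound applies equally here, since a host absent from the inventory is never checked.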
“The above results are only lower bound estimations, and real number of available ICS components associated with significant risks could be much higher,” Kaspersky Lab researchers say. “Nowadays, ICS owners should be aware of modern vulnerabilities and threats, and actively improve the security of their ICS environments based on this knowledge. Here, active vendor support is crucial for the prompt identification and remediation of vulnerabilities in ICS products, as well as for sharing workarounds to protect systems before patches are released.”
“There is no 100 percent guarantee that a particular ICS installation won’t have at least one vulnerable component at any single moment in time,” said Andrey Suvorov, Head of Critical Infrastructure Protection, Kaspersky Lab. “However, this doesn’t mean that there is no way to protect a factory, a power plant, or even a block in a smart city from cyber-attacks. Simple awareness of vulnerabilities in the components used inside a particular industrial facility is the basic requirement for security management of the facility.”
“Many older Industrial Control Systems are retrofitted to be accessible via the Internet, but security is unfortunately little more than a password sometimes and the older operating systems dominating this sector are susceptible to hacks,” commented Michael Patterson, CEO and Founder of Plixer. “A better strategy is to head-end the ICS with a device that is designed to make Internet connections secure (e.g. dual factor authentication). Secondly, configuration changes should require multiple people to confirm via mobile device. This is especially important when dealing with critical infrastructure elements like nuclear power or water treatment facilities–something as vital as controlling chemical levels in tap water should be far more secure.”