Recent CyberX report finds that plain-text passwords, direct internet connections, and weak anti-virus protections place industrial control systems at risk for cyber attacks
by Phil Neray, VP of Industrial Cybersecurity, CyberX
“Press Here to Kill Everybody,” the provocative title of Bruce Schneier’s new book, gets right to the heart of the risks involved in industrial cybersecurity. Destructive malware such as WannaCry and NotPetya, as well as targeted attacks such as TRITON and Industroyer, have shown the potential impact of cyber attacks on our industrial control systems (ICS). The costly production outages and clean-up costs alone put companies at great risk, but even those are overshadowed by the potential impact of catastrophic safety and environmental incidents.
Though positive steps have lately been taken to secure our ICSs, new data from CyberX, the IIoT and ICS security company, finds that these systems are still soft targets for adversaries. The data behind our 2019 “Global ICS & IIoT Risk Report,” released on October 23, shows that major security gaps remain in key areas such as plain-text passwords, direct connections to the internet and weak anti-virus protection.
We also found the prevalence of Windows XP and other legacy Windows systems has decreased year-over-year — driven top-down by management in the aftermath of NotPetya’s financial damage — but we’re still finding unpatchable Windows systems in 53 percent of all industrial sites.
Unlike questionnaire-based surveys, our report analyzes real-world traffic from production ICS networks, making it a more accurate representation of the current state of ICS security. The report is based on data collected over the past 12 months from more than 850 production ICS networks, across six continents and all industrial sectors including energy and utilities, manufacturing, pharmaceuticals, chemicals, and oil and gas.
Among the key findings of our report, we found that 69 percent of industrial sites have plain-text passwords traversing the network. Lack of encryption in legacy protocols like SNMP and FTP exposes sensitive credentials, making cyber-reconnaissance and subsequent compromise relatively easy.
Whether for convenience or inattention, 40 percent of industrial sites have at least one direct connection to the public internet. With digitization as a key business driver, operational technology (OT) networks are now also increasingly connected to corporate IT networks, providing additional digital pathways for attackers.
According to our findings, at least 57 percent of industrial sites are still not running any anti-virus protections that update signatures automatically, leaving the programs largely ineffective, and 16 percent have at least one wireless access point (WAP). Misconfigured WAPs can be accessed by unauthorized laptops and mobile devices, and sophisticated malware such as VPNFilter targets access points such as routers and VPN gateways, enabling attackers to capture MODBUS traffic, perform network mapping, destroy router firmware and launch attacks on OT endpoints.
As we continue to assess both past attack methods and the current state of our networks and vulnerabilities, a path towards remediation and protection becomes clearer. Not everything can be protected at once, so ruthless prioritization is required. In the report, we lay out a series of eight steps towards protecting an organization’s most essential assets and processes. These include continuous ICS network monitoring to immediately spot attempts to exploit unpatched systems before attackers can do any damage; threat modeling to prioritize mitigation of the highest-consequence attack vectors; and more granular network segmentation.
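To show what continuous network monitoring for the findings above looks like in practice, here is an added example (not code from the report or from CyberX) that scans constructed, Zeek-style connection records for the three conditions the report measures: plain-text credential protocols such as FTP and SNMP on an OT segment, OT hosts talking directly to the public internet, and Modbus reaching OT devices from outside the OT zone. The OT subnet, the internal address ranges and the sample flows are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (simplified Zeek conn.log columns):
# ts src_ip src_port dst_ip dst_port proto service
SAMPLE_FLOWS = """\
1540000001.1 10.10.5.21 49152 10.10.5.200 21 tcp ftp
1540000002.3 10.10.5.21 49153 10.10.5.200 161 udp snmp
1540000003.7 10.10.5.33 50211 10.10.5.40 502 tcp modbus
1540000004.0 10.10.5.33 50212 198.51.100.17 443 tcp ssl
1540000005.5 10.10.5.21 50300 10.10.5.200 22 tcp ssh
1540000006.2 172.16.8.9 61000 10.10.5.40 502 tcp modbus
"""

# Assumptions, not from the report: the OT cell is 10.10.5.0/24, and anything
# outside RFC 1918, loopback and link-local space counts as the public internet.
OT_NETS = [ipaddress.ip_network("10.10.5.0/24")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
# Services whose logins travel in the clear (FTP, Telnet, SNMPv1/v2c community strings).
CLEARTEXT_CRED_SERVICES = {"ftp", "telnet", "snmp"}
MODBUS_PORT = 502

def in_ot(ip):
    return any(ip in net for net in OT_NETS)

def is_internet(ip):
    return not any(ip in net for net in INTERNAL_NETS)

def assess_flows(text):
    """Map each report finding to the sorted list of flows that triggered it."""
    findings = defaultdict(set)
    for line in text.splitlines():
        _ts, src, _sport, dst, dport, _proto, service = line.split()
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Finding 1: credentials crossing an OT segment in plain text
        if service in CLEARTEXT_CRED_SERVICES and (in_ot(s) or in_ot(d)):
            findings["plaintext_credentials"].add((src, dst, service))
        # Finding 2: an OT host with a direct path to the public internet
        if in_ot(s) and is_internet(d):
            findings["direct_internet"].add((src, dst))
        # Finding 3: Modbus reaching an OT device from outside the OT zone
        if int(dport) == MODBUS_PORT and in_ot(d) and not in_ot(s):
            findings["modbus_from_outside_ot"].add((src, dst))
    return {k: sorted(v) for k, v in findings.items()}
```

Calling `assess_flows(SAMPLE_FLOWS)` on the constructed records flags the FTP and SNMP sessions, the OT host reaching 198.51.100.17, and the Modbus session arriving from the 172.16.8.9 corporate address; the same function can be fed a real conn.log export once the address plan matches the site.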
Analyzing the data for the second time in two years also gave us an opportunity to compare data and look for trends. Perhaps the most important conclusion we reached after looking at the delta between last year’s report and this year’s report is that the delta itself is small, and the industry may not have changed much over the course of the past year. Other than the drop in industrial sites using legacy Windows systems from 76 percent last year to 53 percent this year, the rest of our data changed in relatively small increments.
In comparison to last year, when the median overall risk-readiness score across all industrial verticals was 61 percent, our latest research puts the score at 70 percent. These results, however, fall short of CyberX’s minimal recommended readiness score of 80 percent. With this year’s report, the risk-readiness score by industry is 67 percent for manufacturing, 68 percent for pharmaceuticals and chemicals, 79 percent for energy and utilities, and 81 percent for oil and gas.
As these numbers suggest, awareness about the need for stronger ICS defenses is growing, but there’s still a lot of work to be done. When looking at the scope of the current ICS security situation and its many complexities, it bears remembering that we are attempting to close a 25-year gap between OT and IT security practices.
About the Author
Phil Neray, vice president of Industrial Cybersecurity, CyberX. Prior to CyberX, Phil held executive roles at enterprise security leaders including IBM Security/Q1 Labs, Symantec, Veracode, and Guardium. Phil began his career as a Schlumberger engineer on oil rigs in South America and as an engineer with Hydro-Quebec. He has a BSEE from McGill University, is certified in cloud security (CCSK), and has a 1st Degree Black Belt in American Jiu Jitsu. Phil can be reached on Twitter at @rdecker99.