To minimize the possibility of a digital attack, Industrial Control Systems (ICS) are supposed to "run" in a physically isolated environment. However, this is not always the case. In their report on the threat landscape facing ICS, Kaspersky Lab experts revealed 13,698 ICS hosts exposed to the network, and it appears that they most likely belong to large organizations.
These organizations are in areas such as energy, transport, aerospace, oil and gas, chemicals, automotive, manufacturing, food and beverages, government agencies, financial institutions and health organizations. 91.1% of these ICS hosts have vulnerabilities that can be exploited remotely.
But that is not the worst of it: 3.3% of the ICS hosts in these organizations contain critical, remotely executable vulnerabilities.
The exposure of ICS data on the Internet provides many opportunities, but also raises many security concerns. On the one hand, connected systems are more flexible in terms of rapid response to critical situations and the rollout of updated versions. On the other hand, Internet expansion gives digital criminals the opportunity to remotely control the most important elements of ICS, which can lead to physical damage to the equipment, as well as potential risk to the entire critical infrastructure.
Sophisticated attacks on ICS systems are nothing new. In 2015, an organized hacker group named BlackEnergy APT attacked an electricity company in Ukraine. In the same year, two more incidents, supposedly related to digital attacks, were reported in Europe: a steel workshop in Germany and Frederic Chopin Airport in Warsaw.
More attacks of this kind will arise in the future, as the attack surface is large. These 13,698 hosts, located in 104 countries, are only a small part of the total number of ICS-enabled hosts available over the Internet.
To help organizations working with ICS systems to identify potential weak points, Kaspersky Lab experts conducted an investigation into ICS threats. Their analysis was based on OSINT (Open Source Intelligence) and information from public sources, such as ICS CERT, with the research period being limited to 2015.
The main findings of the report "The Landscape of Threats in Industrial Control Systems" are:
- Overall, 188,019 hosts have been detected with ICS data available over the Internet in 170 countries.
- Most of the remotely available ICS-based servers are located in the United States (30.5% - 57,417) and in Europe. In Europe, Germany is the leader (13.9% - 26,142 servers), followed by Spain (5.9% - 11,264 servers) and France (5.6% - 10,578 servers).
- 92% (172,982) of the remotely available ICS servers have vulnerabilities. 87% of these hosts contain medium-risk vulnerabilities, and 7% of these contain critical vulnerabilities.
- The number of vulnerabilities in ICS data has increased tenfold over the past five years: from 19 vulnerabilities in 2010 to 189 in 2015. The most vulnerable ICS elements were Human Machine Interface (HMI) systems, electrical devices and SCADA systems.
- 91.6% (172,338 different servers) of all externally available ICS devices use weak Internet protocols, which gives attackers the ability to run man-in-the-middle attacks.
"Our research shows that the larger the ICS infrastructure, the more likely it is to have serious 'holes' in its security. This is not the fault of the software or hardware vendor. By its nature, the ICS environment is a mix of different but interconnected components, many of which are connected to the Internet and contain security issues. There is no 100% guarantee that a particular ICS installation will not have at least one vulnerable component at some point in time. However, this does not mean that there is no way to protect a factory, a power generation plant or even a block in a 'smart' city from digital attacks.
Simply being informed about the vulnerabilities of data used in a particular industrial facility is the basic prerequisite for managing plant safety. This was one of the reasons that led us to develop our report: to help raise awareness among all concerned about the issue," said Andrey Suvorov, Head of Critical Infrastructure Protection at Kaspersky Lab.
To protect the ICS environment from possible digital attacks, Kaspersky Lab's security experts recommend the following:
- Perform a security check: calling in industrial security experts is perhaps the quickest way to identify and eliminate the security gaps described in the report.
- Request external expertise: Today, the security of IT infrastructures is based on knowledge about potential attackers. Access to information from trusted vendors helps organizations anticipate future attacks on the company's industrial infrastructure.
- Provide protection inside and outside the perimeter: Errors happen. A proper security strategy must have significant resources to detect and respond to attacks, and to prevent an attack before it reaches critical and important items.
- Evaluate advanced protection methods: A Default Deny scenario for SCADA systems, regular integrity checks for controllers, and specialized network monitoring can help increase overall company security and reduce the chances of a successful breach, even if some inherently vulnerable nodes cannot be patched or removed.
The full report on "Landscape of Threats in Industrial Control Systems" is available on the website Securelist.com.