Have you exposed your industrial control system (ICS) on the Internet?
“If ICS is connected to the Internet, it comes with an almost 100% guarantee of its being hacked on the first day” E. Kaspersky
I quote the founder of security firm Kaspersky Lab to give you an idea of the concrete risks facing the numerous ICS exposed on the Internet. Hackers, cyber criminals, state-sponsored hackers and other bad actors can hit any industrial system without specific knowledge.
In 2013 ICS-CERT received 181 vulnerability reports from researchers and ICS vendors, of which 177 were true vulnerabilities. Of these, 87 percent were exploitable remotely, while the other 13 percent required local access to exploit the flaws.
A search engine like Shodan, a specific exploit easily available on an underground forum and an anonymizing tool to avoid detection could be sufficient to compromise a system in a critical infrastructure.
In many cases control systems have to be accessible directly from the Internet, which means that they are exposed to the risk of cyber attacks. Probes, brute force attacks, attempts at unauthorized access and scanning are the most frequent events.
“Internet facing devices have become a serious concern over the past few years with remote access demands giving way to insecure or vulnerable configurations. Tools, such as SHODAN, Google and other search engines, enable researchers and adversaries to easily discover and identify a variety of ICS devices that were not intended to be Internet facing.” reports the latest ICS-CERT Monitor (Jan-Apr 2014).
According to ICS-CERT, in many cases devices are not adequately configured, and adversaries with increasing capabilities could benefit from the poor security design of the targeted architectures.
“Most recently, ICS-CERT received reports of three new cyber incidents that resulted from weak network configuration and/or lack of perimeter security. Two of those incidents involved intrusions by unauthorized parties, and the other was identified as vulnerable by a researcher. In the majority of these cases, the system owners are unaware of the nonsecure configurations or the associated risk.” states the last ICS-CERT Monitor.
ICS-CERT reported that a public utility was recently compromised: a threat actor gained unauthorized access to its control system network, and the investigation demonstrated that the system was exposed on the Internet without a strong authentication mechanism. After notification of the incident, forensics experts discovered that the system had already been compromised in the past.
The document presents other cases, including a Sochi Arena HVAC system exposed to the Internet. It was discovered by Billy Rios, a researcher at Qualys, who provided information related to the HVAC and Energy Management System (EMS) associated with the Olympic Games in Russia.
This system was reported to lack authentication requirements to access the control system. The researcher worked with the system integrator to reconfigure the system prior to the Olympics and opening ceremonies.
How to protect ICS?
ICS-CERT recommends taking defensive action to secure ICSs by using defense-in-depth principles. Below are the principal suggestions to minimize the risk of exploitation:
(Security Affairs – ICS, critical infrastructure)