There’s no doubt that by now CISOs in organizations with industrial control systems (ICS) that connect to the Internet are well aware that those systems can be used as an attack vector. However, the number of vulnerabilities discovered increases every year. At the same time, architectures built on older, unsupported systems are harder to fix unless the network is completely overhauled.
Some firms make the problem worse by improperly configuring their devices and allowing them to connect to the Web when there’s no need.
This has come into sharper focus with the release today of reports on the ICS landscape from Kaspersky Labs, which warns organizations they can no longer put safety ahead of security when it comes to industrial control systems.
For real-world proof you only need to look at the attack last December on Ukraine’s Prykarpattya Oblenergo power utility, which used the BlackEnergy trojan and cut power for several hours to 1.4 million people.
ICS is the industrial side of the Internet of Things, with control devices found in electrical, energy and water utilities, machine factories, pharmaceutical production lines, hospitals, municipal street signals and airports.
Through a search of Internet-facing interfaces with the Shodan search engine, Kaspersky recently found 220,668 ICS components on 188,019 hosts in 170 countries. Of those Kaspersky found 13,033 vulnerabilities on 11,882 hosts (6.3% of all hosts with externally available components). The most widespread of them were the Sunny WebBox Hard-Coded Credentials (CVE-2015-3964), and critical vulnerabilities CVE-2015-1015 and CVE-2015-0987 in Omron CJ2M PLC.
(Top five vulnerabilities on ICS components. Kaspersky graphic)
In addition, Kaspersky found 91 per cent of all the ICS components use open, insecure-by-design protocols such as HTTP, Niagara Fox, Telnet, EtherNet/IP, Modbus, BACnet, FTP, Omron FINS, Siemens S7 and many others. These protocols carry no authentication or integrity protection, so they could be used for man-in-the-middle attacks, says the report.
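To make the “insecure by design” point concrete, here is an added example (not code from the Kaspersky report or from any vendor) that builds and parses a Modbus/TCP “Write Single Register” request and then audits a constructed batch of requests. The frame format (MBAP header plus function code) is standard Modbus/TCP; the allowlist of engineering hosts, the IP addresses and the sample traffic are assumptions made up for this illustration. The protocol has no field in which a credential could even be carried, so a write from an attacker and a write from the legitimate HMI are identical on the wire; the only compensating control the example can apply is where the request came from.

```python
import struct

# Modbus function codes that change controller state (subset, for this example).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


def build_write_single_register(transaction_id, unit_id, address, value):
    """Build a Modbus/TCP 'Write Single Register' request (function code 6).

    Note what is absent: there is no session, credential or signature field.
    Any host that can reach TCP/502 on the device can send this frame.
    """
    pdu = struct.pack(">BHH", 6, address, value)          # FC, register, value
    # MBAP header: transaction id, protocol id (0 = Modbus), length, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_frame(frame):
    """Parse the MBAP header and function code of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus" % protocol_id)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    function_code = frame[7]
    info = {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": function_code,
        "write": function_code in WRITE_FUNCTIONS,
    }
    if function_code == 6 and len(frame) == 12:
        info["address"], info["value"] = struct.unpack(">HH", frame[8:12])
    return info


def audit_requests(requests, engineering_hosts):
    """Flag write requests from hosts not on the engineering-workstation allowlist.

    requests: iterable of (source_ip, frame_bytes). Because the protocol cannot
    distinguish a legitimate HMI from an attacker, source allowlisting (assumed
    here) is the compensating control. Returns a list of alert strings.
    """
    alerts = []
    for src, frame in requests:
        info = parse_frame(frame)
        if info["write"] and src not in engineering_hosts:
            alerts.append("%s sent %s (FC %d) to unit %d" % (
                src, WRITE_FUNCTIONS[info["function_code"]],
                info["function_code"], info["unit_id"]))
    return alerts


# Constructed sample traffic (not captured data): one write from the assumed
# HMI address and an otherwise identical write from an unknown host.
HMI = "10.0.1.10"
ENGINEERING_HOSTS = {HMI}
SAMPLE_REQUESTS = [
    (HMI, build_write_single_register(1, 1, 0x0010, 0x0001)),
    ("203.0.113.7", build_write_single_register(2, 1, 0x0010, 0x0000)),
]

if __name__ == "__main__":
    for alert in audit_requests(SAMPLE_REQUESTS, ENGINEERING_HOSTS):
        print("ALERT:", alert)
```

Run as a script it prints one alert for the unknown host. The same applies to S7, FINS, EtherNet/IP and the other protocols the report lists: the device will execute the write either way, so exposure of the port to the Internet, as found on the Shodan-indexed hosts above, is the vulnerability regardless of firmware version.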
“Combining these results with statistics of usage of insecure protocols, we were able to estimate the total number of vulnerable ICS hosts as 172,982 (92%),” says the report.
Most of the remotely available hosts with ICS components are located in the United States (30.5%) and Europe. Canada was fifth with 5,413, almost twice as many as Britain. Those devices (or modules of them) came from 133 different vendors including Tridium Inc. (11.1%), Sierra Wireless of Richmond, B.C. (8.1%), and Beck IPC (6.7%).
What’s worrying is that the number of ICS-related vulnerabilities is increasing. Last year 189 were found, up from 181 in 2014 and 158 in 2013 (although 2012 was a banner year with 192). Of the 189 found last year, 26 have publicly published exploits.
It is true, as Kaspersky notes, that patches and new firmware are available for 85 per cent of the published vulnerabilities found in 2015. However, most of the unpatched vulnerabilities (14 out of 19) are high-risk, including the 11,904 remotely available SMA Solar Sunny WebBox interfaces that are at risk of compromise through hard-coded passwords, which no configuration change on the device can remove.
Public Safety Canada has a five-year national strategy for critical infrastructure which runs to 2017. “Improving the resilience of Canada’s critical infrastructure will always be a work in progress,” it notes in part. “It will never be possible to protect against every threat or hazard and mitigate against every consequence; it is also important to improve the ability to respond to and recover from incidents when they occur.” It’s time for a report on the progress of that plan.