Industrial cyber security continues to be poor, warns report

Unprotected industrial control systems (ICS) can be found by simply searching on Google or Shodan, according to a research report UK-based security firm Positive Technologies.

This is especially worrying in light of the fact that ICS components left exposed to the public internet is increasing every year, and that these components typically run factories, transport networks, power plants and other facilities.

The researchers found a nearly 10% increase to 64,287 in the past year of IP addresses for ICS components in the US, which along with the Germany, China, France and Canada have the largest number of internet-accessible ICS components.

Of the 175,632 internet-accessible ICS components detected, approximately 42% were in the US, followed by Germany with 13,242, France (7,759), Canada (7,371), Italy (5,858) and China (4,285).

The UK ranked 7th in 2017 with 4,240 internet-accessible ICS components detected, which is worse than countries like Spain, the Netherlands, Australia Belgium, South Korea, Norway and Sweden.

The research also noted that a growing number of internet-accessible ICS components are actually network devices, such as Lantronix and Moxa interface converters, which represented nearly 13% of detected components in 2017, up from 5.06% in 2016. Although these converters are often regarded as relatively unimportant, they can be quite useful for hackers, the researchers said, as has been seen in a number of high-profile attacks.

The most common software on internet-accessible ICS components is Niagara Framework components, which connect and enable management control over systems like air conditioning, power supplies, telecommunications, alarms, lighting, security cameras and other important building systems.

Another key finding of the report is the growing number of vulnerabilities in ICS components being reported by major suppliers, with this number up 71% from 2017 to 197. Over half of these vulnerabilities were of critical or high risk in nature, the report said.

A large share of the vulnerabilities disclosed in 2017 involved ICS network equipment such as switches, interface converters, and gateways. This is especially worrisome, the report said, because network equipment is increasingly internet-connected and most reported ICS vulnerabilities can be exploited remotely without attackers needing to obtain privileges to access targeted systems.

In terms of the number of vulnerabilities publicly disclosed in 2017, the previous year's leader, Siemens, fell back to second place. The 47 vulnerabilities disclosed in Schneider Electric ICS products are almost 10 times as many as the number from the year before, while Moxa showed a growing vulnerability count with 36 in 2017 compared with 18 in 2016.

“Despite numerous incidents, reports, and large-scale regulatory efforts, it is alarming that, overall, industrial systems are not more secure than they were ten years ago,” said Vladimir Nazarov, head of ICS security at Positive Technologies.

“Today, anyone can go on the internet and find vulnerable building systems, datacentres, electrical substations, and manufacturing equipment,” he said.