New report from Positive Technologies describes attack vectors against networks at industrial organizations
The industrial control systems (ICS) used to control equipment in manufacturing, energy, and other sectors are secured differently than office networks. Vulnerabilities that would have been fixed years ago on ordinary systems often remain untouched, because organizations are afraid to make any changes that might cause downtime. To compensate, these companies try to minimize the chances of exploitation of vulnerabilities; measures include placing ICS components on a separate network, isolating them, or air gapping them entirely from Internet-connected corporate systems. However, penetration testing performed by Positive Technologies has proven that such measures often fall short in practice, leaving attackers plenty of opportunities to access critical equipment. Today, Positive Technologies announced findings from its Industrial Companies: Attack Vectors research report.
In Positive Technologies tests, attackers were able to penetrate the network perimeters of 73 percent of industrial organizations. At 82 percent of those tested, it was possible to gain a foothold and leverage it to access the broader industrial network, which contained ICS equipment.
According to Positive Technologies, one of the easiest ways to gain access to industrial networks is to make use of remote desktop access. Administrators at industrial companies often enable this so that they may remotely administer devices from their offices, rather than making site visits. At every industrial company where network penetration was successful, segmentation or traffic filtering flaws were present. In 64 percent of cases, these flaws were introduced by administrators and involved remote desktop access.
The most common vulnerabilities on corporate networks were dictionary passwords and obsolete software, and these were detected at all tested companies. Such flaws often make it possible for attackers to escalate attacks, giving them maximum domain privileges and control over the entire enterprise infrastructure.
Surprisingly as well, files with system passwords were frequently stored on employee workstations.
Paolo Emiliani, Industry & SCADA Research Analyst at Positive Technologies, explained some of the contributing factors: "Security is not just a technical problem, but an organizational one. On average, each company we tested had at least two penetration vectors. A company might have a number of facilities very far apart from each other, with only a handful of security staff to go around. This puts security staff in a difficult position: they have to enable remote desktop access to get their job done, even though this opens security holes. Compounding the problem, different teams may share responsibility for securing their organizations’ network and industrial systems. In such cases, a lack of communication between teams can result in configuration errors where the two networks meet. A lack of processes usually leaves covering the unaddressed parts of the cybersecurity processes solely to humans, and humans make mistakes. Moreover, unsecured architecture with un-patched or un-patchable environments and no monitoring mechanisms combine to form a perfect storm for ICS insecurity."
A copy of the full research report can be downloaded here: https://www.ptsecurity.com/ww-en/premium/ics-attacks/
