Online and vulnerable: Report shows the number of Internet-accessible Industrial Control Systems is increasing every year

Any advanced computer user can find unprotected industrial control systems simply by searching on Google or Shodan

The number of industrial control system (ICS) components left open to Internet access is increasing every year. These components run factories, transport, power plants and other facilities. In Germany, for example, researchers found 13,242 IP addresses for ICS components, up from 12,542 in 2016. A new report from Positive Technologies, ICS Security: 2017 in Review, analyses these and other findings on ICS threats created by online accessibility and software vulnerabilities.

Advanced industrial countries, such as the U.S., Germany, China, France, and Canada, were home to the largest numbers of Internet-accessible ICS components. Of the 175,632 Internet-accessible ICS components detected, approximately 42% were in the U.S., representing a 10% increase over the previous year (from 50,795 to 64,287). This is far ahead of second place, which Germany holds for the second year in a row with 13,242 components discovered.

The Positive Technologies research team also noted that more and more Internet-accessible ICS components are actually network devices, such as Lantronix and Moxa interface converters, which represented 12.86% of detected components in 2017, up from 5.06% in 2016. Although these converters are often regarded as relatively unimportant, they can be quite useful for hackers, as has been seen in a number of high-profile attacks.

The most common software on Internet-accessible ICS components is Niagara Framework components. Niagara connects and enables management control over systems like air conditioning, power supplies, telecommunications, alarms, lighting, security cameras, and other important building systems. Software like this often contains vulnerabilities, and these go beyond proof-of-concept: such systems have already been hacked in the wild.

Another key finding is the growing number of vulnerabilities in ICS components. The number of vulnerabilities reported by major vendors in 2017 was 197, compared to only 115 in the prior year. Over half of these vulnerabilities were rated critical or high risk. A large share of the vulnerabilities disclosed in 2017 involved ICS network equipment such as switches, interface converters, and gateways. This is especially worrisome because network equipment is increasingly Internet-connected. Further, most reported ICS vulnerabilities can be exploited remotely, without the attacker first needing to obtain privileges on the targeted system.

In terms of the number of vulnerabilities publicly disclosed in 2017, the previous year's leader, Siemens, fell back to second. The 47 vulnerabilities disclosed in Schneider Electric ICS products are almost ten times as many as the number from the year before (5). Moxa also showed a growing vulnerability count with 36 in 2017 compared to 18 in 2016.

“Despite numerous incidents, reports, and large-scale regulatory efforts, it is alarming that, overall, industrial systems aren’t more secure than they were ten years ago. Today, anyone can go on the Internet and find vulnerable building systems, data centers, electrical substations, and manufacturing equipment,” said Vladimir Nazarov, Head of ICS Security at Positive Technologies. “ICS attacks can mean much more than just blackouts or production delays—lives may be at stake. This is why it's so important that before even writing the first line of code, developers design-in the security mechanisms necessary to keep ICS components secure. And, when these mechanisms eventually become outdated, they need to modernize them in a timely manner.”

The report offers guidelines for improving ICS security. Basic measures that organizations can take immediately include: (1) separating operational networks from the corporate LAN and external networks (such as the Internet); (2) diligently installing security updates; and (3) regularly auditing the security of ICS networks in order to identify potential attack vectors.

The full version of the report is available at the following link