High number of ICS security vulnerabilities uncovered: report

CPO magazine has reported that a new report from Boston-based CyberX has uncovered an alarming number of Internet of Things (IoT) and industrial control system (ICS) security vulnerabilities in real-world networks.

Unlike other studies of ICS security, which typically rely on survey responses, this study analysed real-world traffic on 1800 production IoT/ICS networks. The overall takeaway from the report is that many ICS networks — such as those at oil and gas companies or at pharmaceutical companies — are soft targets for potential adversaries looking to take advantage of ICS security vulnerabilities.

Now in its third year, the CyberX report highlighted the primary security gaps and security risks that it found by analysing ICS network traffic. For example, in 62% of cases, CyberX found outdated operating systems that were not being updated, not being patched or not being supported anymore. This refers primarily to networks running outdated versions of Windows — something that security experts sometimes refer to as the ‘broken Windows’ problem.

The study also found that 64% of ICS networks used unencrypted passwords — a situation that can be easily exploited by hackers in any brute force attack. Another ICS security issue was the fact that 54% of ICS devices were remotely accessible, making them potential security issues. In 22% of ICS networks analysed, there was evidence of ‘clear and present dangers’, such as malicious network traffic or attempts to access unauthorised ICS devices. And, finally, in 66% of cases, there were no automatic antivirus updates.

The CyberX report on ICS security differentiated between ICS networks across a wide range of different industries. The goal was to see if certain sectors might be at greater risk of cyber attacks from malignant third-party threat actors. They ranked sectors on a scale of 0 to 100. 80 was the minimum passing mark for an ICS network, according to the CyberX security framework. Unfortunately, the average score for every sector studied failed to meet even this most basic threshold. For example, the oil and gas sector scored 74 out of 100, followed by electric utilities (70), manufacturing plants (63) and pharmaceutical and chemical companies (62). These are just average scores for entire industries, so some individual companies obviously surpassed the 80-point threshold, even if the sector performed poorly.

This difference in scores, said CyberX, can be accounted for by differing levels of regulatory oversight in these sectors. Take utilities, for example. Everyone knows that utilities are very tightly regulated, and that helps to explain why electric utilities tended to score higher than other sectors, said CyberX.

In coming up with its ICS security report findings, CyberX outlined both the types of adversaries posing the greatest risk to ICS networks, suggesting that adversaries can be divided into three main categories: nation-states, cybercriminals and hacktivists. Potentially the most dangerous of these adversaries from the perspective of ICS security are nation-states, which might have a military or strategic reason to attack another nation’s critical infrastructure and grid companies. Without basic safety defences in place — such as continuous ICS network monitoring — an electric utility might be at very high risk of cyber attack.

Image: ©stock.adobe.com/au/EtiAmmos