There are at least 100,000 industrial control systems (ICS) exposed to the public Internet around the world, controlling a host of critical operational technologies (OT) like power grids, water systems, and building management systems (BMS). While that’s a big number, researchers note that quantifying true cyber-risk from that exposure means examining which protocols the gear uses.
In a recent analysis, researchers from cyber-risk handicapper Bitsight reached the 100,000 number by inventorying reachable devices that use the top 10 most popular and widely used ICS protocols (including Modbus, KNX, BACnet, Niagara Fox, and others).
They determined that the exposed ICS footprint represents a ripe target for cyberattackers, and thus a global risk to physical safety in at least 96 countries. The risk is not theoretical, as malware built to subvert power grids and incidents like the Colonial Pipeline hack show.
“These ICS devices are used to control much of the physical infrastructure in our society, from traffic lights to vaccine production,” according to a recent report from the firm. “Disruption of these systems could lead to significant business disruption, threats to human safety, data and intellectual property (IP) compromise, national security threats, and more.”
Pedro Umbelino, principal security researcher at Bitsight, notes that there are few, if any, reasons for this type of equipment to be directly reachable via the Internet, so the risk level seems like a soluble problem.
“The systems we identified as Internet-facing could be due to misconfigurations, or neglect of best practices,” he explains. “Typically, attackers scan for Internet-facing systems and then gather information to determine if that system has a vulnerability. So if systems are behind a firewall or otherwise not Internet facing, then much of the risk of exploitation is mitigated.”
No Standard Protocol: ICS Communications Guide Risk Assessment
Understanding risk within ICS environments takes more than simply determining how many devices are reachable from the Internet. Specifically, the protocols those devices use can provide important clues about where cyberattackers might be probing for weaknesses.
“Some protocols we explored lack security measures, like basic authentication, leaving the devices pretty much open to anyone,” he says.
He adds that other protocols have attributes that can help attackers perform target reconnaissance.
“Other protocols are very verbose, clearly indicating the brand, model, and version of the device, hugely simplifying an attacker’s task to search for readily available exploits,” Umbelino explains. “The adoption of different protocols indicates different devices are present in an organization’s exposed surface. This implies different vendors, different supply chains, [and] different software running.”
Organizations should also be aware that the protocol mix can help attackers geotarget their efforts. Bitsight pointed out that exposed industrial control systems using CODESYS, KNX, Moxa Nport, and S7 are largely concentrated in the European Union (EU). Meanwhile, exposed systems using ATG and BACnet largely reside in the US. Modbus and Niagara Fox, on the other hand, are present globally.
The takeaway is that ICS-owning organizations can inventory their protocol use, and use that as a variable to identify risk and inform their OT/ICS security strategies, Umbelino says. For instance, it may not always be practical to reconfigure an entire critical infrastructure environment to eliminate Internet-facing points, so knowing where to focus first can be invaluable.
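As an added illustration (not code from the article or the Bitsight report), the triage below ranks an organization's own inventory of Internet-reachable ICS assets by the two protocol attributes Umbelino describes: whether the protocol carries any authentication, and whether its banner discloses vendor, model, and version. The no-authentication protocol set, the banner patterns, and the sample hosts are assumptions constructed for the example and should be replaced with the organization's own assessment.

```python
import csv
import io
import re

# Assumption for this example: protocols in this set have no built-in
# authentication, so reachability alone gives control. Verify against your
# own assessment before relying on it.
NO_AUTH_PROTOCOLS = {"modbus", "bacnet", "s7", "knx"}

# Verbose banners that expose vendor/model/version simplify an attacker's
# search for known exploits; these patterns are illustrative only.
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")
IDENTITY_RE = re.compile(r"\b(vendor|model|brand|firmware|module)\s*[:=]", re.I)

# Constructed sample of an organization's OWN Internet-reachable assets
# (hypothetical hosts and banners, not data from the Bitsight study).
SAMPLE_INVENTORY = """host,port,protocol,banner
plc-01.example.net,502,modbus,
bms-02.example.net,47808,bacnet,Vendor: ExampleCorp Model: BMS-200 Firmware: 3.1.4
jace-03.example.net,1911,niagara_fox,Example Fox service version=4.10.2
cpu-04.example.net,102,s7,Module: EXAMPLE-CPU Version: 3.2.6
gw-05.example.net,22,ssh,SSH-2.0-OpenSSH_8.9
"""

def score_asset(protocol: str, banner: str) -> tuple:
    """Return (score, reasons) for one reachable asset."""
    score, reasons = 0, []
    if protocol.lower() in NO_AUTH_PROTOCOLS:
        score += 2
        reasons.append("protocol has no authentication")
    if VERSION_RE.search(banner):
        score += 1
        reasons.append("banner reveals version")
    if IDENTITY_RE.search(banner):
        score += 1
        reasons.append("banner reveals vendor/model")
    return score, reasons

def tier(score: int) -> str:
    return {0: "low", 1: "medium", 2: "high"}.get(score, "critical")

def prioritize(csv_text: str) -> list:
    """Rank reachable assets so firewall/VPN remediation starts where exposure is worst."""
    ranked = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score, reasons = score_asset(row["protocol"], row.get("banner") or "")
        ranked.append({"host": row["host"], "port": int(row["port"]),
                       "protocol": row["protocol"], "score": score,
                       "tier": tier(score), "reasons": reasons})
    return sorted(ranked, key=lambda a: (-a["score"], a["host"]))
```

Calling `prioritize(SAMPLE_INVENTORY)` puts the unauthenticated, version-disclosing BACnet and S7 hosts first, ahead of the bare Modbus listener and the authenticated services.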
Industry 4.0 Builds a More Secure Future
While Bitsight’s topline findings should signal a wakeup call for critical infrastructure stakeholders everywhere, it’s worth noting that the level of ICS exposure has actually declined over time, even amid the move to “smart” OT environments and more digitization. In 2019, the number of exposed ICS devices within the parameters of the study sat at nearly 140,000.
“Initiatives like CISA’s ‘Securing Industrial Control Systems: A Unified Initiative,’ and general discussions that the security community have been having around the topic of ICS security might have contributed to lower exposure,” Umbelino postulates. “[And,] Industry 4.0 brought new technologies, but also other ways to interact with them (think about cloud environments, private networks, and other less reachable environments, for example) and more mature security programs.”
How to Improve ICS Security & Exposure
From a practical standpoint, owners of ICS environments can shore up their security by taking some common-sense steps, according to Bitsight:
“In a nutshell, as a rule of thumb: reduce exposure,” Umbelino says. “Industrial control systems do not belong on the public Internet. Use firewalls, configure access controls, take advantage of virtual private networks or any other mechanism that prevents the devices from being widely reachable.”