ICS Security Plagued with Basic, Avoidable Mistakes

At least 33 percent of the security issues found in industrial control systems (ICS) are rated as being of high or critical risk.

FireEye iSIGHT Intelligence compiled data from dozens of ICS security health assessment engagements performed by its Mandiant division, and found that these issues include unpatched vulnerabilities (32 percent); password issues (25 percent); and problems with architecture and network segmentation (11 percent).

In other words, ICS environments riddled with basic security snafus, meaning that the main security risks are eminently avoidable using best practices. However, these organizations have unique challenges that have contributed to their poor security posture.

“ICS used to be on separate networks and now they are connected more to IT networks,” Chris Sistrunk, principal consultant at Mandiant, told Threatpost. “Also, when ICS were designed 20-plus years ago, cybersecurity threats weren’t an issue. And, a lack of ICS security incidents at companies means there’s not much security budget.”

Vulnerabilities, Patches and Updates

Known vulnerabilities in ICS environments remain a scourge, according to the data. Mandiant found that most organizations have infrequent procedures for patching and updating control systems; and it encountered organizations with no formal vulnerability and patch management programs at all.

This translates to out-of-date firmware, hardware and operating systems, including: network devices and systems such as switches, firewalls and routers; desktop computers, cameras and programmable logic controllers; unsupported legacy operating systems such as Windows Server 2003, XP, 2000, and NT 4; and unaddressed known vulnerabilities in software applications and equipment where patches are available.

“We observed outdated firewalls with up to 53 unaddressed vulnerabilities and switches with more than 200 vulnerabilities,” the firm said in its report on the state of ICS security released on Thursday.

Identity and Access Management

The second most common category of security issues identified was related to the flaws in or absence of best practices for handling passwords and credentials. Common weaknesses identified by Mandiant include: Lack of multifactor authentication for remote access and critical accounts; and weak passwords with insufficient length or complexity used for privileged accounts, ICS user accounts and service accounts.

The team also found a laundry list of classic password missteps. It found passwords that were not changed frequently; passwords being reused for multiple accounts; prominently displayed passwords written on the chassis of devices; and hard-coded and default credentials in applications and equipment.

Network Segregation and Segmentation

Meanwhile, Mandiant found a rampant lack of segregation from the corporate IT network and within the ICS network – which allows threat actors opportunities to launch remote attacks against key infrastructure by moving laterally from IT services to ICS environments.

The main risks in this group identified by Mandiant included: Plant systems accessible from the corporate network; industrial networks connected directly to the internet; unfiltered access to plant servers from corporate networks; missing segmentation between ICS and corporate networks; vulnerabilities in bridge devices that can enable lateral movement between networks; and data backups and antivirus updates running on shared control system networks.

Additional common risks were identified from other categories, but with less frequency; these included the lack of network security monitoring, intrusion detection and intrusion prevention in organizations, including missing endpoint malware protection; leaving unused ports active; and having limited visibility into ICS networks.

“Known vulnerabilities continue to represent significant challenges for ICS owners that must oversee the daily operation of thousands of assets in complex industrial environments,” the report pointed out. “It is also relevant to highlight that some of the most common risks we identified could be mitigated with security best practices, such as enforcing a comprehensive password management policy or establishing detailed firewall rules.”

Attackers know these environments aren’t necessarily well-protected. Accordingly, there are various types of common threat activity impacting ICS, according to Nathan Brubaker, manager of the Cyber-Physical Intelligence Team at FireEye. These include ransomware and cryptojacking/cryptomining malware infections, typically of Windows-based machines; and threat actors selling virtual access to ICS/SCADA.

Yet, on the targeted front, threat actor reconnaissance activity targeting ICS systems (or ICS information on IT systems is much less common, he said; and, the infection of ICS systems with custom ICS malware (as seen in the case of TRITON or the Stuxnet worm used to shut down Iran’s nuclear facilities) is very rare — despite frightening headlines.

TRITON came on the scene in December 2017, when it was reported that a Middle Eastern oil and gas petrochemical facility had undergone a safety system shutdown as the result of a malware attack. The malware directly interacted with and controlled a Safety Instrumented System (SIS). SIS are the last line of automated safety defense for industrial facilities, designed to prevent equipment failure and catastrophic incidents such as explosions or fire.

“There are only a handful of examples of targeted attacks against ICS specifically, with most incidents involving collateral infection of ICS,” said Brubaker. “The later typically involves commodity malware that happens to infect an ICS component running Windows (e.g., a human machine interface (HMI)) resulting in damage or downtime.”

He cited the example of a top iPhone supplier, Taiwan Semiconductor Manufacturing Company, shutting down several facilities as a result of a collateral Wannacry infection – the downtime and recovery costs were expected to hit $250 million after it halted its production lines for two days in August.

“One thing that likely keeps the number of targeted attacks against ICS low is that a threat actor needs to be willing to cause physical damage against equipment and potentially humans,” said Brubaker. “Additionally, while there are more and more resources available to threat actors interested in targeting ICS specifically, they still need significant skills, expertise, and resources to carry out a targeted attack against ICS (especially when you get to the TRITON level).”

Meanwhile, Sistrunk told us that despite the statistics, there are drivers that have contributed to significant progress being made in becoming more secure.

“The electric sector, nuclear sector and chemical sector face US cybersecurity regulation and mandates,” he pointed out. “Also, major ICS vendors now have security teams, and security patches are made available on newer equipment.”