73 percent of industrial networks are vulnerable to hackers
The industrial control systems (ICS) used to run equipment in manufacturing, energy, and other sectors are secured differently from office networks. Vulnerabilities often go unpatched, because organizations are afraid to make changes that might cause downtime.
To reduce the chance that vulnerabilities are exploited, organizations place ICS components on a separate network, isolate them, or air-gap them entirely from Internet-connected corporate systems. However, penetration testing performed by Positive Technologies has shown that such measures often fall short in practice, leaving attackers plenty of opportunity to access critical equipment.
In tests, attackers were able to penetrate the network perimeters of 73 percent of industrial organizations. At 82 percent of those tested, it was possible to gain a foothold and use it to access the broader industrial network, which contained ICS equipment.
One of the easiest ways to gain access to industrial networks is to make use of remote desktop access. Administrators at industrial companies often enable this so that they can remotely administer devices from their offices, rather than making site visits. At every industrial company where network penetration was successful, flaws in segmentation or traffic filtering were present. In 64 percent of cases, these flaws were introduced by administrators and involved remote desktop access.
"Security is not just a technical problem, but an organizational one," says Paolo Emiliani, industry and SCADA research analyst at Positive Technologies. "On average, each company we tested had at least two penetration vectors. A company might have a number of facilities very far apart from each other, with only a handful of security staff to go around. This puts security staff in a difficult position: they have to enable remote desktop access to get their job done, even though this opens security holes."
The most common vulnerabilities found on corporate networks were dictionary passwords and obsolete software, detected at all the tested companies. Such flaws can make it possible for attackers to escalate attacks, giving them maximum domain privileges and control over the entire enterprise infrastructure.
The full report is available from the Positive Technologies website.