Industrial control systems offer a soft target for attackers
Security gaps in key areas such as plain-text passwords, direct connections to the internet, and weak anti-virus protections are leaving industrial control systems vulnerable to attack according to a new report.
The study from ICS security company CyberX also shows that although the use of Windows XP has declined over the last year there are still older, unpatchable, Windows systems in slightly more than half of all industrial sites.
The CyberX report is based on analyzing real-world traffic from production ICS networks, making it an accurate representation of the current state of ICS security. The report is based on data captured over the past 12 months from more than 850 production ICS networks across six continents and all industrial sectors including energy and utilities, manufacturing, pharmaceuticals, chemicals, and oil and gas.
Among the findings are that 69 percent of industrial sites have plain text passwords traversing the network. This plus a lack of encryption in legacy protocols like SNMP and FTP exposes sensitive credentials, making cyber-reconnaissance and subsequent compromise relatively easy.
Whether for convenience or through inattention, 40 percent of industrial networks continue to be connected to the public internet. With digitization as a key business driver, operational technology (OT) networks are now also increasingly connected to corporate IT networks, providing additional digital pathways for attackers. 16 percent have at least one wireless access point that if misconfigured could lead to unauthorised access.
A worrying 57 percent of ICS systems are still not running any anti-virus protections that update signatures automatically. In addition 53 percent of sites have outdated Windows systems like XP that no longer receive security patches from Microsoft.
"We're not here to create FUD, but we think it’s important for business leaders to have a data-driven view of ICS risk so they can ask the right questions," says Dan Shugrue, senior director of industrial cybersecurity for CyberX. "We're definitely making progress in reducing ICS risk, but we have a long way to go. Reducing ICS risk is a journey -- most of these ICS networks were designed decades ago, long before cybersecurity was a key design priority."
You can find out more in the full report, available from the CyberX website.