Much of our critical infrastructure, such as chemical plants and electricity grids, is controlled by devices known as industrial control systems, or ICS. Many of these systems are decades old and suffer from cybersecurity vulnerabilities that could put millions of people at risk.
The issue of ICS vulnerabilities is so important to U.S. national security that the Department of Homeland Security has set up an office just to track security holes in these systems – the ICS Cyber Emergency Response Team. (That's on top of newly-created US Cyber Command.)
Not only is DHS interested in ICS security flaws, so are security firms like Kaspersky Lab. In fact, Kaspersky just released a report that found 189 unique vulnerabilities in ICS components last year. Kaspersky has issued this annual report tracking ICS vulnerabilities every year since 2010, when it only found 19 vulnerabilities.
Kaspersky attributed the marked rise in vulnerabilities over the five-year period to the fact that many more of these devices are now being linked to the Internet, which gives attackers remote access to these once isolated systems.
Using the Shodan search engine, Kaspersky researchers were able to find 220,558 Internet-facing ICS components located on 188,019 hosts in 170 countries. Close to one-third of these hosts are located in the United States and Europe. The researchers estimated that 92 percent of these ICS hosts are vulnerable to cyberattack.
Many of these remotely accessible ICS components use open and insecure protocols, such as HTTP, Nigara Fox, Telnet, EtherNet/IP, Modbus, BACnet, FTP, Omron FINS, and Siemens S7, the reported related.
Industries that use these vulnerable ICS devices to control their processes include electricity, aerospace, transportation, oil and gas, metallurgy, chemicals, agriculture, automotive, utilities, food manufacturing, construction, liquid storage tanks, and smart cities.
In addition, owners of vulnerable ICS devices include hospitals and other medical facilities, police, financial firms, and colleges and universities.
Ukraine power grid goes down
The report stressed that these vulnerabilities can have a wide impact if exploited by attackers. For example, last year, attackers took down a power grid in western Ukraine after exploiting vulnerabilities in the ICS devices used by the power company in that region. The attackers were able to take down 30 power substations and shut off power to 225,000 residents, explained a report on the incident by the SANS Institute and other groups.
“The attackers demonstrated a variety of capabilities, including spearphishing emails, variants of the BlackEnergy3 malware, and the manipulation of Microsoft Office documents that contained the malware to gain a foothold into the Information Technology (IT) networks,” the report explained.
“They demonstrated the capability to gain a foothold and harvest credentials and information to gain access to the ICS network. Additionally, the attackers showed expertise, not only in network connected infrastructure; such as Uninterruptable Power Supplies (UPSs), but also in operating the ICSs through supervisory control system; such as the Human Machine Interface (HMI),” the report added.
The attack on the Ukraine power grid was part of a broader effort targeting energy infrastructure known as BlackEnergy advanced persistent threat campaign.
Water firm has leaky security
In addition, Verizon its 2016 Data Breach Digest report described an attack against an unidentified water company, which it called the Kemuri Water Company, in which attackers were able to change the levels of chemicals used to treat tap water by exploiting vulnerabilities in an external system that managed the valves and ducts controlling the flow of water and chemicals through the system.
Despite assertions by the company management that no unauthorized access had taken place on its systems, Verizon found that a pattern of unexplained valve and duct movements had occurred over the previous 60 days. The movements were caused by manipulation of the programmable logic controllers that managed the chemicals used to treat the drinking water.
Inexplicably, the company used only one system, an IBM AS400, to control hundreds of PLCs and to house customer personal and billing information, as well as its financial information. And only one employee knew how to operate the AS400!
Verizon found that attackers had used the customer-facing payment application to breach the company’s payment and billing system and steal personal and financial information on up to 2.5 million customers. They then used the credentials from the payment application to access the valve and control system application.
The breach was “serious and could have been more critical. If the threat actors had a little more time, and with a little more knowledge of the ICS/SCADA [supervisory control and data acquisition system], KWC and the local community could have suffered serious consequences,” the report said.
“Many issues like outdated systems and missing patches contributed to the data breach--the lack of isolation of critical assets, weak authentication mechanisms and unsafe practices of protecting passwords also enabled the threat actors to gain far more access than should have been possible,” the report concluded.
DHS warns of security holes
The problem has become so severe that the DHS’s ICS-CERT office has begun regularly issuing advisories on ICS vulnerabilities. For example, the week of July 10-16, ICS-CERT sent out a total of six security advisories. In one advisory, DHS warned about a Schneider Electric security camera management system with hard-coded credentials that could enable an unsophisticated attacker to gain access to the system remotely.
In another advisory, ICS-CERT cautioned that a Tollgrade smart grid sensor management system used in electricity distribution has vulnerabilities that could be exploited remotely. “An attacker who exploits these vulnerabilities may be able to restart the system, brute force a login, or change privileged parameters,” the advisory explained.
Yet another advisory identified a security vulnerability in GE’s Proficy HMI/SCADA-CIMPLICITY product, a client/server-based human-machine interface/SCADA application. Exploits for the vulnerability, which could allow an attacker to launch executable code on the system, are publicly available, the advisory warned.
As can be seen by these reports and advisories, our critical infrastructure remains vulnerable to cyberattacks, putting at risk not only the employees but also millions of customers.
Unfortunately, the Verizon case study highlights how clueless some of these companies are when it comes to basic cybersecurity. Let’s hope that more critical infrastructure companies and agencies wake up to the risks they face from cyberattackers and take steps to secure their systems. Failure to do so could have catastrophic consequences.