By Gregory Hale
It is very easy to get caught up in the hype and hysteria surrounding cybersecurity and not understand facts behind a barrage of data. In the end, it is all about context.
That idea comes into play after a report released earlier this week saying the amount of industrial control systems (ICS) now accessible over the Internet increased over the previous year.
Using the Shodan, Censys and Google search engines, Positive Technologies researchers identified 175,632 ICS-like components accessible from the Web. Similar researcher conducted the year before found over 162,039 systems.
Of all the systems identified in 2017, 66,587 were accessible via HTTP, followed by the Fox building automation protocol at 39,168.
The highest percentage of exposed devices, at 42 percent, was in the United States, according to the report.
The number of Internet-accessible ICS components in the U.S. increased to 64,287, followed by Germany with 13,242, France with 7,759, Canada with 7,371, Italy with 5,858, and China with 4,285.
ICS security experts were not impressed with that data after the took a closer look, but a few messages did come out of the report.
“I do not believe the amount of ICS devices is going up. I believe it is going down,” said Joel Langill, director of ICS Cyber Security Services at AECOM – Management Services. “There is likely a basic misinterpretation of data.”
The report said leading industrial systems connected to the Web come from Honeywell with 26,813, Lantronix with 12,120, SMA with 9,399, Beck IPC with 9,362, Siemens with 6,069 and Rockwell Automation 5,594.
“There just might be more ‘SCADA’ components accessible from the web these days — it is hard to say,” said Eric Byres, security expert and chief executive at aDolus Inc. “However, they won’t be true ICS — i.e. tier-1 PLC, DCS or SIS components running at major companies. Rather, it is small stuff in small-scale so-called ICS systems. For example, I see that HTTP and the Fox building automation protocol (i.e. Honeywell’s Niagara/Tridium) account for 65 percent of the discovered protocols. Those protocols don’t indicate true ICS, but rather the world of building automation, IoT and minor automation projects.
“The vendor and product tables show the same thing — Niagara/Honeywell and Lantronix dominate and the real ICS like Rockwell or Schneider Electric are minor percentages. I’m willing to bet that even those ICS devices are mostly micro-PLCs being used in irrigation or building automation and in not heavy industry applications.
Security Not Thought Out
“What this tells me is not that the core security of the industrial ICS world is getting worse, but rather connected edge devices in related industries like building automation, water management or access management are flooding onto the market. The security of these ‘secondary’ deployments are not being well thought out. So, the bad guys can’t suddenly see and hack more industrial DCS, but they have lots of poorly designed IoT targets to choose from instead.
“This is the Achilles heel of the IoT and IIoT world — we are making everything from power drills and video cameras to coffee makers ‘web connected’ without considering the security implications. Sure, it is wonderful that I can remotely connect to my offices security cameras over the web, but who else have I just let do the same thing?” Byres asked.
The report appeared to be an indicator of an increase in IoT or IIoT connectivity which could increase the amount of devices connected to the Internet.
“I do believe that the widespread adaptation of IoT devices will make a difference, I am just concerned that someone might misclassify an IoT device for an IIoT device – as in the case of a Lantronix serial-to-Ethernet converter,” Langill said. “If you do not know what the device is connected to, how can you classify it as ICS or not? This is like saying that all Windows devices are non-ICS classified. We know that is not a true statement, so why not use the same logic for embedded devices.”
Visible on Net
Whether the devices were ICS or some other industry the fact is they were out there on the Internet and visible.
“I have no way to refute or affirm these findings, nor do I have reason to doubt them,” said Eric C. Cosman, contributing consultant with ARC Advisory Group. “I suppose that some of the change may be the result of ‘looking harder’ with better search strings and criteria. Just as with Google, you probably find more information if you know exactly what to look for. That said, I wouldn’t be surprised if more systems are being connected. This could be a result of any number of things, including:
• Increased pressure to grant remote access for support purposes, perhaps combined with assurances from the service provider that they have adequate security in place. After all, visibility does not necessarily equate to access. The latter can only be confirmed by penetration testing.
• Lack of critical assessment and review of newly installed devices or systems. Some people may have this connectivity without even realizing it.”
Langill feels security on Internet-connected devices is suspect.
“This is not to say that a lot of ICS devices are being connected to the Internet that should not be,” Langill said. “The basic definition of ‘security’ varies widely from vendor to vendor, and someone might offer a ‘secure remote access’ solution and only offer basic password authentication security or maybe a TLS/SSL connection. I am beginning to see more and more packaged solutions on the Internet with minimal security enabled. I would like to see more people incorporate basic cyber security requirements into their purchasing documents. The ‘Cyber Security Procedure Language for ICS’ by DHS/ICS-CERT is a wonderful starting point.”
While the numbers are higher this year, there is no doubt the rate will increase in years to come because connectivity is just going to increase because the benefits far outweigh the negatives.
“Enterprise-wide digitalization and Industrie 4.0 initiatives necessarily require connectivity to the Internet for tight integration between sensors and smart computers,” said Eddie Habibi, chief executive and founder of PAS, Global. “Meanwhile, cyber attackers are becoming more sophisticated and the frequency of attacks are on the rise. (This all) poses a serious risk to industrial safety and profitability that must be addressed as the wave of digital manufacturing transformation evolves. But cybersecurity is a risk we should manage and not fear. We must not abandon progress in the face of cyber threats. I don’t believe the threat of cybersecurity is going to stand in the way of digitalization and smart manufacturing. It is just another hurdle to overcome. Just like any other risk, we must understand it, take decisive measures to protect against it, and make security awareness a part of our culture as we have done so effectively with safety.”
Not falling for the hype and understanding data and putting it in the proper perspective should be the way to go for manufacturing automation professionals.
“Lessons learned from safety incidents in the late 1980s and the subsequent industry best practices and regulations like OSHA 1910.119 can serve as successful models for addressing the cybersecurity challenge,” Habibi said. “With that said, what makes cybersecurity a greater challenge than safety is that with safety you do not have outside actors maliciously attacking your operations.”
Gregory Hale is the Editor/Founder of Industrial Safety and Security Source (ISSSource.com).