Control networks are easy targets for adversaries: exposure to the public Internet, combined with simple weaknesses like plain-text passwords, makes them trivial to traverse, researchers said.
The lack of even basic protections like antivirus lets attackers quietly perform reconnaissance before sabotaging physical processes such as assembly lines, mixing tanks, and blast furnaces, said researchers in the CyberX “Global ICS & IIoT Risk Report.”
CyberX used proprietary Network Traffic Analysis (NTA) algorithms to analyze traffic collected from 375 production OT networks over the past 18 months, across the U.S., Europe, and APAC. The networks span all sectors including energy & utilities, manufacturing, pharmaceuticals, chemicals, and oil & gas.
The report’s findings show why control networks are easy targets for adversaries:
• 1 out of 3 industrial sites is connected to the public Internet
• 3 out of 4 sites have legacy Windows boxes for which Microsoft is no longer providing security patches
• 60 percent have passwords traversing OT networks in plain-text
• 50 percent of industrial sites aren’t running any antivirus protection
• 82 percent are running remote management protocols (RDP, VNC, SSH, etc.), making it easier to perform cyber reconnaissance
Running a remote management protocol means an attacker who reaches the OT network can remotely access and control other devices on it using standard administration tools. Misconfigured wireless access points (WAPs) can also be leveraged as an attack vector, and one in five of the analyzed companies had at least one WAP.
CyberX also found 76 percent of analyzed industrial sites have machines running obsolete versions of Windows, such as Windows 2000 and Windows XP, on their OT networks. Windows devices and industrial systems such as programmable logic controllers (PLCs) had vulnerabilities in 28 percent of the cases.
In almost 60 percent of cases, CyberX has seen plaintext passwords crossing the network, allowing man-in-the-middle (MitM) attackers to obtain valuable information.
The analysis showed Modbus is the most widely used industrial protocol (58 percent), followed by EtherNet/IP (28 percent), Siemens’ S7, OPC, OSIsoft PI and MMS.
There are a number of practical steps the report said organizations can take today to mitigate OT risk:
1. Providing security awareness training for plant personnel and enforcing strong corporate policies to eliminate risky behaviors like clicking links in emails, using USBs and laptops to transfer files to OT systems, and dual-homing devices between IT and OT networks.
2. Top-down organizational initiatives to break down barriers between IT and OT teams, such as temporarily assigning IT security personnel to OT organizations and vice-versa to understand the differences between IT and OT.
3. Using compensating controls and multi-layered defenses — such as continuous monitoring with behavioral anomaly detection — to provide early warnings of attackers inside your OT network, and to mitigate critical vulnerabilities that might take years to fully remediate.
4. Proactively addressing the most critical vulnerabilities via automated threat modeling.
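The third recommendation, continuous monitoring with behavioral anomaly detection, is the one that can be shown in code. The example below is added here and is not from the CyberX report or its product: it learns a baseline of which hosts talk Modbus/TCP to which controllers with which function codes, then alerts on deviations, with a never-seen host issuing a write function code rated highest. It also carries a simple policy rule for cleartext management protocols (Telnet, FTP, HTTP), which covers the plain-text-password finding above. All hosts, flow records and the severity scheme are constructed for illustration.

```python
"""Baseline-and-deviation detection over summarized OT flow records (constructed example)."""
from dataclasses import dataclass
from typing import Optional

MODBUS_PORT = 502
# Modbus function codes that change controller state (coil/register writes).
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}
# Protocols that carry credentials in the clear; any sighting is a policy finding.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}


@dataclass(frozen=True)
class Flow:
    """One summarized connection; func is the Modbus function code when dport is 502."""
    ts: int
    src: str
    dst: str
    dport: int
    func: Optional[int] = None


def learn_baseline(flows):
    """Learning window: remember every (src, dst, dport, func) tuple and every client host.

    Keeping the client-host set separately lets us distinguish a known host doing
    something new from a host that has never been seen on the network."""
    tuples = {(f.src, f.dst, f.dport, f.func) for f in flows}
    hosts = {f.src for f in flows}
    return tuples, hosts


def detect(baseline, flows):
    """Detection window: emit alerts for policy violations and baseline deviations."""
    known_tuples, known_hosts = baseline
    alerts = []
    for f in flows:
        # Policy rule: cleartext management protocols are flagged regardless of baseline.
        if f.dport in CLEARTEXT_PORTS:
            alerts.append({"ts": f.ts, "rule": "cleartext-protocol", "severity": "medium",
                           "detail": f"{CLEARTEXT_PORTS[f.dport]} {f.src}->{f.dst}"})
        key = (f.src, f.dst, f.dport, f.func)
        if key in known_tuples:
            continue  # matches learned behaviour, nothing to report
        is_write = f.dport == MODBUS_PORT and f.func in MODBUS_WRITE_CODES
        if f.src not in known_hosts:
            rule, severity = "new-host", ("high" if is_write else "medium")
        else:
            rule, severity = "new-behaviour", ("medium" if is_write else "low")
        alerts.append({"ts": f.ts, "rule": rule, "severity": severity,
                       "detail": f"{f.src}->{f.dst}:{f.dport} func={f.func}"})
    return alerts


# Constructed learning window: an HMI polling and writing setpoints, an engineering
# workstation reading from two PLCs. Addresses are illustrative only.
LEARNING = [
    Flow(1, "10.0.0.10", "10.0.0.20", 502, 3),   # HMI reads holding registers
    Flow(2, "10.0.0.10", "10.0.0.20", 502, 16),  # HMI writes multiple registers
    Flow(3, "10.0.0.11", "10.0.0.20", 502, 3),   # engineering workstation reads PLC 20
    Flow(4, "10.0.0.11", "10.0.0.21", 502, 3),   # engineering workstation reads PLC 21
]

# Constructed detection window: normal traffic plus four deviations.
LIVE = [
    Flow(100, "10.0.0.10", "10.0.0.20", 502, 3),   # normal
    Flow(101, "10.0.0.10", "10.0.0.20", 502, 16),  # normal
    Flow(102, "10.0.0.11", "10.0.0.20", 502, 16),  # known host, first write seen
    Flow(103, "10.0.0.99", "10.0.0.20", 502, 6),   # unknown host writes a register
    Flow(104, "10.0.0.99", "10.0.0.21", 23),       # unknown host, Telnet to a PLC
    Flow(105, "10.0.0.11", "10.0.0.22", 502, 3),   # known host reads a new controller
]


def run_demo():
    """Learn from LEARNING, evaluate LIVE, return the alert list."""
    return detect(learn_baseline(LEARNING), LIVE)


if __name__ == "__main__":
    for a in run_demo():
        print(f"t={a['ts']} [{a['severity']:6}] {a['rule']:19} {a['detail']}")
```

The two normal flows produce nothing; the unknown host writing to a PLC is the single high-severity alert, and the Telnet session yields both a policy alert and a new-host alert. In a real deployment the tuple set would be populated from passive captures over a learning period, and the severity scheme tuned to the site’s change-management process.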