Legions of critical-infrastructure devices subject to cyber targeting

Tara Seals, Dark Reading

October 5, 2023


There are at least 100,000 industrial control systems (ICS) exposed to the public Internet around the world, controlling a host of critical operational technologies (OT) like power grids, water systems, and building management systems (BMS). While that’s a big number, researchers note that quantifying true cyber-risk from that exposure means examining which protocols the gear uses.

In a recent analysis, researchers from cyber-risk handicapper Bitsight reached the 100,000 number by inventorying reachable devices that use the top 10 most popular and widely used ICS protocols (including Modbus, KNX, BACnet, Niagara Fox, and others).

They determined that the exposed ICS footprint represents a ripe target for cyberattackers, and thus a global risk to physical safety in at least 96 countries. The risk is not theoretical, as malware built to subvert power grids and incidents like the Colonial Pipeline hack show.

“These ICS devices are used to control much of the physical infrastructure in our society, from traffic lights to vaccine production,” according to a recent report from the firm. “Disruption of these systems could lead to significant business disruption, threats to human safety, data and intellectual property (IP) compromise, national security threats, and more.”

Pedro Umbelino, principal security researcher at Bitsight, notes that there are few, if any, reasons for this type of equipment to be directly reachable via the Internet, so the risk level seems like a soluble problem.

“The systems we identified as Internet-facing could be due to misconfigurations, or neglect of best practices,” he explains. “Typically, attackers scan for Internet-facing systems and then gather information to determine if that system has a vulnerability. So if systems are behind a firewall or otherwise not Internet facing, then much of the risk of exploitation is mitigated.”

No Standard Protocol: ICS Communications Guide Risk Assessment

Understanding risk within ICS environments takes more than simply determining how many devices are reachable from the Internet. Specifically, the protocols those devices use can be important clues in determining where cyberattackers might be probing for weaknesses.

“Some protocols we explored lack security measures, like basic authentication, leaving the devices pretty much open to anyone,” he says.

He adds that other protocols have attributes that can help attackers perform target reconnaissance.

To read the complete article, visit Dark Reading.

 
