The state of ICS and IIoT security in 2019

Industrial control systems continue to be soft targets due to poor cyber hygiene. New study identifies what's wrong and best practices for fixing it.

Industrial control systems (ICS) are designed to operate and support critical infrastructure. They are used heavily in industrial areas such as energy and utilities, oil and gas, pharmaceutical and chemical production, food and beverage, and manufacturing. Attacks on such systems can cause major damage. The 2015 hack of Ukraine’s power grid caused a blackout that affected over 200,000 people.

Whether ransomware, botnets, cryptominers, or something more destructive, malware targeting such systems continues to proliferate. According to Kaspersky Labs, over 40 percent of ICS computers it monitors were attacked by malicious software at least once during the first half of 2018.

According to a new report from CyberX, industrial organizations are doing themselves no favors and making themselves easy targets. The report, 2019 Global ICS & IIoT Risk Report, analyzed real-world network traffic data from more than 850 production ICS networks worldwide to get a view into existing vulnerabilities in ICS environments.

“The data clearly shows that industrial control systems continue to be soft targets for adversaries,” said the report. “Many sites are exposed to the public internet and trivial to traverse using simple vulnerabilities like plain-text passwords. Lack of even basic protections like automatically updated anti-virus enables attackers to quietly perform reconnaissance before sabotaging physical processes such as assembly lines, mixing tanks, and blast furnaces.”

40 percent of industrial sites have at least one direct connection to the public internet

Air gaps for critical systems remain an effective way to reduce the chance of attack: with no connection to the internet, threat actors have to be on-site to conduct operations. However, many companies are failing to ensure their systems are actually air-gapped. Over a third of industrial sites have at least one route to the internet, and one route is enough for attackers to get in. Search tools such as Shodan make it easy to find internet-facing devices that are not properly secured, giving attackers ready entry into industrial networks.

Sixteen percent of sites have at least one wireless access point, and 84 percent have at least one remotely accessible device, both of which offer an extra point of access for attackers.

53 percent of sites have obsolete Windows systems

Industrial sites often have embedded systems that can be hard enough to patch, let alone change the operating system on. However, outdated and unsupported versions of Windows mean no patches for new vulnerabilities, which can leave significant gaps in your security posture. Over half the industrial sites monitored by CyberX were running outdated and unsupported editions of the Windows operating system. 

Windows Vista hit end-of-life support in 2017, XP back in 2014. Windows 8 came to end of life in 2016 (8.1 still has a while to go), and Windows 7 is due to end in 2020. While companies can arrange extended support with Microsoft, this can be costly and is only a stop-gap solution. 

69 percent of sites have plaintext passwords in their ICS networks

Plaintext passwords have been a bad idea since time immemorial. They give anyone exploring your network easy access to whatever they’re targeting, no matter what other defenses you put in place. Sadly, this hasn’t stopped industrial organizations committing the most basic and cardinal of sins; CyberX found plaintext passwords present in 69 percent of ICS networks.

“These are typically associated with legacy devices that don’t support modern, secure protocols such as SNMP v3 or SFTP,” according to the report.
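One way to find the exposure the report describes is to inspect captured ICS traffic for credentials that travel in the clear, which is what a passive monitor does. The following is an added example, not code from the CyberX report or any vendor product; the packet records, the port numbers used to pick a decoder, and the sample payloads are all constructed here. It flags FTP `PASS` commands, HTTP Basic authorization headers, and the community strings of SNMPv1/v2c (SNMPv3 carries no community string, so it is reported as clean), and ignores SFTP traffic because its payload is encrypted.

```python
"""Flag cleartext credentials in captured ICS network traffic (added example)."""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A captured packet, reduced to the fields the checks need (constructed)."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Credentials carried in the clear by legacy application protocols.
FTP_PASS = re.compile(rb"^PASS ([^\r\n]+)\r?\n", re.MULTILINE)
HTTP_BASIC = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")


def _ber_len(buf, i):
    """Return (length, index after the length field) for a BER length at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def snmp_community(payload):
    """Extract (version, community) from an SNMPv1/v2c message.

    Minimal BER walk over SEQUENCE { INTEGER version, OCTET STRING community, ... }.
    Returns None for SNMPv3 (which authenticates instead of using a community
    string) and for data that is not a well-formed SNMP message.
    """
    try:
        if payload[0] != 0x30:
            return None
        _, i = _ber_len(payload, 1)
        if payload[i] != 0x02 or payload[i + 1] != 0x01:
            return None
        version = payload[i + 2]
        if version == 3:
            return None
        i += 3
        if payload[i] != 0x04:
            return None
        clen, i = _ber_len(payload, i + 1)
        community = payload[i:i + clen].decode("latin-1")
    except IndexError:
        return None
    return version, community


def find_cleartext_credentials(packets):
    """Return (src, dst, protocol, credential) for every cleartext credential seen."""
    findings = []
    for p in packets:
        if p.dport == 21:
            m = FTP_PASS.search(p.payload)
            if m:
                findings.append((p.src, p.dst, "ftp", m.group(1).decode("latin-1")))
        elif p.dport == 80:
            m = HTTP_BASIC.search(p.payload)
            if m:
                try:
                    creds = base64.b64decode(m.group(1), validate=True).decode("latin-1")
                except ValueError:  # binascii.Error is a ValueError: not real Base64
                    continue
                findings.append((p.src, p.dst, "http-basic", creds))
        elif p.dport == 161:
            res = snmp_community(p.payload)
            if res:
                version, community = res
                proto = "snmpv1" if version == 0 else "snmpv2c"
                findings.append((p.src, p.dst, proto, community))
    return findings


# Constructed sample traffic: one FTP login, one HTTP Basic request, one SFTP
# packet (encrypted, nothing to find), one SNMPv2c GetRequest, one SNMPv3 message.
SNMP_V2C = (b"\x30\x18\x02\x01\x01\x04\x06public"
            b"\xa0\x0b\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00")
SNMP_V3 = b"\x30\x0e\x02\x01\x03\x30\x09\x02\x01\x01\x02\x01\x00\x04\x01\x00"
SAMPLE_PACKETS = [
    Packet("10.0.5.20", "10.0.5.7", 21, b"USER operator\r\nPASS hmi-2019\r\n"),
    Packet("10.0.5.21", "10.0.5.8", 80,
           b"GET /login HTTP/1.1\r\nHost: hmi\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"),
    Packet("10.0.5.22", "10.0.5.9", 22, b"\x17\x03\x03\x00\x20" + bytes(32)),
    Packet("10.0.5.23", "10.0.5.10", 161, SNMP_V2C),
    Packet("10.0.5.24", "10.0.5.11", 161, SNMP_V3),
]

if __name__ == "__main__":
    for src, dst, proto, cred in find_cleartext_credentials(SAMPLE_PACKETS):
        print(f"{src} -> {dst} {proto}: cleartext credential {cred!r}")
```

Port-based dispatch is a simplification; a production monitor would identify the protocol from the payload, since legacy devices are often configured on non-standard ports.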

57 percent of sites aren’t running antivirus protections that update signatures automatically

In the first half of 2018, Kaspersky discovered 19,000 different malware variations from 2,800 different malware families. Given the continuous stream of new malware strains, automatically updated signatures should be a given in an organization’s antivirus protection. However, more than half of industrial ICS networks don’t have automatically updating antivirus systems, widening the window of opportunity for threat actors.

ICS security standing still

That such industrial systems are insecure is one thing, but what is more concerning is the lack of progress to remedy the issue. According to the report, the industry “has not changed much over the course of the past year.” The only metric to show meaningful change since the previous iteration of this study was a reduction in sites using legacy Windows systems, which had fallen from 76 percent of sites in 2017 to 53 percent in 2018.

“There's still a lot of work to be done,” said the report. “It bears remembering that we are attempting to close a ~25-year gap between operational technology (OT) and IT security practices.”

Old OT protocols make visibility a challenge

Industrial systems are often long in the tooth. Being difficult and expensive to replace, they often sit untouched for years. CyberX found the most commonly used protocol in its study sample was Modbus, a serial communications protocol originally published by Modicon (now Schneider Electric) in 1979.

However, this creates an additional monitoring challenge: traditional monitoring tools designed for corporate IT networks are blind to OT-specific protocols like Modbus TCP, so organizations have little to no visibility into OT network activity. A survey by Kaspersky found nearly half of industrial companies say they would have no way to detect an attack on their ICS devices.
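Getting visibility into Modbus TCP is less work than the blindness of IT tooling suggests, because the protocol has no authentication and a fixed seven-byte header. The following is an added example, not code from the report or from any monitoring product: it parses the MBAP header (transaction id, protocol id, length, unit id) and the function code of each request, builds a map of which client talks to which unit, and raises an alert when a write function (5, 6, 15, 16) comes from a source outside a constructed allow-list. The sample frames and addresses are constructed.

```python
"""Passive Modbus TCP request parsing for OT visibility (added example)."""
import struct
from collections import defaultdict
from dataclasses import dataclass

# Public function codes from the Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame):
    """Parse one Modbus TCP request (MBAP header + PDU) or return None.

    MBAP: transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    The length field counts the unit id plus the PDU that follows it.
    """
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def monitor(frames, allowed_writers):
    """Build a client -> {unit ids} map and alerts for writes from unexpected clients.

    frames: iterable of (src_ip, raw_frame); allowed_writers: set of client IPs
    that are permitted to issue write functions (constructed policy).
    """
    asset_map = defaultdict(set)
    alerts = []
    for src, raw in frames:
        req = parse_modbus_tcp(raw)
        if req is None:
            continue  # not Modbus, or truncated; a real monitor would count these
        asset_map[src].add(req.unit_id)
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            name = FUNCTION_NAMES.get(req.function, f"function {req.function}")
            alerts.append(f"{src} -> unit {req.unit_id}: {name} (tid={req.transaction_id})")
    return asset_map, alerts


# Constructed sample capture: a read from the engineering workstation, a
# register write from an unknown host, and a coil write from the workstation.
SAMPLE_FRAMES = [
    ("10.0.5.10", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),  # FC3, unit 1
    ("10.0.5.99", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x01\x12\x34"),  # FC6, unit 1
    ("10.0.5.10", b"\x00\x03\x00\x00\x00\x06\x02\x05\x00\x00\xff\x00"),  # FC5, unit 2
]
ALLOWED_WRITERS = {"10.0.5.10"}

if __name__ == "__main__":
    asset_map, alerts = monitor(SAMPLE_FRAMES, ALLOWED_WRITERS)
    for client, units in sorted(asset_map.items()):
        print(f"{client} talks to units {sorted(units)}")
    for alert in alerts:
        print("ALERT:", alert)
```

Because Modbus has no authentication, the allow-list of clients permitted to write is the only control a monitor can enforce; the asset map it produces doubles as the starting point for the network mapping recommended below.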

6 best practices for better ICS security

  1. Identify critical processes: Identify which processes would threaten the company most if they failed and focus on securing those first.
  2. Map your network: To defend properly you need to know what you’re defending. Gather information about all the ICS assets (model, type, OS, firmware revision, etc.), how they’re connected, how information moves around the network, and how any parties both internal and external connect to those assets.
  3. Identify likely attack routes: Pen tests and threat modelling can help discern how attackers are likely to try to penetrate your network and compromise your devices. This information can be used to put mitigations and close monitoring in place.
  4. Practice good cyber hygiene: Reduce the number of connections to the internet, use two-factor authentication, use no plaintext passwords, patch regularly, and don’t allow unauthorized external devices on the ICS network.
  5. Create a manageable OS upgrade schedule: Updating industrial systems can be hard but is important and closes a wide avenue of attack. Plan accordingly and roll out updates in a way that is manageable for the IT team. Segregate and monitor closely any system that cannot be updated or replaced.
  6. Remove silos between OT and IT: Integrate OT personnel into your security operations center (SOC) and have IT security teams work in the OT organization to exchange knowledge and give each other a better understanding of the unique requirements for securing such systems.
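Steps 2, 4 and 5 come together once the asset inventory from step 2 is checked against a written policy. The following is an added example, not code from the report: it evaluates a constructed inventory against constructed rules (unsupported OS must be upgraded, and segregated into an isolated zone until it is; no direct internet connection; no remote access without two-factor authentication) and produces the same kind of site-level figures the report uses. The end-of-support dates for the Windows editions are the exact dates assumed here for the years the article gives.

```python
"""Check an ICS asset inventory against a hygiene policy (added example)."""
from dataclasses import dataclass
from datetime import date

# End-of-support dates for the Windows editions named in the article
# (assumed exact dates; the article states the years).
WINDOWS_EOL = {
    "Windows XP": date(2014, 4, 8),
    "Windows 8": date(2016, 1, 12),
    "Windows Vista": date(2017, 4, 11),
    "Windows 7": date(2020, 1, 14),
}


@dataclass(frozen=True)
class Asset:
    """One inventory record (constructed fields)."""
    name: str
    os: str
    zone: str               # e.g. "control", "dmz", "isolated"
    internet_reachable: bool
    remote_access: bool
    mfa: bool


def os_unsupported(asset, today):
    """True when the asset's OS is past its end-of-support date on `today`."""
    eol = WINDOWS_EOL.get(asset.os)
    return eol is not None and today >= eol


def check_asset(asset, today):
    """Return the policy findings for one asset (empty list means compliant)."""
    findings = []
    if os_unsupported(asset, today):
        findings.append("unsupported OS: put on the upgrade schedule")
        if asset.zone != "isolated":
            findings.append("unsupported OS outside isolated zone: segregate and monitor")
    if asset.internet_reachable:
        findings.append("direct internet connection: remove or route via a monitored gateway")
    if asset.remote_access and not asset.mfa:
        findings.append("remote access without two-factor authentication")
    return findings


def site_report(assets, today):
    """Per-asset findings plus site-level figures like those in the report."""
    per_asset = {a.name: check_asset(a, today) for a in assets}
    n = len(assets)
    summary = {
        "assets": n,
        "unsupported_os_pct": round(100 * sum(os_unsupported(a, today) for a in assets) / n),
        "internet_reachable": sum(a.internet_reachable for a in assets),
        "remote_no_mfa": sum(a.remote_access and not a.mfa for a in assets),
    }
    return per_asset, summary


# Constructed inventory for one site, evaluated as of a date in early 2019.
AS_OF = date(2019, 1, 15)
INVENTORY = [
    Asset("HMI-01", "Windows XP", "control", False, True, False),
    Asset("HIST-01", "Windows 7", "dmz", True, True, True),
    Asset("ENG-01", "Windows 10", "control", False, False, False),
    Asset("PLC-GW", "Windows 8", "isolated", False, False, False),
]

if __name__ == "__main__":
    per_asset, summary = site_report(INVENTORY, AS_OF)
    for name, findings in per_asset.items():
        print(name, "OK" if not findings else "; ".join(findings))
    print(summary)
```

Re-running the check with a later `today` is how the upgrade schedule in step 5 stays honest: Windows 7 is compliant in this inventory in January 2019 and becomes a finding the day it leaves support.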