Thousands of critical energy and water systems exposed online for anyone to exploit

While you likely don’t stop to think about water or energy industries when you grab a drink of water or flip on the lights, you would definitely notice if your electricity or water stopped working. You might not know why they stopped working at first, but since critical infrastructure is connected online, then it’s not outside the realm of possibility that hackers remotely caused the outage. In fact, researchers found human machine interface (HMI) systems in thousands of critical water and energy organizations exposed to the internet and just waiting to be exploited; critical functions such as starting or stopping a system can be accessed by anyone, be it nation-state attackers or script kiddies.

Based on the 200 percent increase of SCADA-related vulnerabilities published by Trend Micro’s Zero Day Initiative so far this year, there seems to be an increased interest in exploiting critical infrastructure which has been connected to the internet. So, using OSINT, Shodan for scanning and geostalking to map the physical locations to IPs, Trend Micro forward-looking threat researchers started looking into exposed industrial control systems (ICS) across energy and water industries. According to firm’s new report, Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries (pdf):

The HMIs we discovered were accessible via unauthenticated [virtual network computing] VNC servers; a potential attacker can interact with these exposed HMIs using a VNC viewer. Alarmingly, many of these exposed HMIs have critical functionalities like start, stop, reset, alarm, parameter changes, and so on, easily accessible by anyone. If an attacker accesses these exposed HMIs, then they can inflict serious system damage or cause failures.

As for the energy sector, all exposed oil and gas HMIs covered in the report, except a drilling rig in the Middle East, were in the U.S. Exposed solar, wind, and hydroelectric plant HMIs were in Germany, Spain, Sweden, the Czech Republic, Italy, France, Austria and South Korea. Exposed biogas HMIs were discovered in Germany, France, Italy, and Greece. A hydroelectric plant in Italy was exposed via its security cameras.

Vulnerable water utility HMIs from water treatment plants and industrial water facilities were discovered across the globe. Thanks to being exposed to the public internet, hackers could potentially launch attacks to affect the supply of drinking water. For example, the researchers discovered the main HMI controls for one seawater-to-drinking water treatment plant were exposed online as were the controls for a water heating facility.

Other potential attacks by remote hackers included DDoS, exploitation of vulnerabilities and lateral movement from the exposed ICS device to the core business network. Unlike the researchers, baddies aren’t going to stop at just observing exposed and vulnerable systems. Trend Micro blogged about some of the real-world and supply chain implications.

Potential attackers include nation-state hackers, organized criminal syndicates, cyber-terrorists, competitors, hacktivists, script kiddies and random hackers. Additionally, on underground forums, Trend Micro found threat actors wanting to purchase information about exposed devices and systems as well as ICS/SCADA credentials. There were also cyber attack requests against competitors and sellers looking to profit on data stolen from industry targets.

“Critical infrastructure is a national focal point for cybersecurity – and for cybercriminals, who can pinpoint and exploit the weakest link in these connected systems,” said Mark Nunnikhoven, vice president of cloud research for Trend Micro. “That’s troubling, as Trend Micro Research continues to find critical devices, and the networks that they connect to, needlessly exposed. This exposure, combined with the record number of ICS vulnerabilities reported through the Zero Day Initiative this year, highlights a growing risk that extends into each of our communities.”

The new 70-page report includes defense and security strategies to better protect ICSs, supply chains and HMI systems against the risk of attack.