Critical functions such as starting or stopping a system can be accessed online by anyone, be it nation-state attackers or script kiddies.

While you likely don’t stop to think about water or energy industries when you grab a drink of water or flip on the lights, you would definitely notice if your electricity or water stopped working. You might not know why they stopped working at first, but since critical infrastructure is connected online, it’s not outside the realm of possibility that hackers remotely caused the outage.

In fact, researchers found human machine interface (HMI) systems in thousands of critical water and energy organizations exposed to the internet and just waiting to be exploited; critical functions such as starting or stopping a system can be accessed by anyone, be it nation-state attackers or script kiddies.

Based on the 200 percent increase of SCADA-related vulnerabilities published by Trend Micro’s Zero Day Initiative so far this year, there seems to be an increased interest in exploiting critical infrastructure which has been connected to the internet. So, using OSINT, Shodan for scanning and geostalking to map the physical locations to IPs, Trend Micro forward-looking threat researchers started looking into exposed industrial control systems (ICS) across energy and water industries.

According to the firm’s new report, Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries (pdf):

“The HMIs we discovered were accessible via unauthenticated [virtual network computing] VNC servers; a potential attacker can interact with these exposed HMIs using a VNC viewer. Alarmingly, many of these exposed HMIs have critical functionalities like start, stop, reset, alarm, parameter changes, and so on, easily accessible by anyone. If an attacker accesses these exposed HMIs, then they can inflict serious system damage or cause failures.”

As for the energy sector, all exposed oil and gas HMIs covered in the report, except a drilling rig in the Middle East, were in the U.S. Exposed solar, wind, and hydroelectric plant HMIs were in Germany, Spain, Sweden, the Czech Republic, Italy, France, Austria and South Korea. Exposed biogas HMIs were discovered in Germany, France, Italy, and Greece. A hydroelectric plant in Italy was exposed via its security cameras.

Vulnerable water utility HMIs from water treatment plants and industrial water facilities were discovered across the globe. Thanks to being exposed to the public internet, hackers could potentially launch attacks to affect the supply of drinking water. For example, the researchers discovered the main HMI controls for one seawater-to-drinking water treatment plant were exposed online as were the controls for a water heating facility.

Other potential attacks by remote hackers included DDoS, exploitation of vulnerabilities and lateral movement from the exposed ICS device to the core business network. Unlike the researchers, baddies aren’t going to stop at just observing exposed and vulnerable systems. Trend Micro blogged about some of the real-world and supply chain implications.

Potential attackers include nation-state hackers, organized criminal syndicates, cyber-terrorists, competitors, hacktivists, script kiddies and random hackers. Additionally, on underground forums, Trend Micro found threat actors wanting to purchase information about exposed devices and systems as well as ICS/SCADA credentials. There were also cyber attack requests against competitors and sellers looking to profit on data stolen from industry targets.

“Critical infrastructure is a national focal point for cybersecurity – and for cybercriminals, who can pinpoint and exploit the weakest link in these connected systems,” said Mark Nunnikhoven, vice president of cloud research for Trend Micro. “That’s troubling, as Trend Micro Research continues to find critical devices, and the networks that they connect to, needlessly exposed. This exposure, combined with the record number of ICS vulnerabilities reported through the Zero Day Initiative this year, highlights a growing risk that extends into each of our communities.”

The new 70-page report includes defense and security strategies to better protect ICSs, supply chains and HMI systems against the risk of attack.