Security

Hey, you know what the internet needs? Yup, more industrial control systems for kids to hack

Go on, shove another power plant or factory on the web

By John Leyden

18 SHARE

The number of industrial control systems (ICS) connected to the internet has increased year on year – meaning more and more infrastructure is sitting on the 'net potentially open to attack.

Of the 175,632 internet-accessible ICS equipment detected, approximately 42 per cent were in the US, marking a 10 per cent increase over the previous year (from 50,795 to 64,287). In Germany, which ranks second, researchers found ICS gear behind 13,242 public-accessible IP addresses, up from 12,542 in 2016. The UK ranks sixth.

The figures come from a report put out this week by Positive Technologies, titled ICS Security: 2017 in Review.

The most common software found running on internet-accessible ICS components is the Niagara Framework, which controls machines from air conditioning and power supplies, to telecommunications, alarms, lighting, security cameras, and other important building systems.

Schneider Electric had the highest number of security vulnerabilities (47) publicly disclosed in its products in 2017, with the previous year's leader, Siemens, falling back to second place. Moxa also showed a growing vulnerability count with 36 in 2017 compared to 18 in 2016.

The overall number of exploitable bugs in ICS components is growing year-on-year. The number of vulnerabilities reported by major vendors in 2017 was 197, compared to only 115 in the prior year. Over half of these flaws were of critical or high risk in nature. A large share of the vulnerabilities disclosed in 2017 involved ICS network equipment such as switches, interface converters, and gateways.

A lot of internet-accessible ICS components are actually network devices, such as Lantronix and Moxa interface converters, which represented 12.9 per cent of detected components in 2017, up from five per cent in 2016. Although these gizmos are often regarded as relatively unimportant, they can be quite useful for hackers as stepping stones to more critical equipment.

The growing prevalence of vulnerable ICS kit is a problem because any would-be miscreant can find unprotected industrial control systems simply by searching on Google or Shodan. The release of a new point-and-hack tool, dubbed AutoSploit, that searches for vulnerable devices online using Shodan before using Metasploit's database of exploits to potentially hijack vulnerable devices make an already unpleasant picture even uglier.

Positive Technologies' research is drawn from publicly available sources, such as vulnerability knowledge bases, vendor advisories, exploit databases and packs, research papers, and posts on security websites and blogs.

PT's report [PDF] offers guidelines for improving ICS security. Basic measures that can be taken immediately include separating operational networks from the corporate LAN and external networks (such as the internet), installing security updates as soon as possible, and regularly auditing the security of ICS networks in order to identify potential attack vectors.

“Despite numerous incidents, reports, and large-scale regulatory efforts, it is alarming that, overall, industrial systems aren’t more secure than they were ten years ago. Today, anyone can go on the Internet and find vulnerable building systems, data centers, electrical substations, and manufacturing equipment,” said Vladimir Nazarov, head of ICS Security, at Positive.

“ICS attacks can mean much more than just blackouts or production delays—lives may be at stake. This is why it's so important that before even writing the first line of code, developers design-in the security mechanisms necessary to keep ICS components secure. And, when these mechanisms eventually become outdated, they need to modernise them in a timely manner.”

The study follows the UK government’s announcement earlier in the week that critical industries could be fined up to £17m if they have insufficient cyber security. ®

Sign up to our NewsletterGet IT in your inbox daily

18 Comments

More from The Register

Now Meltdown patches are making industrial control systems lurch

Automation and SCADA-flingers admit fix has affected products

Azure VMs borked following Meltdown patch, er, meltdown

No ETA yet for West Europe machines

Creaking Chromebooks getting Meltdown protection soon

Chrome OS 66 to protect older Intel units, still working on ARM

Win 7, Server 2008 'Total Meltdown' exploit lands, pops admin shells

Plus: Xen admins – you need to get patching your patches, too

More stuff broken amid Microsoft's efforts to fix Meltdown/Spectre vulns

This is going to take a while

Meltdown-and-Spectre-detector comes to Windows Analytics

After flubbing its early responses, Microsoft's thrown sysadmins a bone

Cisco to release patches for Meltdown, Spectre CPU vulns, just in case

Switchzilla is investigating a whole bunch of products

Meltdown/Spectre fixes made AWS CPUs cry, says SolarWinds

CPU utilization up, throughput down, but a second fix may have restored normal service

OpenBSD releases Meltdown patch

And now to see it's an unwelcome imposition or a mere inconvenience

Intel gives Broadwells and Haswells their Meltdown medicine

Chipzilla and Oracle are working their way back through time to deliver fixes