A new report from Boston-based CyberX has uncovered an alarming number of Internet of Things (IoT) and industrial control system (ICS) security vulnerabilities in real-world networks. Unlike other studies of ICS security, which typically rely on survey responses, this study analyzed real-world traffic on 1,800 production IoT/ICS networks. The overall takeaway from the report is that many ICS networks – such as those at oil & gas companies or at pharmaceutical companies – are “soft targets” for potential adversaries looking to take advantage of ICS security vulnerabilities.
A broad range of ICS security vulnerabilities
Now in its third year, the CyberX report highlighted the primary security gaps and security risks that it found by analyzing ICS network traffic. For example, in 62% of cases, CyberX found outdated operating systems that were not being updated, not being patched, or not being supported anymore. This refers primarily to networks running outdated versions of Windows – something that security experts sometimes refer to as the “broken Windows” problem.
But that was really just the tip of the iceberg in terms of ICS security vulnerabilities found in operational technology (OT) networks. For example, 64% of ICS networks used unencrypted passwords – a situation that can be easily exploited by hackers in any brute force attack. In addition, 54% of ICS devices were remotely accessible, which makes them potential points of exposure. In 22% of ICS networks analyzed, there was evidence of “clear and present dangers,” such as malicious network traffic or attempts to access unauthorized ICS devices. And, finally, in 66% of cases, there were no automatic antivirus updates. Given the scope and scale of many IoT/ICS environments, it’s easy to see how manual updating could overlook some devices connected to the main network.
As Phil Neray, VP of Industrial Cybersecurity for CyberX, points out, ICS operating environments come with a unique set of risks that needs to be taken into account: “Operational Technology (OT) and Industrial Control System (ICS) environments — such as energy utilities, oil and gas, manufacturing, pharmaceuticals and chemicals, and transportation — are quite different than IT environments in many ways, typically lacking modern security controls such as network segmentation, encryption, and continuous network security monitoring. In addition, the continuing deployment of unmanaged Industrial Internet of Things (IIoT) and “smart” connected devices brings many benefits — including increased productivity, efficiency, and safety — but also increases the attack surface, and hence the risk, further increasing the need for compensating controls such as continuous monitoring.”
ICS security differs by industry and sector
Interestingly, the CyberX report on ICS security differentiated between ICS networks across a wide range of industries. The goal was clear: to see if certain sectors – such as energy – might be at greater risk of cyber attacks from malicious third-party threat actors. CyberX ranked sectors on a scale of 0 to 100, with 80 as the minimum passing mark for an ICS network, according to the CyberX security framework. Unfortunately, the average score for every sector studied failed to meet even this most basic threshold. For example, the oil & gas sector scored 74 out of 100, followed by electric utilities (70), manufacturing plants (63) and pharmaceutical and chemical companies (62). These are just average scores for entire industries, so some individual companies obviously surpassed the 80-point threshold, even if the sector performed poorly.
This difference in scores, says CyberX, can be accounted for by differing levels of regulatory oversight in these sectors. Take utilities, for example. Everyone knows that utilities are very tightly regulated, and that helps to explain why electric utilities tended to score higher than other sectors, says CyberX.
That finding, of course, introduces the idea that adding greater regulatory oversight over the IoT/ICS sector might lead to enhanced ICS security. One key player in coming up with proper regulatory guidelines might be the National Institute of Standards and Technology (NIST), which has been encouraging tech vendors to come up with IoT solutions that can mitigate ICS security risk.
Steps for improving ICS security
The good news, says CyberX, is that there are at least seven actionable steps that companies can take to improve their overall ICS security profile. By far the most important step, says CyberX, is undertaking a review of an organization’s ICS assets in order to come up with a list of the “crown jewel assets.” These assets are the ones that should be prioritized in terms of coming up with new IoT/ICS defenses. Secondly, organizations should commit to a program of continuous ICS network monitoring. Given the 24/7 risk of hackers worldwide trying to take down an ICS network, organizations should also be monitoring ICS security risks around the clock. And, finally, says CyberX, organizations should commit to a program of behavioral anomaly detection (BAD). This would help organizations spot and then respond to anomalies.
But will organizations really listen to these recommendations? After all, if you compare the 2019 CyberX findings with the 2020 CyberX findings, a very discouraging picture emerges: if anything, the ICS security situation has gotten worse, not better. For example, in 2019, 57% of ICS networks had weak antivirus protections. In 2020, by way of comparison, 66% of ICS networks still were not updating automatically for antivirus protection. In 2019, 69% of ICS networks were using unencrypted (i.e. plaintext) passwords; by 2020, that figure had “improved” to 64%.
ICS security adversaries
In coming up with its ICS security report findings, CyberX outlined both the types of adversaries posing the greatest risk to ICS networks, as well as the ultimate cost to an organization if ICS networks are somehow compromised. In a base-case scenario, an organization could face costly downtime. In a worst-case scenario, an organization might face “catastrophic safety and environment incidents,” or theft of valuable corporate intellectual property.
In terms of key cyber threats and security issues, CyberX suggests that adversaries can be divided into three main categories: nation-states, cybercriminals, and hacktivists. Potentially the most dangerous of these adversaries from the perspective of ICS security are nation-states, which might have a military or strategic reason to attack another nation’s critical infrastructure and grid companies. Without basic safety defenses in place – such as continuous ICS network monitoring – an electric utility might be at very high risk of cyber attack.
Better ICS security must involve top management
The big lesson here from the CyberX report on ICS security is that organizations must be doing more to harden their ICS security defenses. In large part, this means that senior executives and board members need to be doing more. There is a very clear role here for senior corporate leadership to take industrial cyber security more seriously, and to elevate it to a board-level strategic issue.