Industrial control systems (ICS) that run the valves and switches in factories may suffer from inherent weaknesses that cropped up only after they were installed and the networks they were attached to became more widely connected.
The problems are as far-ranging as hard-coded passwords that are publicly available to vulnerabilities in Windows operating systems that are no longer supported but are necessary to run the aging gear, says Sean McBride, attack-synthesis lead analyst at FireEye iSIGHT Intelligence and author of “What About the Plant Floor? Six subversive concerns for industrial environments.”
These weaknesses are often found in the ICS devices supporting critical infrastructure such as water systems and power grids, he says.
There’s nothing shocking or new about the weaknesses, but decision makers need to pay attention to them. Awareness has increased over the past few years, but there’s still room for improvement, he says.
“They need to wrap their minds around what it means,” McBride says. They should seek mitigating controls that can bolster the vulnerable gear and ask, “Which of these apply to me and what responses do I have in place?”
The big 6 vulnerabilities
These are six vulnerabilities that are particularly worrisome:
- Use of unauthenticated protocols
- Outdated hardware
- Weak authentication
- Weak file-integrity checks
- Vulnerable Windows operating systems
- Undocumented third-party relationships
McBride recommends that security pros for these networks inventory all their control devices and check whether they contain any of the major weaknesses. If so, depending on the risk they represent, it may be financially unviable to replace them. But buying more secure devices when it’s time to refresh gear should be part of the purchasing decision, he says.
The most severe of the problems is the use of unauthenticated protocols. “Anyone can plug in and, with the right client, change how a plant operates without authenticating,” he says. That can translate into altering the smarts in programmable logic controllers (PLC) so they, for instance, open or close switches and valves that control flows of fluids or electricity, and turn motors on and off.
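One mitigating control for the unauthenticated-protocol problem is passive monitoring of write commands on the control network. The following is an added example, not code from the article or from FireEye: it assumes Modbus/TCP as the unauthenticated protocol (the article names none), parses the MBAP header and function code, and flags state-changing writes from any host outside a hypothetical allow-list of engineering stations. All addresses and packets are constructed for illustration.

```python
import struct

# Modbus function codes that change process state (writes), per the Modbus spec.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
# Assumed allow-list (hypothetical address): only the engineering station may write.
ALLOWED_WRITERS = {"10.0.5.10"}

def parse_modbus_tcp(payload: bytes):
    """Parse the 7-byte MBAP header and function code of a Modbus/TCP request."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if pid != 0:  # protocol identifier is always 0 for Modbus
        return None
    fc = payload[7]
    return {"tid": tid, "unit": unit_id, "fc": fc, "data": payload[8:8 + length - 2]}

def describe_write(fc, data):
    """Describe the target of a single-coil/register write; multi-writes summarised."""
    if fc in (5, 6) and len(data) >= 4:
        addr, val = struct.unpack(">HH", data[:4])
        if fc == 5:
            return f"coil {addr} -> {'ON' if val == 0xFF00 else 'OFF'}"
        return f"register {addr} -> {val}"
    return "multiple addresses"

def check_packet(src_ip, payload):
    """Return an alert string for a write from a non-allow-listed host, else None."""
    msg = parse_modbus_tcp(payload)
    if msg is None or msg["fc"] not in WRITE_FUNCTION_CODES or src_ip in ALLOWED_WRITERS:
        return None
    return (f"ALERT {src_ip} -> unit {msg['unit']}: {WRITE_FUNCTION_CODES[msg['fc']]} "
            f"({describe_write(msg['fc'], msg['data'])}) from non-allow-listed host")

# Constructed sample traffic: a benign read, a write from the known engineering
# station, and the same write (coil 3 ON) from an unknown host on the plant network.
SAMPLE = [
    ("10.0.5.77", bytes.fromhex("0001000000060103000A0002")),   # FC3 Read Holding Regs
    ("10.0.5.10", bytes.fromhex("00020000000601050003FF00")),   # FC5 write, allowed
    ("10.0.5.200", bytes.fromhex("00030000000601050003FF00")),  # FC5 write, unexpected
]

def scan(packets=SAMPLE):
    return [a for a in (check_packet(ip, p) for ip, p in packets) if a]

if __name__ == "__main__":
    print("\n".join(scan()))
```

In a real deployment the packets would come from a SPAN port or tap rather than a constructed list, and the allow-list would be derived from the asset inventory McBride recommends building.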
Beyond the unauthenticated protocols, some of these industrial control systems, for a variety of reasons, have weak authentication to individual computers and applications. Some have hard-coded passwords, weak passwords, passwords sent in the clear and passwords stored in easily recoverable formats.
As of last September, a publicly available list of hard-coded and default passwords was maintained by researchers, providing information that attackers could use. An element of the Stuxnet attack exploited hard-coded passwords, he says. Exploiting them accounts for a small number of attacks in the real world, but, “The key is they could happen really easily,” McBride says.