Also publicly available are at least eight exploits that are effective against Windows XP, which is now unsupported, the report says. Use of XP and other unsupported platforms such as Windows Server 2003 in human-machine interface (HMI) computers leaves a weakness that could compromise the machines and the devices they control.
The outdated hardware problem stems from gear that was never intended to be on high-volume, internet-connected networks and now is kept online for years during which the network they connect to is upgraded. The high bandwidth traffic on these networks can cause the gear to malfunction, as happened at the Brown’s Ferry Nuclear Generating Station in 2006. In other cases, innocuous network scans turned out not to be so innocuous and crashed PLCs.
Reliance on third parties for software used in industrial control systems can leave the systems vulnerable to attack, the report says. “In our experience, ICS asset owners seldom document and track third-party dependencies in ICS software they operate,” it says.
Heartbleed, which still has not been eradicated, was a third-party problem that affected ICS devices over the past few years, the report says.
File integrity checks are important to ICS because without them, malicious updates to legitimate applications can turn them into weapons. One example cited in the report says that a software vendor’s website was compromised by replacing a vendor’s file with a malicious one. Without an effective integrity check, that swap would go unnoticed.
Sign up for CIO Asia eNewsletters.