Industrial Control Systems (ICS) are supposed to run in physically isolated environment to reduce the possibility of being attacked. ICS are usually run by energy, transportation, aerospace, oil and gas, chemicals, automotive and manufacturing, food and drink, governmental, financial and medical institutions.
However, security company Kaspersky Lab recently discovered 13,698 ICS hosts that are exposed to the Internet, which are likely to belong to large organisations. The company's ICS Threat Landscape report also revealed that most (91.1 percent) of them hosts vulnerabilities that can be remotely exploited, while 3.3 percent of them contain critical and remotely executable vulnerabilities.
"Our research shows that the larger the ICS infrastructure, the bigger the chance that it will have severe security holes. This is not the fault of a single software or hardware vendor. By its very nature, the ICS environment is a mix of different interconnected components, many of which are connected to the Internet and contain security issues," said Andrey Suvorov, Head of Critical Infrastructure Protection at Kaspersky Lab, in a press release.
Overall, Kaspersky found 188,109 hosts with ICS components in the internet across 170 countries. Most of them are located in US and Europe.
The security company said the majority of externally available ICS devices (91.6 percent) use weak internet protocols which open an opportunity for attacker to conduct 'man in the middle' attacks.
In addition, Kaspersky revealed that 92 percent of remotely available ICS hosts have high vulnerabilities, while 87 percent and seven percent contain medium risk and critical vulnerabilities, respectively.
"There is no 100 percent guarantee that a particular ICS installation won't have at least one vulnerable component at any single moment in time. However, this doesn't mean that there is no way to protect a factory, a power plant or even a block in a smart city from cyber-attacks. Simple awareness of vulnerabilities in the components used inside a particular industrial facility is the basic requirement for security management of the facility. That was one of the goals behind our report, to bring awareness to interested audiences," explained Suvorov.
Besides that, Kaspersky advised organisation to conduct a security audit and invite experts to identify the remove the security loopholes in its ICS environment. Requesting external intelligence from vendors may also help organisations predict possible attacks in its industrial infrastructure.
Kaspersky added organisations must evaluate advanced methods of protection, regularly check the integrity of its controllers, and implement a specialised network monitoring to increase the overall security of the company as well as reduce the chances of a breach.
Sign up for CIO Asia eNewsletters.