Infrastructure Systems Lack Firewalls, Authentication, Basic Security
The Department of Homeland Security and the Federal Bureau of Investigation have reissued their warning from last year that industrial control systems that operate critical infrastructure and complicated machinery are still not properly protected.
Thousands of industrial control systems that are connected to the Internet lack proper firewalls or aren't using strong authentication methods, making them vulnerable to attack, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the Department of Homeland Security said in its warning Dec. 9.
Malicious perpetrators can discover these industrial control systems using search engines such as Shodan, which indexes devices with embedded and active Web servers, according to the warning.
Control systems don't need to be connected to the Internet, but they are often online to make it easier for administrators to remotely monitor the systems. "All too often, remote access has been configured with direct Internet access (no firewall) and/or default or weak user names and passwords," said ICS-CERT in its warning, adding that adversaries can use the information to identify control systems that are vulnerable to attack.
There's a trade-off between making it easy to do work and increasing security, Joe Schorr, enterprise security practice manager for Creative Breakthroughs, told eWEEK. Organizations have to decide whether the systems and data being protected are worth locking down business, Schorr said.
"ICS-CERT is tracking and has responded to multiple reports of researchers using Shodan, Every Routable IP Project (ERIPP), Google and other search engines to discover Internet-facing control systems," according to the alert.
The increasing "connectedness" of infrastructure not only makes utility companies more vulnerable to cyber-attacks, but increases the effect on other infrastructure capabilities when one is affected, Chris Petersen, CTO of LogRhythm, told eWEEK.
The supervisory control and data-acquisition systems used within industrial companies were not designed to be secure, and much of the existing infrastructure was developed and deployed prior to the Internet, according to Petersen. Security was considered in the physical sense, so many of the devices transmit data in clear text, have limited or nonexistent logging capabilities and employ very basic authentication methods, Petersen said.
"Nobody imagined SCADA supervisory control and data acquisition devices and their associated serial protocols would later be converted to IP and made accessible to untrusted networks," said Petersen.
ICS-CERT said that it's working with control system vendors to remove default credentials from their products, especially since so many of these credentials are mentioned in publicly accessible materials.