Tomer Basin, Yuval Sade, Yaelle Harel
It’s a well-known fact that OT networks are exposed and vulnerable. Yet even our researchers were overwhelmed by the extent of the risk they encountered during recent research.
The research set out to analyze the state of industrial control systems (ICS) with interfaces open to public access via the Internet, without regard for industry or geographical area. The only criterion for the scan was that the protocol used by the identified open interface would be one typically in use in OT environments. Our findings should serve as a wake-up call for any company with OT devices.
Industrial Control Systems run nearly every digitized industrial operation on the planet. From manufacturing to critical infrastructure, ICS comprises the devices, systems, networks, and controls used to operate and/or automate industrial processes. This means that unauthorized access to, or manipulation of, an ICS can seriously impact both business continuity and human safety.
The scan found a total of 108,635 unique open IPs, apparently belonging to 10,114 organizations. All exposed devices were using common ICS protocols.
North American organizations had the most exposed IPs (31%), followed by Europe (30%) and Asia (19%).
The exposed IPs belonged to organizations from all industries and sectors, including a multitude of manufacturing, energy, water utility, transportation, and shipping companies.
The research was able to confirm that the vast majority of these IPs belong to ICS devices (66,781, or ~61%, belonging to 7,230 organizations). OTORIO researchers were also able to map cloud devices (nearly 14% of exposed IPs), which means that while the transformation to cloud infrastructure is gaining momentum, it does not come without risk. IoT devices made up only 0.04% of the exposed IPs. This may be surprising at first glance; however, the research did not include a deep analysis of the devices (for ethical reasons), and such analysis might have mapped more IoT devices. All told, about 25% of the exposed IPs were of uncategorized devices.
With more than 18,000 exposed devices, the US has by far the largest number of exposed devices, followed by other industrialized countries including Canada, Italy, France, Spain and Germany. In other words, many of the world’s leading industrialized markets are at risk.
The geographic and country distribution is depicted in the diagrams below. It’s important to note that 14% of IPs could not be assigned a geography without deeper research, which for ethical reasons OTORIO researchers refrained from doing.
The threat to industrial resilience posed by exposures like those mentioned above is no longer underestimated by governments and regulators. In fact, a long list of standards and regulations now apply directly to OT networks, with more emerging every month. From NIST-CSF, NERC-CIP, and IEC 62443 in North America to the NIS Directive [1] in the EU, standards are tighter and more detailed, and penalties for noncompliance are dramatically more serious.
In the US, following the notorious Colonial Pipeline attack in May of this year, a series of cybersecurity directives for critical pipeline owners and operators were released by the Department of Homeland Security. And just last month (October 2021), the US Cybersecurity and Infrastructure Security Agency (CISA) warned of imminent cyber threats to the US Water and Wastewater Systems (WWS) sector [2] and of threats to critical infrastructure entities [3] from attacks using BlackMatter ransomware.
In the US legislature, at least 18 new cybersecurity bills [4] have been introduced in 2021 with the aim of strengthening oversight over the nation’s connected critical infrastructure.
Exposed ICSs like those found in our research pose a serious risk. They can be easily exploited by hackers to directly affect physical assets like machinery, power generators, or water treatment equipment. Unlike attacks directed against IT-centric organizations, which can result in data theft or computer system malfunction, attacks against ICS carry a high risk of directly endangering human life, not to mention production capacity, the brand and the overall business.
The reason this is all happening? Industry and critical OT infrastructure evolved from air-gapped standalone environments into a hyper-connected ecosystem. This trend has not escaped the notice of cybercriminals, who are constantly scaling up their attacks against vulnerable industrial systems, attacks that have proven to be highly lucrative.
By using stolen credentials and by exploiting vulnerabilities, attackers can use the exposed devices to break into the operational network and cause severe damage including:
The fact that a random scan revealed nearly 70,000 exposed ICS devices is a red flag for the industry as a whole. In any industry, organizations with ICS devices should perform a domain scan of Internet-connected devices immediately using a search engine like Shodan [5]. The rule is simple: your ICS devices should never be accessible from the Internet. Furthermore, they shouldn’t be accessible from unprotected network segments or hosts.
OTORIO can help your business by performing an ICS vulnerability assessment and a risk assessment in your operational network, making sure that all vulnerabilities are addressed, especially for devices connected to the Internet. The scan delivers full visibility of your operational network and provides contextual data to help you understand the impact of any risk to your unique production environment.
Taking advantage of OTORIO’s solutions you can implement a zero-trust approach - minimizing network exposure for all ICS devices and ensuring that they’re not accessible via the Internet or by any unauthorized users.
Lastly, OTORIO’s secure remote connectivity solution helps you to secure your supply chain. Many risks come from third-party vendors. OTORIO helps you make sure you understand the device's settings and the associated risks for each connected vendor.
For more information don’t hesitate to contact our experts.
* * *
The research was conducted as a passive search using a publicly available search engine. The search was limited to devices using a protocol commonly used in OT networks, for example devices that have the MODBUS port open.
The result of this passive search provided information about the device type, the geographical location of the IP address and the industry. When a piece of identifying data was missing (i.e., type, location, or industry), we did not pursue further checks and marked the exposed IP as “other”.
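As an added example (not OTORIO's code), the script below applies the methodology just described to a passive-scan export of an organization's own address space, the self-check recommended earlier: it keeps only records on OT protocol ports, applies the "missing data becomes other" rule, and produces the same kinds of counts the post reports. The record format and all sample records are constructed for this example; real search-engine exports use different field names, and the non-Modbus ports are standard IANA assignments added here, not taken from the post.

```python
"""Classify a passive-scan export of exposed OT interfaces (constructed example)."""
import json
from collections import Counter
from typing import Optional

# Well-known TCP ports of OT protocols. Modbus/TCP is the one the post names;
# the other three are standard IANA assignments added for completeness.
OT_PORTS = {502: "Modbus/TCP", 102: "S7comm (ISO-TSAP)", 20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed sample export, one JSON record per exposed IP (documentation-range addresses).
SAMPLE_EXPORT = """\
{"ip": "198.51.100.10", "port": 502, "org": "Example Water Utility", "country": "US", "device_type": "plc"}
{"ip": "198.51.100.11", "port": 502, "org": "Example Water Utility", "country": "US", "device_type": null}
{"ip": "203.0.113.5", "port": 102, "org": null, "country": "DE", "device_type": "plc"}
{"ip": "203.0.113.9", "port": 443, "org": "Example Corp", "country": "FR", "device_type": "webserver"}
{"ip": "192.0.2.77", "port": 44818, "org": "Example Motors", "country": null, "device_type": "cloud"}
"""

def classify(record: dict) -> Optional[dict]:
    """Keep only records on an OT port; any missing identifying field becomes "other"."""
    proto = OT_PORTS.get(record.get("port"))
    if proto is None:
        return None  # not an OT protocol, so outside the study's scope
    return {
        "ip": record["ip"],
        "protocol": proto,
        "org": record.get("org") or "other",
        "country": record.get("country") or "other",
        "device_type": record.get("device_type") or "other",
    }

def summarize(export: str) -> dict:
    """Counts mirroring the post's figures: unique IPs, organizations, per-field breakdowns."""
    parsed = (classify(json.loads(line)) for line in export.splitlines() if line.strip())
    rows = [r for r in parsed if r is not None]
    orgs = {r["org"] for r in rows if r["org"] != "other"}
    unlocated = sum(r["country"] == "other" for r in rows)
    return {
        "unique_ips": len({r["ip"] for r in rows}),
        "organizations": len(orgs),
        "by_protocol": dict(Counter(r["protocol"] for r in rows)),
        "by_country": dict(Counter(r["country"] for r in rows)),
        "by_device_type": dict(Counter(r["device_type"] for r in rows)),
        "unlocated_share": round(unlocated / len(rows), 2) if rows else 0.0,
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EXPORT), indent=2))
```

Any non-empty result from your own address ranges is a finding to act on: the post's rule is that no ICS interface should be reachable from the Internet at all.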
1. Penalties, Best Practices for Compliance, and More
2. Cybersecurity & Infrastructure Security Agency - Ongoing Cyber Threats to U.S. Water and Wastewater Systems Sector Facilities
3. Cybersecurity & Infrastructure Security Agency - Alert (AA21-291A) - BlackMatter Ransomware
4. CSOonline - 18 new cybersecurity bills introduced as US congressional interest heats up
* * *
OTORIO designs and markets the next generation of OT security and digital risk management solutions. The company combines the experience of top nation-state cybersecurity experts with cutting-edge digital risk management technologies to provide the highest level of protection for the critical infrastructure and manufacturing industry. Visit our website: www.otorio.com