Over 600 weaknesses have been found in US industrial control systems (ICS) in critical infrastructure (CI) environments such as water, energy and gas supply, according to a new report from the US ICS-CERT.
The report covered 112 assessments carried out by ICS-CERT in 2015 on facilities across the US (see map below) as part of the organisation's remit to “prevent, protect against, mitigate and respond to cyber and communications disruptions to CI”.
The assessments comprised 46 Design Architecture Reviews and 28 Network Architecture Verification and Validation checks carried out directly with CI operators and owners.
A further 38 were Cyber Security Evaluation Tool tests that can include self-assessments by CI operators. Data from these tests is not retained by ICS-CERT.
The inspections revealed a worryingly high 638 weaknesses, the most common of which was ‘boundary protection’, which ICS-CERT said could have serious consequences.
“Boundary protection effectively slows attack processes and facilitates detection, analysis and notification of unauthorised activity to support operational and incident response,” said the report.
“[Without] strong protection, attackers can more easily penetrate the network boundary around critical assets, access valuable information and manipulate systems controlled by ICS.”
Another major problem was ‘least functionality’, which covers the principle of reducing risk by giving employees only the systems access they require. ICS-CERT said that it found numerous problems in this area.
“Specific issues include insufficient use of whitelisting; employing insecure, outdated or otherwise vulnerable operating system services; and leaving communications ports accessible when not required for system operations,” the report said.
“Shutting down all non-essential ports, services and applications reduces the attack surface of the ICS and improves the ability to monitor and provide analysis of essential communications traffic.”
Cloud and BYOD risks
The ICS report also identified new IT trends that pose a risk to CI, including inadequate security controls for virtual machines and remote access tools, and the rise of bring-your-own-device policies.
“Use of BYODs to access personal email, web pages and social media applications is inherently high risk to ICS. This risk must be considered by the organisation, and appropriate measures, such as mobile device management systems, should be put into place to mitigate the risk to acceptable levels,” said the report.
An increase in the use of cloud services by CI owners and operators was also noted as being of concern.
“Organisations must ensure that the parts of any ICS architecture hosted externally have a level of security consistent with the criticality of the functions of the ICS operation,” the report said.
“Organisations must also consider ICS operational information integrity, security and confidentiality, as well as the functional and operational details associated with recovery, event/incident management, failover, forensic support, monitoring and other operational sequences that require special support by the cloud-hosting service provider.”
The assessments covered several sectors, as the diagram below shows, giving some insight into just how far-reaching the problems have become.
A report in 2015 warned that a cyber attack on the US power grid and related infrastructure could cost the country as much as $1tn in economic damage.
ICS-CERT explained that CI organisations must do everything in their power to put strong security in place across their operations, given its importance to the nation.
“The protection of the nation’s CI is essential for ensuring public confidence and safeguarding safety, prosperity and well-being,” the report concluded.
“Much of our CI depends on automated control systems to manage industrial processes efficiently and securely, so it is essential that organisations conduct security assessments so that they can understand how best to secure this architecture against cyber threats.”
David Emm, principal security researcher at security company Kaspersky Lab, told V3 that the findings of the report are worrying.
"No-one wants to have an assessment come back with flaws in it, just as when you go to the dentist you don't want to hear you need a filling," he said.
However, Emm noted that the rise in attackers looking at ICS environments will invariably mean that the number and types of flaws that can be exploited will increase.
"Since 2009 we've seen more systems being prodded and poked by attackers, so the numbers will start to go up," he said.
Nevertheless, with cyber attackers from Russia and China regularly believed to have accessed the core systems of major US businesses, the fact that so many flaws exist in ICS environments certainly poses concerns that attackers could infiltrate, or have already infiltrated, systems of vital national importance.