A recent analysis conducted by cyber-risk firm Bitsight has revealed that there are approximately 100,000 industrial control systems (ICS) exposed to the public Internet worldwide. These ICS are responsible for controlling critical operational technologies such as power grids, water systems, and building management systems. While the number itself is concerning, researchers emphasize the need to consider the protocols used by these systems in order to accurately assess the cyber-risk they pose.
By inventorying reachable devices that utilize the top 10 most popular and widely used ICS protocols, including Modbus, KNX, BACnet, and Niagara Fox, Bitsight arrived at the figure of 100,000 exposed ICS systems. This extensive footprint of exposed ICS presents an alluring target for cyber attackers and poses a global risk to physical safety in at least 96 countries. Recent incidents such as malware designed to compromise power grids and the Colonial Pipeline hack demonstrate the real-world consequences of these vulnerabilities.
The implications of this exposure are far-reaching, as these systems control a significant portion of our society’s physical infrastructure, ranging from traffic lights to vaccine production. Interference with them could lead to severe business disruption, threats to human safety, compromise of data and intellectual property, national security risks, and more.
Pedro Umbelino, principal security researcher at Bitsight, emphasizes that there is typically no valid reason for this type of equipment to be directly accessible via the Internet. This suggests that the risk level associated with exposed ICS systems could be mitigated through proper security measures.
“The systems we identified as Internet-facing could be due to misconfigurations, or neglect of best practices,” Umbelino explains. “Typically, attackers scan for Internet-facing systems and then gather information to determine if that system has a vulnerability. So if systems are behind a firewall or otherwise not Internet facing, then much of the risk of exploitation is mitigated.”
To truly understand the risk within ICS environments, it is crucial to consider more than just the number of devices reachable from the Internet. The protocols used by these systems can provide valuable insights into potential weaknesses that cyber attackers may exploit. Some protocols lack basic security measures such as authentication, leaving devices open to anyone who can reach them. Additionally, certain protocols provide attackers with valuable information for target reconnaissance, making their task of finding exploits much simpler. Each protocol in use also signals a different set of devices, vendors, supply chains, and software in an organization’s exposed attack surface.
Furthermore, organizations should take into account that attacks tailored to a specific protocol can also be targeted geographically. Bitsight highlights that exposed industrial control systems using specific protocols are concentrated in different regions. For example, systems using CODESYS, KNX, Moxa Nport, and S7 are primarily found in the European Union (EU), while systems using ATG and BACnet are more prevalent in the US. Modbus and Niagara Fox, on the other hand, are globally present. This information allows ICS-owning organizations to prioritize their security strategies and identify areas of high risk.
While the findings of the analysis serve as a wake-up call for critical infrastructure stakeholders, it is worth noting that the level of ICS exposure has actually decreased over time. This decrease occurred despite the transition to “smart” operational technology (OT) environments and increased digitization. In 2019, the number of exposed ICS devices within the parameters of the study was nearly 140,000. Initiatives like CISA’s “Securing Industrial Control Systems: A Unified Initiative” and ongoing discussions within the security community may have contributed to this decline. Additionally, the advent of Industry 4.0 has introduced new technologies and more mature security programs, making ICS environments more secure.
To improve ICS security and reduce exposure, owners of ICS environments should consider implementing the following measures recommended by Bitsight:
1. Identify all ICS deployed within the organization and assess their security promptly.
2. Remove any ICS systems from the public Internet.
3. Implement safeguards such as firewalls to protect against unauthorized access.
4. Recognize the unique control needs of OT, including ICS, and tailor security measures accordingly, rather than relying solely on traditional IT risk models.
5. Reduce exposure by using firewalls, configuring access controls, and employing mechanisms like virtual private networks to limit the reachability of ICS devices.
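As an added illustration of the measures above (not code from Bitsight or the original article), the following Python sketch audits an exported list of inbound firewall allow rules for the ICS protocols named in this article. The port numbers are the commonly documented defaults for each protocol and should be confirmed against your own devices; the CSV layout, rule names, and addresses are constructed sample data, and only IPv4 sources are handled.

```python
import csv
import io
import ipaddress

# Commonly documented default ports (assumption: verify per device/vendor).
ICS_PORTS = {
    ("tcp", 502): "Modbus",
    ("udp", 3671): "KNX",
    ("udp", 47808): "BACnet",
    ("tcp", 1911): "Niagara Fox",
    ("tcp", 4911): "Niagara Fox (TLS)",
    ("tcp", 2455): "CODESYS",
    ("udp", 4800): "Moxa NPort",
    ("tcp", 102): "S7",
    ("tcp", 10001): "ATG",
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: inbound allow rules exported from a perimeter firewall.
SAMPLE_RULES = """\
name,proto,source,dest,ports
hist-vpn,tcp,10.8.0.0/24,10.20.1.5,502
bms-vendor,udp,0.0.0.0/0,10.30.0.10,47808
plc-remote,tcp,203.0.113.0/24,10.20.1.7,102
web,tcp,0.0.0.0/0,10.1.1.1,443
fox-any,tcp,0.0.0.0/0,10.30.0.11,1900-1920
"""

def port_range(spec):
    """Parse '502' or '1900-1920' into an inclusive (low, high) tuple."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def audit(rules_csv):
    """Return (rule, protocol, port, scope) for ICS ports open to non-internal sources."""
    findings = []
    for rule in csv.DictReader(io.StringIO(rules_csv)):
        src = ipaddress.ip_network(rule["source"])
        if any(src.subnet_of(net) for net in RFC1918):
            continue  # source is internal (e.g. a VPN pool), not Internet-facing
        lo, hi = port_range(rule["ports"])
        scope = "any-source" if src.prefixlen == 0 else "public-source"
        for (proto, port), name in ICS_PORTS.items():
            if proto == rule["proto"] and lo <= port <= hi:
                findings.append((rule["name"], name, port, scope))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Rules flagged as `any-source` are the direct Internet exposure the article describes; `public-source` rules are restricted to specific external ranges but still bypass the VPN-only model recommended in step 5.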
In summary, the extensive number of exposed ICS systems poses a significant cyber-risk to critical infrastructure worldwide. However, proper security measures and the consideration of protocols can help mitigate these risks. It is crucial for organizations to prioritize ICS security and take appropriate steps to protect these systems from cyber threats.

