Number of ICS devices connected to internet increases, raising security concerns
A report from Positive Technologies found the number of industrial control systems (ICS) accessible over the internet increased over the previous year. Using the Shodan, Censys and Google search engines, Positive Technologies researchers identified 175,632 ICS-like components accessible from the Web. Of all the systems identified in 2017, 66,587 were accessible via HTTP, followed by the Fox building automation protocol at 39,168.
The highest percentage of exposed devices, at 42%, was in the United States, according to the report. The number of internet-accessible ICS components in the U.S. increased to 64,287, followed by Germany with 13,242, France with 7,759, Canada with 7,371, Italy with 5,858, and China with 4,285.
Eric Byres, security expert and chief executive at aDolus Inc, said, "What this tells me is not that the core security of the industrial ICS world is getting worse, but rather connected edge devices in related industries like building automation, water management or access management are flooding onto the market. The security of these ‘secondary’ deployments is not being well thought out. So, the bad guys can’t suddenly see and hack more industrial distributed control systems (DCS), but they have lots of poorly designed IoT targets to choose from instead.
"This is the Achilles heel of the Internet of Things (IoT) and Industrial Internet of Things (IIoT) world – we are making everything from power drills and video cameras to coffee makers ‘web connected’ without considering the security implications. Sure, it is wonderful that I can remotely connect to my office’s security cameras over the web, but who else have I just let do the same thing?" Byres asked.
The report appeared to indicate an increase in IoT or IIoT connectivity, which could increase the number of devices connected to the internet.
"I do believe that the widespread adaptation of IoT devices will make a difference, I am just concerned that someone might misclassify an IoT device for an IIoT device—as in the case of a Lantronix serial-to-Ethernet converter," said Joel Langill, director of ICS Cyber Security services at AECOM. "If you do not know what the device is connected to, how can you classify it as ICS or not? This is like saying that all Windows devices are non-ICS classified. We know that is not a true statement, so why not use the same logic for embedded devices?"
Visible on net
Whether the devices belonged to ICS or to some other industry, the fact is they were out there on the internet and visible.
"I have no way to refute or affirm these findings, nor do I have reason to doubt them," said Eric C. Cosman, contributing consultant with ARC Advisory Group. "I suppose that some of the change may be the result of ‘looking harder’ with better search strings and criteria. Just as with Google, you probably find more information if you know exactly what to look for. That said, I wouldn’t be surprised if more systems are being connected. This could be a result of any number of things, including:
- Increased pressure to grant remote access for support purposes, perhaps combined with assurances from the service provider that they have adequate security in place. After all, visibility does not necessarily equate to access. The latter can only be confirmed by penetration testing.
- Lack of critical assessment and review of newly installed devices or systems. Some people may have this connectivity without even realizing it."
Langill feels security on internet-connected devices is suspect. "This is not to say that a lot of ICS devices are being connected to the internet that should not be," he said. "The basic definition of ‘security’ varies widely from vendor to vendor, and someone might offer a ‘secure remote access’ solution and only offer basic password authentication security or maybe a TLS/SSL connection. I am beginning to see more and more packaged solutions on the internet with minimal security enabled. I would like to see more people incorporate basic cyber security requirements into their purchasing documents. The ‘Cyber Security Procedure Language for ICS’ by DHS/ICS-CERT is a wonderful starting point."
While the numbers are higher this year, there is no doubt the rate will increase in years to come: connectivity is only going to grow because its benefits far outweigh the negatives.
"Enterprise-wide digitalization and Industrie 4.0 initiatives necessarily require connectivity to the internet for tight integration between sensors and smart computers," said Eddie Habibi, chief executive and founder of PAS, Global. "Meanwhile, cyber attackers are becoming more sophisticated and the frequency of attacks is on the rise. (This all) poses a serious risk to industrial safety and profitability that must be addressed as the wave of digital manufacturing transformation evolves. But cybersecurity is a risk we should manage and not fear. We must not abandon progress in the face of cyber threats. I don’t believe the threat of cybersecurity is going to stand in the way of digitalization and smart manufacturing. It is just another hurdle to overcome. Just like any other risk, we must understand it, take decisive measures to protect against it, and make security awareness a part of our culture as we have done so effectively with safety."
Manufacturing automation professionals should avoid falling for the hype, understand the data, and put it in the proper perspective.
"Lessons learned from safety incidents in the late 1980s and the subsequent industry best practices and regulations like OSHA 1910.119 can serve as successful models for addressing the cybersecurity challenge," Habibi said. "With that said, what makes cybersecurity a greater challenge than safety is that with safety you do not have outside actors maliciously attacking your operations."
Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, firstname.lastname@example.org.