Number of ICS devices connected to internet increases, raising security concerns

The number of industrial control system (ICS) devices connected to the internet has increased according to a report, and it raises some concerns about secondary and ancillary devices connected to the ICS that could be compromised.

03/22/2018


A report from Positive Technologies found the amount of industrial control systems (ICS) accessible over the internet increased over the previous year. Using the Shodan, Censys and Google search engines, Positive Technologies researchers identified 175,632 ICS-like components accessible from the Web. Of all the systems identified in 2017, 66,587 were accessible via HTTP, followed by the Fox building automation protocol at 39,168.

The highest percentage of exposed devices, at 42%, was in the United States, according to the report. The number of internet-accessible ICS components in the U.S. increased to 64,287, followed by Germany with 13,242, France with 7,759, Canada with 7,371, Italy with 5,858, and China with 4,285.

Closer look

Eric Byres, security expert and chief executive at aDolus Inc, said, "What this tells me is not that the core security of the industrial ICS world is getting worse, but rather connected edge devices in related industries like building automation, water management or access management are flooding onto the market. The security of these 'secondary' deployments are not being well thought out. So, the bad guys can't suddenly see and hack more industrial distributed control systems (DCS), but they have lots of poorly designed IoT targets to choose from instead.

"This is the Achilles heel of the Internet of Things (IoT) and Industrial Internet of Things (IIoT) world - we are making everything from power drills and video cameras to coffee makers 'web connected' without considering the security implications. Sure, it is wonderful that I can remotely connect to my offices security cameras over the web, but who else have I just let do the same thing?" Byres asked.

The report appeared to be an indicator of an increase in IoT or IIoT connectivity which could increase the amount of devices connected to the internet.

"I do believe that the widespread adaptation of IoT devices will make a difference, I am just concerned that someone might misclassify an IoT device for an IIoT deviceā€”as in the case of a Lantronix serial-to-Ethernet converter," said Joel Langill, director of ICS Cyber Security services at AECOM. "If you do not know what the device is connected to, how can you classify it as ICS or not? This is like saying that all Windows devices are non-ICS classified. We know that is not a true statement, so why not use the same logic for embedded devices."

Visible on net

Whether the devices were ICS or some other industry the fact is they were out there on the internet and visible.

"I have no way to refute or affirm these findings, nor do I have reason to doubt them," said Eric C. Cosman, contributing consultant with ARC Advisory Group. "I suppose that some of the change may be the result of 'looking harder' with better search strings and criteria. Just as with Google, you probably find more information if you know exactly what to look for. That said, I wouldn't be surprised if more systems are being connected. This could be a result of any number of things, including:

  • Increased pressure to grant remote access for support purposes, perhaps combined with assurances from the service provider that they have adequate security in place. After all, visibility does not necessarily equate to access. The latter can only be confirmed by penetration testing.
  • Lack of critical assessment and review of newly installed devices or systems. Some people may have this connectivity without even realizing it."

Langill feels security on internet-connected devices is suspect. "This is not to say that a lot of ICS devices are being connected to the internet that should not be," he said. "The basic definition of 'security' varies widely from vendor to vendor, and someone might offer a 'secure remote access' solution and only offer basic password authentication security or maybe a TLS/SSL connection. I am beginning to see more and more packaged solutions on the internet with minimal security enabled. I would like to see more people incorporate basic cyber security requirements into their purchasing documents. The 'Cyber Security Procedure Language for ICS' by DHS/ICS-CERT is a wonderful starting point."

Connectivity growing

Image courtesy: Ilya Pavlov/UnsplashWhile the numbers are higher this year, there is no doubt the rate will increase in years to come because connectivity is just going to increase because the benefits far outweigh the negatives.

"Enterprise-wide digitalization and Industrie 4.0 initiatives necessarily require connectivity to the internet for tight integration between sensors and smart computers," said Eddie Habibi, chief executive and founder of PAS, Global. "Meanwhile, cyber attackers are becoming more sophisticated and the frequency of attacks are on the rise. (This all) poses a serious risk to industrial safety and profitability that must be addressed as the wave of digital manufacturing transformation evolves. But cybersecurity is a risk we should manage and not fear. We must not abandon progress in the face of cyber threats. I don't believe the threat of cybersecurity is going to stand in the way of digitalization and smart manufacturing. It is just another hurdle to overcome. Just like any other risk, we must understand it, take decisive measures to protect against it, and make security awareness a part of our culture as we have done so effectively with safety."

Not falling for the hype and understanding data and putting it in the proper perspective should be the way to go for manufacturing automation professionals.

"Lessons learned from safety incidents in the late 1980s and the subsequent industry best practices and regulations like OSHA 1910.119 can serve as successful models for addressing the cybersecurity challenge," Habibi said. "With that said, what makes cybersecurity a greater challenge than safety is that with safety you do not have outside actors maliciously attacking your operations."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, cvavra@cfemedia.com.

ONLINE extra

See related stories from ISSSource linked below.



Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
Human Factors and the Impact on Plant Safety
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
July 2018
Ladder logic best practices and object-oriented programming, safety instrumented systems, enclosure design issues and challenges, process control advice
June 2018
Discrete and process sensor fundamentals, autotuning controls, system integrator roundtable
May 2018
Salary and Career Survey, IT and OT convergence, robotic standards and safety, secure circuit protection
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
Data Center Design
Data centers, data closets, edge and cloud computing, co-location facilities, and similar topics are among the fastest-changing in the industry.
PLCs
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. Featured articles in this digital report compare PLCs and programmable automation controllers (PACs), industrial PCs, and robotic controllers.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

June 2018
Machine learning, produced water benefits, progressive cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
February 2018
Focus on power systems, process safety, electrical and power systems, edge computing in the oil & gas industry
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
Human Factors and the Impact on Plant Safety
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
July 2018
Ladder logic best practices and object-oriented programming, safety instrumented systems, enclosure design issues and challenges, process control advice
June 2018
Discrete and process sensor fundamentals, autotuning controls, system integrator roundtable
May 2018
Salary and Career Survey, IT and OT convergence, robotic standards and safety, secure circuit protection
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
Data Center Design
Data centers, data closets, edge and cloud computing, co-location facilities, and similar topics are among the fastest-changing in the industry.
PLCs
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. Featured articles in this digital report compare PLCs and programmable automation controllers (PACs), industrial PCs, and robotic controllers.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

June 2018
Machine learning, produced water benefits, progressive cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
February 2018
Focus on power systems, process safety, electrical and power systems, edge computing in the oil & gas industry
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
Human Factors and the Impact on Plant Safety
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
July 2018
Ladder logic best practices and object-oriented programming, safety instrumented systems, enclosure design issues and challenges, process control advice
June 2018
Discrete and process sensor fundamentals, autotuning controls, system integrator roundtable
May 2018
Salary and Career Survey, IT and OT convergence, robotic standards and safety, secure circuit protection
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
Data Center Design
Data centers, data closets, edge and cloud computing, co-location facilities, and similar topics are among the fastest-changing in the industry.
PLCs
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. Featured articles in this digital report compare PLCs and programmable automation controllers (PACs), industrial PCs, and robotic controllers.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

June 2018
Machine learning, produced water benefits, progressive cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
February 2018
Focus on power systems, process safety, electrical and power systems, edge computing in the oil & gas industry
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me