The risk to industrial control systems: CyberX looks at the data
Think of CyberX's 2020 Global IoT/ICS Risk Report as a kind of parent-teacher conference for industrial cybersecurity. The pupils show some promise, but they could use some help with their homework. The median security score CyberX awards across all industrial sectors is a 69, which our local schools would rate an F. A high F, but a failing grade nonetheless.
On the last day of SecurityWeek's 2019 ICS Cyber Security Conference CyberX's Phil Neray presented the results of his company's study of the network traffic they observed in the course of monitoring ICS and IoT networks. CyberX collected the traffic through passive, agentless monitoring. Their analysis used the companies deep packet inspection and network traffic analysis technology to analyze that traffic. The company emphasized that their analysis dealt with "anonymized and aggregated metadata, with all customer-identifying information removed."
Neray began his presentation with an image of an apparently rogue device found attached to a customer's network. This is the sort of lurid caper that attracts headlines, and it certainly happens, but he offered the example in contrast with the far more prosaic threats and vulnerabilities that in fact afflict the industrial space. These risk trends he summed up under six headings:
- "Broken Windows." The problem here is the widespread use of outdated and even beyond-end-of-life operating systems. The greater part of these are Windows systems. 62% of the sites CyberX observed used old and no-longer-supported Microsoft software (including Windows XP and Windows 2000). This will probably get worse before it gets better: when Windows 7 reaches the end of its support this coming January, that fraction can be expected to rise to 71%. Unsupported operating systems increase the vulnerability of enterprises to ransomware and destructive attacks.
- "Hiding in Plain Sight: Unencrypted Passwords." The researchers found unencrypted passwords crossing 64% of the networks they observed.
- "Excessive Access: Remotely Accessible Devices." Enabling remote access is attractive for any number of reasons involving convenience, cost, flexibility and even resilience, but 54% percent of the sites observed were connected to devices with standard protocols (RDP, SSH, VNC) implemented in a fashion that could permit attackers to pivot into critical assets.
- "Clear and Present Danger: Indicators of Threats." Indicators of threats were found on 22% of the sites. These included not only dangerous signatures for such threats as LockerGoga and EternalBlue, but suspicious behavior like scanning traffic, excessive connections, malicious DNS queries, and abnormal HTTP headers.
- "Not Minding the Gap: Direct Internet Connections." Far too many of the sites analyzed--some 27% of them--were directly connected to the Internet.
- "Stale Signatures: No Automatic Antivirus Updates." Antivirus is not a panacea, but it's a valuable part of any defense-in-depth. Yet 66% of the sites checked weren't automatically updating Windows systems with current antivirus definitions. "The lack of antivirus is one reason why CyberX routinely finds older malware such as WannaCry and Conficker in IoT/ICS networks."
What about the grades, sector by sector? CyberX gives a numerical score. They recommend an 80 as a passing grade, but across the sectors, the grades aren't encouraging. Oil and Gas comes out the best, with a 74. Energy and Utilities is second best, at 70. Manufacturing (63), Pharmaceuticals and Chemicals (62), and Other (62) are the laggards.