Despite the fact that so many aspects of a modern society rely on the proper and uninterrupted operations of critical infrastructure, security flaws across many industrial control systems (ICSs) are largely vulnerable to cyber-attacks.
An attack on industrial organizations’ networks could result in major disruptions, yet a new research report from Positive Technologies found that configuration flaws can allow an attacker to gain control over servers with relative ease.
The research findings are a result of penetration tests and security audits performed on behalf of industrial companies. According to the report, 73% of tested corporate information systems have insufficient perimeter protection against external attacks.
Pen testers gained access to networks and leveraged that foothold to access the broader industrial network containing ICS equipment in 82% of the networks tested.
“Of the attack vectors that enabled penetration of the industrial network from the corporate information system, 67 percent were either low or trivial in difficulty. “
At every industrial company where network penetration was successful, segmentation or traffic-filtering flaws were present. “Implementing these attack vectors would require merely taking advantage of existing configuration flaws in devices and network segmentation, as well as OS vulnerabilities for which exploits are available online,” the report said.
In 64% of cases, these flaws were introduced by administrators and involved remote desktop access.
“Since web applications are not viewed as an integral part of the corporate information system at industrial companies, their security is often neglected.” According to the research, “43 percent of web applications on the perimeter of industrial corporate information systems are characterized by a poor security level.”
Known vulnerabilities in obsolete software created security gaps across all companies. Additionally, every tested company was found to use dictionary passwords, causing the information system perimeter vulnerabilities at industrial companies to be at a high-severity level.
Bob Noel, director of strategic relationships and marketing for Plixer, said, “There are so many attack vectors for cybercriminals today that every organization, especially critical infrastructure, must assume they will be breached.”
To augment security strategies, network traffic analysis should be implemented to look for credential misuse, lateral movement and anomalies in protocols and applications. As was demonstrated by the pen testers, “once cybercriminals gain a foothold, they are able to probe the systems looking for a gateway between the corporate network and the one supporting industrial systems,” Noel said.