Security flaws, failure to patch, and the use of insecure protocols are contributing to a growing number of weaknesses in systems used to automate critical infrastructure processes, according to a new study by Kaspersky Lab.
With its new specialised security product for industrial control systems, Kaspersky Lab researchers have probed the internet for companies that may need its protection.
Using the Shodan search engine, the researchers found 220,668 industrial control system (ICS) components on the web, located on 188,019 hosts in 170 countries across North America, Europe and the Asia Pacific.
That they were discoverable isn’t necessarily a problem, however the researchers also found there were 13,033 vulnerabilities on 11,882 of the hosts. Nearly all the vulnerable devices were Sunny WebBox units made by German manufacturer SMA Solar Technology. The device was found to have a hard-coded password flaw last year. ICS-CERT at the time advised users to ensure the device was not accessible from the Internet, isolated from business networks, and if remote access was required to use a VPN.
Kaspersky contends that isolation as a method for protecting ICS devices is increasingly difficult due to the attractiveness of increased automation made possible by networking them. At the same time, a handful of malware attacks on critical infrastructure providers has shown that hackers are probing the internet for bugs to exploit, such as the BlackEnergy malware that was thought to have caused blackouts in Ukraine last year. Kaspersky notes that exploits are available for 26 of the ICS flaws reported in 2015.
While the most common flaws in products themselves were buffer overflows, hard-coded credentials, and cross-site scripting, the most common problem the researchers found was the use of insecure network protocols. Of the ICS components Kaspersky found, 91.6 percent were using inherently insecure protocols, such as unencrypted HTTP connections.
Just as in conventional computer security, the firm notes that securing ICS devices requires effort on the part of owners and manufacturers. Kaspersky’s analysis found that manufacturers had provided fixes for 85 percent of known bugs, while five percent remained un-patched. The remainder of unfixed issues covered obsolete products and partially fixed bugs.