The latest ICS-CERT Monitor leads with an article voicing increased concern over industrial control systems (ICS) that remain exposed to the Internet through remote access tools, exposure that brings an “increased risk of cyber attacks including scanning, probes, brute force attempts and unauthorized access to your control environment.”
“Internet facing devices have become a serious concern over the past few years with remote access demands giving way to insecure or vulnerable configurations. Tools, such as SHODAN, Google and other search engines, enable researchers and adversaries to easily discover and identify a variety of ICS devices that were not intended to be Internet facing,” the publication states.
The agency says that the accumulated knowledge obtained from continuous scanning and cataloging of Internet facing ICS systems and devices susceptible to bugs like Heartbleed, together with the availability of ICS-specific search terms used to identify vulnerable systems, has drastically lowered the level of expertise required to identify at-risk networks.
“The availability of this information, coupled with the aforementioned tools, lowers the level of knowledge required to successfully locate Internet facing control systems,” ICS-CERT said.
In May of this year, the agency confirmed several recent attacks against ICS targets including an unnamed public utility that was breached by a sophisticated threat actor who gained unauthorized access to its network because control system assets were accessible through Internet facing hosts.
The systems were configured with remote access capabilities protected only by a simple password mechanism, an authentication method that was susceptible to typical brute force attack techniques.
“As tools and adversary capabilities advance, we expect that exposed systems will be more effectively discovered, and targeted by adversaries. Clearly, it has become more important for asset owners and operators to audit their network configurations and properly install their ICS devices behind patched VPNs or firewalls,” the agency stated.
ICS-CERT recommends ICS administrators adhere to the following:
- Minimize network exposure for all control system devices. In general, locate control system networks and devices behind firewalls and isolate them from the business network
- When remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices
- Remove, disable or rename any default system accounts wherever possible
- Implement account lockout policies to reduce the risk from brute forcing attempts
- Establish and implement policies requiring the use of strong passwords
- Monitor the creation of administrator level accounts by third-party vendors
- Apply patches in the ICS environment, when possible, to mitigate known vulnerabilities
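One way to implement the account lockout and brute-force monitoring the list calls for, as an added example that is not ICS-CERT's code: a Python script that parses constructed remote-access gateway log lines (a hypothetical format) and applies a sliding-window lockout policy, flagging any successful login that lands while the account is locked.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in a hypothetical remote-access gateway format (not from the page).
SAMPLE_LOG = """\
2014-06-10T08:00:01 host=rdp-gw src=203.0.113.7 user=admin result=FAIL
2014-06-10T08:00:03 host=rdp-gw src=203.0.113.7 user=admin result=FAIL
2014-06-10T08:00:05 host=rdp-gw src=203.0.113.7 user=admin result=FAIL
2014-06-10T08:00:07 host=rdp-gw src=203.0.113.7 user=admin result=FAIL
2014-06-10T08:00:09 host=rdp-gw src=203.0.113.7 user=admin result=FAIL
2014-06-10T08:00:11 host=rdp-gw src=203.0.113.7 user=admin result=SUCCESS
2014-06-10T08:30:00 host=rdp-gw src=198.51.100.4 user=operator result=FAIL
2014-06-10T09:15:00 host=rdp-gw src=198.51.100.4 user=operator result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Parse log lines into dicts with a datetime timestamp; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def evaluate(events, threshold=5, window=timedelta(minutes=15)):
    """Sliding-window lockout per (host, user): `threshold` failures inside `window` lock the
    account for `window`; a SUCCESS while locked is flagged as a likely brute-force hit."""
    failures = defaultdict(list)   # (host, user) -> timestamps of recent failures
    locked_until, lockouts, flagged = {}, [], []
    for ev in events:
        key, now = (ev["host"], ev["user"]), ev["ts"]
        if now < locked_until.get(key, now):          # account currently locked
            if ev["result"] == "SUCCESS":
                flagged.append((key, ev["src"], now))
            continue
        if ev["result"] == "FAIL":
            failures[key] = [t for t in failures[key] if now - t <= window] + [now]
            if len(failures[key]) >= threshold:
                locked_until[key] = now + window
                lockouts.append((key, ev["src"], now))
                failures[key] = []
        else:
            failures[key] = []                        # a normal success clears the counter
    return lockouts, flagged
```

The operator's single failure followed by a later success produces no alert, while the admin burst locks the account and the success that follows is flagged for review.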
“ICS-CERT strongly encourages taking immediate defensive action to secure ICSs by using defense-in-depth principles. Audit your networks for Internet facing devices, weak authentication methods, and component vulnerabilities. Understand the usage of tools, such as SHODAN and Google, and leverage those platforms to enhance awareness of the Internet accessible devices that might exist within your infrastructure.”