Six key vulnerabilities have been identified within industrial control systems that adversaries can use to undermine critical infrastructure operations.
Industrial enterprises don't exist without investing in the technology of industrial control systems (ICS) to efficiently, reliably and safely operate industrial processes.
Board members, executives and security officers are often unaware that the technology operating the economic engine of their business invites undetected subversion.
The six key weaknesses, reported by FireEye, are:
Unauthenticated protocols: When an ICS protocol lacks authentication, any network computer can send commands that alter the physical process, which can lead to incorrect process operation.
Outdated hardware: ICS hardware, which can operate for decades, may operate too simplistically or lack the processing power and memory to handle the threat-environment that modern network technology presents.
Weak user authentication: User authentication weaknesses in legacy control systems often include hard-coded passwords, easily cracked passwords, passwords stored in easily recoverable formats, and passwords sent in clear text. An attacker who obtains these passwords can often interact with the controlled process at will.
Weak file integrity checks: Lack of signing allows cyber-criminals to mislead users into installing software that didn't come from the vendor. It also allows attackers to replace legitimate files with malicious ones.
Vulnerable Windows operating systems: Industrial systems often run unpatched Microsoft Windows operating systems, leaving them exposed to known vulnerabilities.
Undocumented third-party relationships: Many ICS vendors may not know the third-party components they use right away, making it hard for them to inform customers of the vulnerabilities. Adversaries can target software the industrial firm may not know it has.
FireEye recommends organisations take steps to mitigate each of these issues, available here.
“Industrial plants have quickly become much more reliant on connected systems and sensors for their operations, yet the cyber-security of most plants is not nearly as strong as it needs to be. A clear understanding of the common weaknesses in plant environments helps corporate boards, executives and security officers engage in knowledgeable conversation about security, ask discerning questions, and make sound investments,” said Sean McBride, attack synthesis lead analyst at FireEye.