Vulnerabilities in industrial control systems exposed

Industrial Control Systems (ICS) are not supposed to be connected to the internet, Kaspersky Lab says, because doing so opens a sea of opportunity for hackers. Such systems are run by energy, transportation, aerospace, oil and gas, chemicals, automotive and manufacturing, food and drink, governmental, financial and medical institutions, and should, for the sake of security, be run in a physically isolated environment.

However, Kaspersky Lab says that is not the case, and that it has found 13,698 ICS hosts exposed to the internet, which very likely belong to large organisations.

More than nine in ten (91.1 per cent) of these hosts have remotely exploitable vulnerabilities, and 3.3 per cent contain ‘critical and remotely executable vulnerabilities’.

“Our research shows that the larger the ICS infrastructure, the bigger the chance that it will have severe security holes. This is not the fault of a single software or hardware vendor. By its very nature, the ICS environment is a mix of different interconnected components, many of which are connected to the Internet and contain security issues,” said Andrey Suvorov, Head of Critical Infrastructure Protection, Kaspersky Lab.

“There is no 100 per cent guarantee that a particular ICS installation won’t have at least one vulnerable component at any single moment in time. However, this doesn’t mean that there is no way to protect a factory, a power plant, or even a block in a smart city from cyber-attacks. Simple awareness of vulnerabilities in the components used inside a particular industrial facility is the basic requirement for security management of the facility. That was one of the goals behind our report: to bring awareness to interested audiences.”

Kaspersky advises ICS hosts to conduct security audits, request external intelligence and provide protection inside as well as outside the perimeter.

Advanced methods of protection should also be evaluated, it was said.