Around the world, critical national infrastructure (CNI) such as transport, energy and essential manufacturing is run on legacy networks. Unlike the fast-moving realm of modern IT environments, the operational technology (OT) underpinning these systems was built to last, with a lifespan usually measured in decades. As a consequence, many of the systems being relied on for CNI have been in use for more than 25 years.
While normal IT systems must continually evolve and develop to stave off the threat of cyber-attacks, OT systems have been able to remain relatively static by using air gapping as their primary defense. With no connection to the wider internet, there was previously no way for a threat actor to interfere without physically accessing the machinery.
This has all changed in recent years, however, as more CNI is brought into the digital age and interconnected with standard IT systems. For all industries, the efficiency and agility of digital connectivity suddenly changed from a competitive advantage to a necessity over the last year due to the need for remote working.
However, this rapid digitalization has left many of the core systems underpinning CNI vulnerable to cyber-attack. Without the protection provided by air gapping, the control systems such as supervisory control and data acquisition (SCADA) that run these essential machines are an easy target for threat actors. Indeed, our recent investigation found that there are thousands of unprotected devices around the world, and the number has grown sharply.
What are the threats to CNI?
The reason these control systems are so vulnerable to cyber-attack is that they are almost entirely incompatible with standard IT security solutions. This means it is impossible to effectively perform basic activities such as scanning for signs of intrusion or compromise. However, security teams often make the mistake of assuming they can simply clone their existing IT security strategy and apply it to their OT systems.
As highlighted in a joint advisory from CISA and the NSA last year, there is an elevated risk from sophisticated attacks exploiting this weakness to target critical infrastructure. The advisory recommended that all organizations managing OT systems take immediate action to reduce their exposure to cyber threats. Some of the most prominent threats included connecting to internet-accessible programmable logic controllers (PLCs) with no authentication requirements, the use of spear phishing to obtain initial access to the IT network before pivoting to the OT network, and the use of malware to encrypt data on both IT and OT systems.
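Because protocols such as Modbus/TCP carry no authentication, the only place a defender can tell an authorised engineering change from an intruder's command is on the wire: who sent it, and whether the function code changes PLC state. The script below is an added example (not from the original article or the CISA/NSA advisory) of that monitoring check. It parses the MBAP header and function code of Modbus/TCP frames taken from a network tap and flags every write request that did not originate from an approved engineering host. The frames, the OT zone range and the approved host address are all constructed for illustration.

```python
"""Flag Modbus/TCP write requests that do not come from an approved engineering host.

Added example, not code from the original article. Zone layout, approved hosts and
the sample frames below are constructed; the function codes are from the public Modbus spec.
"""
import struct
from ipaddress import ip_address, ip_network

# Modbus function codes that change PLC state (public Modbus application protocol spec).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

# Constructed zone layout: the OT network and the one workstation allowed to write to PLCs.
OT_ZONE = ip_network("10.20.0.0/16")
APPROVED_WRITERS = {ip_address("10.20.1.10")}


def parse_mbap(frame: bytes):
    """Return (transaction_id, unit_id, function_code), or None if the frame is malformed.

    MBAP header: transaction id (2 bytes), protocol id (2, always 0 for Modbus),
    length (2, bytes that follow the length field), unit id (1); the PDU starts
    with the function code.
    """
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return tid, unit, frame[7]


def classify(src: str, dst: str, frame: bytes) -> str:
    """Verdict for one frame: malformed, read, write-approved, write-unapproved or write-external."""
    parsed = parse_mbap(frame)
    if parsed is None:
        return "malformed"
    _, _, fc = parsed
    if fc not in WRITE_FUNCTIONS:
        return "read"
    src_ip = ip_address(src)
    if src_ip in APPROVED_WRITERS:
        return "write-approved"
    if src_ip in OT_ZONE:
        return "write-unapproved"   # inside OT but not an engineering host
    return "write-external"         # IT zone or internet: the pivot the advisory warns about


def scan(flows):
    """Return one alert line per write request that was not sent by an approved host."""
    alerts = []
    for src, dst, frame in flows:
        verdict = classify(src, dst, frame)
        if verdict.startswith("write-") and verdict != "write-approved":
            fc = frame[7]
            alerts.append(f"{verdict}: {src} -> {dst} {WRITE_FUNCTIONS[fc]} (fc {fc})")
    return alerts


# Constructed sample frames: read holding registers, write single coil, write multiple registers.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000A".replace(" ", ""))
WRITE_COIL = bytes.fromhex("0002 0000 0006 01 05 0013 FF00".replace(" ", ""))
WRITE_REGS = bytes.fromhex("0003 0000 000B 01 10 0001 0002 04 000A 0102".replace(" ", ""))

# Constructed flow records: (source IP, destination PLC IP, Modbus/TCP payload).
SAMPLE_FLOWS = [
    ("10.20.1.10", "10.20.5.1", READ_HOLDING),  # engineering host reads: normal
    ("10.20.1.10", "10.20.5.1", WRITE_COIL),    # engineering host writes: approved
    ("10.20.7.44", "10.20.5.1", WRITE_COIL),    # unknown OT host writes: alert
    ("192.0.2.55", "10.20.5.1", WRITE_REGS),    # source outside the OT zone writes: alert
]

if __name__ == "__main__":
    for line in scan(SAMPLE_FLOWS):
        print(line)
```

The check deliberately keys on the source address rather than on anything inside the Modbus frame, because the protocol itself gives the PLC nothing to verify. In practice the flow records would come from a tap or span port feeding the specialised OT monitoring toolset the article recommends, and the approved-writer list would be maintained alongside the asset inventory.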
Which systems are vulnerable?
To understand the scale of the cyber threat facing CNI, A&O IT Group used the search engine Shodan to search for connected devices, focusing on six groups of devices using SCADA, one of the most prominent control systems for CNI.
Since our investigations commenced in January 2020, we saw a marked increase in the number of devices across all six groups, likely as a result of remote working practices implemented in the wake of Covid. Worryingly, there was also a sharp increase in the number of vulnerable systems – in total 43,546 unprotected devices were discovered. The bulk of these were using protocols produced by Tridium (15,706) and BACnet (12,648). The rest consisted of protocols from Ethernet IP (7,237); Modbus (5,958); S7 (1,480) and DNP (517).
Modbus and S7 are both mature technologies that have demonstrated continuous improvement to their security posture – perhaps as the result of many years in the public eye. However, other SCADA protocols appear to have made no concessions to cyber security at all.
How the SCADA attack surface varies around the world
Our investigations also found some marked differences in SCADA vulnerabilities around the world. The United States had by far the biggest attack surface, with a total of 25,523 unprotected devices – more than half of all those we detected. The US was also home to the highest concentration of each of the different unprotected SCADA systems we searched for, with the exception of S7, which was more prevalent in Germany.
However, it should also be noted that a large number of the S7 devices in the US are actually Conpot honeypots, designed to lure in threat actors and help security analysts understand their tactics. This indicates a high level of security alertness, in keeping with the joint advisory from CISA and the NSA.
Outside of the US, Canada was found to be home to the largest number of unprotected devices. Several European countries, including Spain, Germany, France and the UK, all had sizeable attack surfaces as well.
Visibility and control are essential to securing CNI
The presence of tens of thousands of unprotected SCADA systems around the world represents a serious threat against the critical national infrastructure at the heart of keeping a country functioning. However, the good news is that, while the incompatible nature of OT and IT presents a challenge to security, it is not insurmountable and there are several actions that key industries such as energy and manufacturing can take.
First and foremost, organizations must ensure that they have visibility of the assets on their network. As it only takes a single vulnerable device to provide an attack path into the environment, it is imperative that security teams can discover all devices and assess their security level. Thoroughly mapping the entire network will ensure that there are no unknown devices introducing critical vulnerabilities. Further, the team should maintain a constantly updated list of all active and dormant assets to keep track of possible vulnerabilities as infrastructure develops and grows.
Alongside this, organizations must ensure they have implemented proper safeguards to secure their infrastructure. While the pure air-gapping of previous years is no longer viable in a digital, remote-orientated world, OT devices should be isolated from the general IT network. This can best be achieved with a second firewall, establishing two networks that are “separate but together”. This strategy must be backed up with continuous security monitoring across all networks and environments. Where standard security solutions cannot interface with OT systems, organizations must invest in specialized toolsets to ensure there are no blind spots.
Finally, it is imperative to carry out continuous improvements to networks. Security is never a “one and done” exercise, even with the relatively slow-moving world of operational technology. Any relevant firmware patches must be applied to all switches and firewalls as soon as they have been tested, with the priority being perimeter devices such as firewalls and machines that must still be exposed to the internet. In addition, strong internal controls should be applied and constantly maintained to restrict untrusted traffic. A rule of least privilege should be maintained for all users and devices to minimize the damage that can be done by an intruder hijacking credentials via phishing.
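The three steps above (know every asset, keep OT "separate but together" behind its own firewall, and keep reviewing) can be turned into a repeatable check. The script below is an added example, not code from the article or from A&O IT Group: it takes an asset inventory and a firewall ruleset, flags devices that speak an OT protocol but sit outside the OT zone or have gone stale, and then verifies that each OT service is reachable only from a designated engineering host and not from the general IT network or the internet. The inventory, zone ranges, hosts and rules are constructed; the port table uses the standard registered ports of the protocols counted in the investigation.

```python
"""Check an OT asset inventory against a segmentation policy.

Added example, not from the original article. Assets, zones, hosts and rules are
constructed; OT_PROTOCOL_PORTS lists the standard ports of the protocols named in the text.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

OT_PROTOCOL_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    47808: "BACnet/IP",
    44818: "EtherNet/IP",
    20000: "DNP3",
    1911: "Tridium Niagara Fox",
}

# Constructed zone layout and probe addresses.
ZONES = {"ot": ip_network("10.20.0.0/16"), "it": ip_network("10.10.0.0/16")}
ENGINEERING_HOST = "10.10.9.5"    # the only IT-side host allowed through the OT firewall
GENERIC_IT_HOST = "10.10.3.77"    # an ordinary workstation, used as the "should be denied" probe
EXTERNAL_HOST = "192.0.2.10"      # documentation range, stands in for the internet
STALE_AFTER_DAYS = 30             # inventory entries older than this need a human to confirm them


@dataclass
class Asset:
    name: str
    ip: str
    open_ports: frozenset
    last_seen_days: int


@dataclass
class Rule:
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    port: Optional[int]  # None matches every port
    action: str          # "allow" or "deny"


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def _contains(cidr: str, ip: str) -> bool:
    return cidr == "any" or ip_address(ip) in ip_network(cidr)


def decide(rules, src: str, dst: str, port: int) -> str:
    """First-match evaluation with an implicit final deny, as most firewall engines do."""
    for r in rules:
        if _contains(r.src, src) and _contains(r.dst, dst) and r.port in (None, port):
            return r.action
    return "deny"


def inventory_findings(assets):
    """Visibility step: OT protocols outside the OT zone, and entries nobody has seen lately."""
    findings = []
    for a in assets:
        ot_ports = sorted(p for p in a.open_ports if p in OT_PROTOCOL_PORTS)
        if ot_ports and zone_of(a.ip) != "ot":
            names = ", ".join(OT_PROTOCOL_PORTS[p] for p in ot_ports)
            findings.append(f"{a.name} ({a.ip}) speaks {names} but sits in zone '{zone_of(a.ip)}'")
        if a.last_seen_days > STALE_AFTER_DAYS:
            findings.append(f"{a.name} ({a.ip}) not seen for {a.last_seen_days} days: confirm retired or still patched")
    return findings


def segmentation_findings(rules, assets):
    """Control step: every OT service reachable from the engineering host only."""
    findings = []
    for a in assets:
        if zone_of(a.ip) != "ot":
            continue
        for port in sorted(p for p in a.open_ports if p in OT_PROTOCOL_PORTS):
            proto = OT_PROTOCOL_PORTS[port]
            if decide(rules, GENERIC_IT_HOST, a.ip, port) == "allow":
                findings.append(f"{a.name}: {proto} reachable from the general IT network")
            if decide(rules, EXTERNAL_HOST, a.ip, port) == "allow":
                findings.append(f"{a.name}: {proto} reachable from the internet")
            if decide(rules, ENGINEERING_HOST, a.ip, port) != "allow":
                findings.append(f"{a.name}: engineering host blocked from {proto}; expect an unofficial path to appear")
    return findings


# Constructed inventory: two PLCs, a building controller plugged into the IT LAN, and a long-idle HMI.
ASSETS = [
    Asset("plc-line1", "10.20.5.1", frozenset({502}), 0),
    Asset("plc-press", "10.20.5.2", frozenset({102}), 1),
    Asset("bms-ctl", "10.10.40.12", frozenset({47808, 80}), 0),
    Asset("hmi-old", "10.20.6.9", frozenset({502, 3389}), 95),
]

# Constructed rulesets: the correct order, and a common mistake where a broad IT allow precedes the OT deny.
GOOD_RULES = [
    Rule(ENGINEERING_HOST + "/32", "10.20.0.0/16", None, "allow"),
    Rule("any", "10.20.0.0/16", None, "deny"),
    Rule("10.10.0.0/16", "any", None, "allow"),
]
WEAK_RULES = [
    Rule("10.10.0.0/16", "any", None, "allow"),
    Rule("any", "10.20.0.0/16", None, "deny"),
]

if __name__ == "__main__":
    for f in inventory_findings(ASSETS) + segmentation_findings(WEAK_RULES, ASSETS):
        print(f)
```

Running the check against `GOOD_RULES` produces no segmentation findings, while `WEAK_RULES` shows every PLC reachable from any IT workstation, which is exactly the phishing-then-pivot path the advisory describes. Re-running it after each firewall or inventory change is the "continuous improvement" the article asks for, in a form that can sit in a scheduled job.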
Once organizations have established full visibility and control of their OT systems, they will be much better equipped to identify and shut down cyber threats attempting to exploit the blind spots between the two networks. As threat actors continue to launch more sophisticated targeted attacks, those thousands of SCADA systems we detected must be protected as soon as possible before a major incident occurs.
Richard Hughes, Head of Technical Cyber Security, A&O IT Group