
Six key security weaknesses in industrial systems

Organisations should mitigate six key vulnerabilities in industrial control systems to reduce the risk of cyber attack, warns security firm FireEye

Cyber attackers could exploit six common weaknesses in industrial systems typically used in electric utilities, petrol companies and manufacturing plants, a report warns.

Manufacturing organisations invest heavily in industrial control systems (ICS) to operate industry processes efficiently, reliably and safely, but board members, executives and security officers are often unaware that the technology at the core of business operations invites undetected subversion, according to the FireEye report.

FireEye iSIGHT Intelligence counted just 149 ICS vulnerability disclosures that were made between January 2000 and December 2010. By mid 2016, FireEye had counted 1,552.

With the number of devices on the network continuing to rise exponentially, what is already an upward trend in the number of ICS vulnerabilities could become a disaster waiting to happen, warns FireEye.

The report describes six key weaknesses that an adversary can use to undermine an industrial plant’s operation, which are outlined below.

1. Unauthenticated protocols

When an ICS protocol lacks authentication, any computer on the network can send commands that alter the physical process. This may lead to incorrect process operation, which damages goods, destroys plant equipment, harms personnel, or degrades the environment.

FireEye recommends that organisations:

  • Identify all unauthenticated protocols in use on process control networks to provide understanding of vulnerability level.
  • Assess whether current equipment can support authentication options.
  • Implement authentication options where feasible, such as DNP3 Secure Authentication.
  • Assess whether the controlled process can withstand latency introduced by bump-in-the-wire authentication systems.
  • Implement bump-in-the-wire authentication systems or VPNs.
  • Incorporate deep packet ICS firewalls that block unauthorised commands from certain IP addresses.
  • Configure restrictive access control lists and firewall rules.
  • Request authentication features from suppliers.
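The recommendation to block unauthorised commands at the network layer rests on pairing the command type with the sender's address. As an added illustration that is not from the FireEye report, the Python below does this for Modbus/TCP (assumed here as a representative unauthenticated ICS protocol): it parses the MBAP header, recognises the function codes that write to coils or registers, and flags writes from any host outside a hypothetical allowlist. The allowlist addresses and the three sample frames are constructed.

```python
import struct

# Modbus function codes that change coils or registers, i.e. alter the process.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# Hypothetical allowlist: only the HMI and the engineering workstation may write.
WRITE_ALLOWLIST = {"10.0.1.10", "10.0.1.20"}


def parse_mbap(frame: bytes):
    """Return (unit_id, function_code, payload) from one Modbus/TCP frame.

    MBAP header: transaction id (2 bytes), protocol id (2, must be 0),
    length (2, bytes that follow the length field), unit id (1).
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("not Modbus/TCP (protocol id != 0)")
    if len(frame) != 6 + length:
        raise ValueError("MBAP length field does not match frame size")
    return unit, frame[7], frame[8:]


def check_frame(src_ip: str, frame: bytes) -> str:
    """Classify one frame as 'read', 'write-allowed' or 'write-blocked'."""
    _unit, fc, _data = parse_mbap(frame)
    if fc not in WRITE_FUNCTION_CODES:
        return "read"
    return "write-allowed" if src_ip in WRITE_ALLOWLIST else "write-blocked"


# Constructed sample traffic: (source address, raw Modbus/TCP frame)
SAMPLE_FRAMES = [
    # FC 3 Read Holding Registers (start 0, count 10) from an unknown host
    ("10.0.2.55", bytes.fromhex("00010000000601030000000a")),
    # FC 6 Write Single Register (addr 0x0010 = 0x0100) from the HMI
    ("10.0.1.10", bytes.fromhex("000200000006010600100100")),
    # FC 16 Write Multiple Registers from an unknown host: should be blocked
    ("10.0.2.55", bytes.fromhex("00030000000b0110000000020400010002")),
]


def audit(frames=SAMPLE_FRAMES):
    """Return a (source, verdict) list for each frame, for logging or blocking."""
    return [(src, check_frame(src, f)) for src, f in frames]


if __name__ == "__main__":
    for src, verdict in audit():
        print(f"{src:12} {verdict}")
```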

2. Outdated hardware

ICS hardware can be operational for decades. This hardware may operate too simplistically or lack the processing power and memory to handle the threat environment presented by modern network technology.

FireEye recommends that organisations consider upgrades for older devices that have network connectivity and support critical process control functions; and implement firewall rules to minimise network connectivity of devices with outdated hardware.

3. Weak user authentication

User authentication weaknesses in legacy control systems often include hard-coded passwords, easily cracked passwords, passwords stored in easily recoverable formats, and passwords sent in clear text. An attacker who obtains these passwords can often interact with the controlled process at will, the report said.


FireEye recommends that organisations match their internal ICS device inventory against a list of devices known to have hard-coded passwords, and monitor device logs and network traffic for attempts to exploit password weaknesses.

4. Weak file integrity checks

A lack of software signing, which confirms the software author and guarantees that the code has not been altered or corrupted, allows attackers to mislead users into installing software that did not originate from the vendor. It also allows attackers to replace legitimate files with malicious ones.

FireEye recommends that organisations:

  • Configure the operating system to only run signed code.
  • Test software and updates in a simulated environment prior to production deployment.
  • Obtain software/firmware directly from the supplier and not third parties.
  • Work closely with supplier support to obtain file hashes and check hashes manually.
  • Configure programmable logic controller (PLC) access protection if available.

5. Vulnerable Windows operating systems

Industrial systems often run unpatched Microsoft Windows operating systems, leaving them exposed to known vulnerabilities.

FireEye recommends that organisations maintain an inventory of operating systems used in the industrial environment that are unpatched or no longer supported, and plan to upgrade or apply patches during maintenance downtime in accordance with ICS supplier guidance.

It also recommends companies deploy compensating controls for vulnerabilities affecting these systems, especially when the vulnerabilities are known to have been exploited in the wild.

6. Undocumented third-party relationships

Many ICS suppliers may not immediately know the third-party components they use, making it difficult for them to inform their customers of the vulnerabilities. Adversaries who understand these dependencies can target software the industrial firm may not even know it has.

FireEye recommends that organisations:

  • Request or require that ICS suppliers provide a list of third-party software and versions used in their products, including open-source software.
  • Examine ICS products to identify third-party software before operational deployment.
  • Review vulnerability repositories, such as the National Vulnerability Database, to identify vulnerabilities affecting the third-party software.
  • Obtain a structured vulnerability feed to receive notifications of vulnerability disclosures affecting those third-party products.
  • Request or require that the supplier provide notification of vulnerabilities affecting third-party software.
  • Request or require that suppliers validate patches for the third-party software to ensure interoperability.

“Industrial plants have quickly become much more reliant on connected systems and sensors for their operations, yet the cyber security of most plants is not nearly as strong as it needs to be,” said Sean McBride, attack synthesis lead analyst at FireEye and author of the report.

“A clear understanding of the common weaknesses in plant environments helps corporate boards, executives and security officers engage in knowledgeable conversation about security, ask discerning questions, and make sound investments,” he said.
