Assessing Risks of Internet-Connected ICS in Critical Sectors
As more industries adopt internet connectivity and leverage remote access, the risk of devices being discoverable online increases. Advancements in internet scanning technology, including the proliferation of open-source tools, make it even easier to uncover internet-exposed devices. Overall, this is an advantage for security and IT teams that need to monitor their attack surfaces; however, it can also aid malicious actors.
Recently, security researchers discovered 145,000 industrial control systems (ICS) exposed to the internet, potentially making them prime targets for cyberattacks. To date, no attack has occurred as a result of this discovery, but it highlights the need for increased cybersecurity measures to protect ICS systems against evolving cybersecurity risks.
What happened: How were 145,000 ICS Systems Discovered and Exposed to the Internet
ICS plays a pivotal role in daily life, from power grids to water treatment facilities. Operational Technology (OT), which includes ICS, was historically “offline,” relying on standalone machinery and isolated control systems. The rapid digitization of the economy has led OT and ICS operators to integrate more Internet of Things (IoT) devices into their processes. Connected machinery now enables advanced automation, data analytics, and IoT-driven systems, allowing faster decision-making and optimized production processes. As a result, it is not entirely surprising that 145,000 ICS across 175 countries were found exposed to the public internet, but it is concerning nonetheless.
Among the exposed systems, 38% were located in North America, 35% in Europe and 22% in Asia. In the United States alone, there are 48,000 exposed systems. Devices were accessible on common ICS protocols, including Modbus, Fox, BACnet, WDBRPC (Wind River), EIP, S7 (Siemens), and IEC 60870-5-104, although attack surfaces varied by region.
What is perhaps most surprising is the number of exposed ICS instances that are human-machine interfaces (HMIs). These interfaces allow human operators to monitor, control, and interact with industrial processes and machinery, serving as a bridge between operators and the underlying control systems, such as PLCs, SCADA, or DCS. Unfortunately, HMIs are usually prime targets for cyberattacks.
Why it Matters: Critical Infrastructure Remains a Target for Cyberattacks
According to the research, 34% of HMIs accessible via the C-More protocol are associated with water systems, and 23% are used in agriculture. Critical infrastructure organizations, such as energy and water providers, can be especially vulnerable to cyber threats, as they provide essential services and have little tolerance for operational downtime.
Already, there have been notable examples of cyberattacks against water providers. In 2023, threat actors breached the Municipal Water Authority of Aliquippa, Pennsylvania, by exploiting a vulnerability in the internet-exposed Unitronics programmable logic controllers (PLCs) used for monitoring and regulating water pressure. To mitigate the risk of future attacks, the Cybersecurity and Infrastructure Security Agency (CISA) urged organizations to secure these devices by changing default passwords, applying updates, and disconnecting them from the internet.
The HMIs used to monitor and interact with ICS are increasingly made internet-accessible to support remote access. This makes it all the more necessary for ICS and OT network owners to identify and secure their devices, because internet-exposed ICS can have serious consequences:
- Unauthorized access can disrupt operations, impacting essential services.
- For water systems, unauthorized access could allow malicious actors to compromise water quality.
- Building automation systems (BAS) face risks like temperature control failures, affecting safety.
In short, modern ICS and OT systems provide threat actors with a broad attack surface, and system owners and operators must take steps to secure their digital footprint and strengthen their security posture.
Securing ICS Against Cyber Threats
The National Institute of Standards & Technology (NIST) Guide to Operational Technology (OT) acknowledges that increased wireless networking puts OT implementations (including ICS) at “greater risk from adversaries who are in relatively close physical proximity but do not have direct physical access to the equipment.”
While NIST recommends taking precautions when introducing security solutions to OT environments, there are meaningful risk reduction steps organizations can take. To defend against persistent cyber threats, ICS system owners and operators should:
- Device visibility and monitoring: Step one of any security program is always an inventory of all network-accessible devices. This foundational step provides insight into which OT/IoT devices or systems are discoverable and identifies software or hardware vulnerabilities.
- Change default credentials and harden HMI systems: Many HMI systems still use default credentials, which can easily be brute-forced by threat actors. In addition to updating default credentials, enforce strict access control management to prevent unauthorized remote access to critical ICS.
- Targeted network segmentation: Once a threat actor gains access to a network, they typically try to move laterally to reach other systems or sensitive information. Segment networks to contain malicious activity and enforce strict access controls between segments.
- Use real-time monitoring and anomaly detection: Continuous visibility and monitoring of ICS allows organizations to quickly identify and respond to unusual activities, minimizing the risk of potential attacks and operational disruptions.
- Enforce robust physical security: Despite living in a digital-first world, physical access to critical infrastructure should still be tightly controlled and limited to only those who need direct access to the ICS.
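The first, third and fourth recommendations above (inventory, segmentation and monitoring) can be exercised together against ordinary flow or firewall logs. The following script is an added example, not Asimily's code and not from the research cited in this post: it maps the ICS protocols named above to their conventional default ports (an assumption; deployments can use other ports), treats any source outside RFC 1918 and loopback space as the public internet, and checks internal sources against a hypothetical segmentation policy. The flow records and the allowed-client networks are constructed for the demonstration.

```python
"""Flag internet-exposed ICS services and segmentation violations in flow logs.

Added example; not Asimily's code. Ports, log format and policy are assumptions.
"""
import ipaddress
from collections import defaultdict

# ICS protocols named in the article, mapped to their conventional default ports.
# (Standard defaults, assumed here; deployments can and do use other ports.)
ICS_PORTS = {
    102: "S7 (Siemens, ISO-TSAP)",
    502: "Modbus/TCP",
    1911: "Fox (Niagara)",
    2404: "IEC 60870-5-104",
    17185: "WDBRPC (Wind River)",
    44818: "EtherNet/IP (EIP)",
    47808: "BACnet/IP",
}

# Anything outside these ranges is treated as reachable from the public internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Hypothetical segmentation policy: only these internal networks may reach OT devices.
ALLOWED_OT_CLIENTS = [ipaddress.ip_network("10.20.0.0/16"),   # OT engineering VLAN
                      ipaddress.ip_network("10.30.5.0/24")]   # SCADA / historian servers


def in_any(addr, nets):
    """True if addr belongs to any of the given networks."""
    return any(addr in net for net in nets)


def parse_flow(line):
    """Parse one flow record in the constructed format: 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto.upper(), "dport": int(dport)}


def classify(flow):
    """Return (tag, service) for a flow that hits an ICS port, or None otherwise."""
    service = ICS_PORTS.get(flow["dport"])
    if service is None:
        return None
    if not in_any(flow["src"], INTERNAL_NETS):
        return ("INTERNET_EXPOSED", service)        # device answers to the internet
    if not in_any(flow["src"], ALLOWED_OT_CLIENTS):
        return ("SEGMENTATION_VIOLATION", service)  # internal, but from the wrong segment
    return ("EXPECTED", service)


def build_inventory(lines):
    """Group findings per ICS device so the output doubles as an asset inventory."""
    inv = defaultdict(lambda: {"service": None, "findings": set(), "sources": set()})
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        result = classify(flow := parse_flow(line))
        if result is None:
            continue                      # not an ICS port; ignore
        tag, service = result
        entry = inv[str(flow["dst"])]
        entry["service"] = service
        if tag != "EXPECTED":
            entry["findings"].add(tag)
            entry["sources"].add(str(flow["src"]))
    return dict(inv)


# Constructed sample flow records (not real traffic): src dst proto dport
SAMPLE_FLOWS = """
# historian polling a PLC over Modbus: expected
10.30.5.10 10.50.1.20 tcp 502
# public address reaching the same PLC: exposed to the internet
203.0.113.7 10.50.1.20 tcp 502
# corporate workstation reaching a Siemens S7 PLC: wrong segment
10.80.4.55 10.50.1.21 tcp 102
# web traffic, not an ICS port: ignored
198.51.100.9 10.50.1.20 tcp 443
# public address reaching a BACnet controller
198.51.100.23 10.50.2.5 udp 47808
"""

if __name__ == "__main__":
    for device, info in build_inventory(SAMPLE_FLOWS.splitlines()).items():
        status = ", ".join(sorted(info["findings"])) or "ok"
        print(f"{device:15} {info['service']:28} {status}")
```

Run against real exports, the per-device table is the inventory the first recommendation calls for; the INTERNET_EXPOSED tag is the signal to pull the device behind a VPN or firewall, and SEGMENTATION_VIOLATION shows where the policy in the third recommendation is not being enforced.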
How Asimily Helps Secure ICS
ICS no longer exists in offline, protected environments. Over time, these systems will likely continue to evolve to more closely resemble traditional IT environments, which inevitably means more internet-connected devices. However, increased connectivity doesn’t have to spell cyber disaster, not with the right partner.
Asimily is a trusted partner for industrial solutions. Our comprehensive platform is designed to meet the unique needs of both ICS and OT security, such as continuous flow processes and uncommon device protocols. With Asimily, you get targeted protection and continuous monitoring of your entire environment. Asimily’s inventory and vulnerability detection capabilities are built to monitor traffic to and from ICS and proactively identify issues.
In the event of a security incident, our platform, with its rapid response features, quickly captures packets to aid incident responders. With Asimily, teams can keep a handle on their ICS attack surface and ensure they are as safe as possible, providing a sense of reassurance.
To learn more about Asimily, download our whitepaper, IoT Device Security in 2024: The High Cost of Doing Nothing, or contact us today.