Critical infrastructure at risk

16 December 2020

Researchers have identified over 43,000 unprotected SCADA devices in operation across the globe.

Research from A&O IT Group finds that the number of IoT/SCADA devices connected to the public internet without appropriate security measures in place is increasing, leaving these critical devices exposed to attack and hacking attempts.

Despite a number of high-profile attacks on SCADA systems, the majority of devices and protocols are still not robustly protected; however, some – particularly Modbus and S7 – are being taken more seriously from a security perspective.
“Since our last investigation in January 2020, the number of unprotected SCADA devices has increased, highlighting a gap between the connectivity of these devices and security,” said Hodei Lopez, security consultant at A&O IT Group. The increase seems to be linear across all protocols, and one theory is that this could be a consequence of making systems available to a remote workforce due to the COVID-19 pandemic. 

Researchers scanned for unprotected devices on Shodan, focussing on six groups of SCADA devices, which together came to 43,546 unprotected devices – Tridium (15,706); BACnet (12,648); Ethernet IP (7,237); Modbus (5,958); S7 (1,480); DNP (517). “We have seen a rise in the number of IoT/SCADA devices connected to the internet, but there is a real mixture when it comes to their security. Some users of protocols such as Modbus and S7 are demonstrating improvements in their security posture, but others are not seeming to consider security at all,” continued Lopez.
Through their research, the A&O IT Group team found that the United States has the largest attack surface, with a total of 25,523 unprotected devices, and the highest number of unprotected Modbus (1,445), Tridium (10,483), DNP (294), BACnet (8,146) and Ethernet IP (4,843) devices. The only one of the six device groups where the US does not lead is S7, where it is a close second with 312 devices vs. Germany’s 321. Furthermore, many of the S7 devices in the US are Conpot honeypots, indicating a higher level of alertness. This backs up the joint advisory from CISA and the NSA released in July of this year, which warned that the US should expect more sophisticated IoT attacks and malware.
Others high up the list of the top ten countries with unprotected devices include Canada as well as a number of European countries such as Spain, Germany, France and the United Kingdom. 
“Critical infrastructure runs on legacy networks which previously were air gapped by being kept separate from the IT network. Now due to an increasing demand for connectivity and the ability to work remotely, these legacy networks, which are often 25+ years old, are becoming connected. As a result, this infrastructure that essentially runs the world has been opened up to a number of vulnerabilities and other security issues, leaving them open to cyber attack.
“Due to these previously stand-alone legacy networks now being connected to IT networks, cyber security for critical infrastructure is vital but somewhat lagging, and the first mistake security teams make is assuming that they can implement operational technology (OT) security by cloning their existing IT security strategy, but this is simply not the case,” said Lopez. “However, there is a lot organisations in industries such as manufacturing, production and energy can do to protect themselves, starting with visibility. In order to secure their entire infrastructure, it’s vital that organisations have a clear view of all of their assets connected to the network. Without this, vulnerabilities will be missed and provide an attacker with a clear path into the network.”

What else can organisations do to protect themselves? Firstly, as mentioned, visibility is key: security teams need to know what assets are on their network so that they are not compromised through unknown vulnerable devices. The importance of mapping the network and keeping a constantly updated, live list of active and dormant assets should not be underestimated.
Secondly, the importance of having a proper, secure infrastructure cannot be overstated. OT devices should be isolated from the company’s general IT network, usually behind a second firewall. The idea is that the networks are “separate but together”, not just one big network. Continuous security monitoring of the network and environment is also critical.  

Finally, continuous improvement of the networks is necessary. Firmware patches should be applied to firewalls and switches as soon as possible after testing, with perimeter devices (such as firewalls or machines exposed to the internet) as the priority. Strong internal controls should be applied to restrict traffic that is not trusted, and networks should always follow the rule of least privilege, not only for devices, but for users as well.
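The visibility step above (a live inventory of active and dormant assets, reconciled against what is actually listening on the network) can be turned into a simple check. The following is an added example, not A&O IT Group's tooling: it reconciles a constructed OT inventory against constructed scan output for the default ports of the six protocol families the article counts (Modbus/TCP 502, S7comm 102, BACnet/IP 47808, DNP3 20000, EtherNet/IP 44818, Tridium Niagara Fox 1911) and reports unknown devices, known devices exposing an unexpected SCADA service, and active assets that have gone quiet. All IPs, names and scan lines are made up.

```python
"""Reconcile an OT asset inventory against an internal port scan (constructed data)."""

# Default ports for the six SCADA protocol families discussed in the article.
SCADA_PORTS = {
    502: "Modbus/TCP", 102: "S7comm", 47808: "BACnet/IP",
    20000: "DNP3", 44818: "EtherNet/IP", 1911: "Tridium Niagara Fox",
}

# Constructed inventory: what the OT team believes is on the segment.
INVENTORY = {
    "10.10.1.10": {"name": "PLC-line1", "proto": "Modbus/TCP", "status": "active"},
    "10.10.1.11": {"name": "PLC-line2", "proto": "S7comm", "status": "active"},
    "10.10.1.20": {"name": "HVAC-ctrl", "proto": "BACnet/IP", "status": "active"},
    "10.10.1.40": {"name": "RTU-spare", "proto": "DNP3", "status": "dormant"},
}

# Constructed scan output, one "ip port/proto state" line per result.
SCAN_LINES = """\
10.10.1.10 502/tcp open
10.10.1.11 102/tcp open
10.10.1.11 502/tcp open
10.10.1.30 44818/tcp open
10.10.1.30 1911/tcp open
10.10.1.30 80/tcp closed
"""


def parse_scan(text):
    """Return {ip: set(open_ports)}, ignoring malformed or non-open lines."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "open":
            continue
        port = int(parts[1].split("/")[0])
        seen.setdefault(parts[0], set()).add(port)
    return seen


def reconcile(inventory, scan):
    """Three findings the visibility step should surface."""
    findings = {"unknown": [], "unexpected_service": [], "missing": []}
    for ip, ports in scan.items():
        scada = {SCADA_PORTS[p] for p in ports if p in SCADA_PORTS}
        if ip not in inventory:                      # device nobody documented
            findings["unknown"].append((ip, sorted(scada)))
            continue
        extra = scada - {inventory[ip]["proto"]}     # e.g. S7 PLC also on Modbus
        if extra:
            findings["unexpected_service"].append((ip, sorted(extra)))
    for ip, asset in inventory.items():              # active asset not answering
        if ip not in scan and asset["status"] == "active":
            findings["missing"].append(ip)
    return findings


if __name__ == "__main__":
    for kind, hits in reconcile(INVENTORY, parse_scan(SCAN_LINES)).items():
        print(kind, hits)
```

Dormant assets stay in the inventory so they are recognised if they reappear, but are not reported as missing while silent.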
