Researchers find that lax ICS security is putting critical services at risk of exploitation.
The "abysmal" state of security for industrial control systems (ICSs) is putting critical services at serious risk, new research finds.
You only need to look at the chaos caused by a ransomware attack launched against Colonial Pipeline this year -- leading to panic buying and fuel shortages across part of the US -- to see what real-world disruption cyber incidents can trigger, and their consequences can go far beyond the damage one company has to repair.
It was only last month that the Port of Houston fended off a cyberattack and there is no reason to believe cyberattacks on operational technology (OT) won't continue -- or, perhaps, become more common.
On Friday, CloudSEK published a new report exploring ICSs and their security posture in light of recent cyberattacks against industrial, utility, and manufacturing targets. The research focuses on ICSs available through the internet.
Some of the most common issues allowing initial access cited in the report include weak or default credentials, outdated or unpatched software vulnerable to bug exploitation, credential leaks caused by third parties, shadow IT, and the leak of source code.
After conducting web scans for vulnerable ICSs, the team says that "hundreds" of vulnerable endpoints were found.
CloudSEK highlighted four cases that the company says represent the current issues surrounding industrial and critical service cybersecurity today:
An Indian water supply management company: Software accessible with default manufacturer credentials allowed the team to access the water supply management platform. Attackers could have tampered with water supply calibration, stopped water treatment, and manipulated the chemical composition of water supplies.
The Indian government: Sets of mail server credentials belonging to the Indian government were found on GitHub.
A gas transport company: This critical service provider's web server, responsible for managing and monitoring gas transport trucks, was vulnerable to SQL injection, and administrator credentials were stored in plaintext.
Central view: The team also found hardcoded credentials belonging to the Indian government on a web server supporting monitors for CCTV footage across different services and states in the country.
The US Cybersecurity and Infrastructure Security Agency (CISA) was informed of CloudSEK's findings, as were the relevant international agencies.