Cybersecurity breaches, infiltrations and takeovers of network-controlled systems, services and devices are occurring with greater frequency, and now, automation and industrial control systems (ICS) are being targeted. These systems are often part of the critical infrastructure, and may include power grids, traffic light systems, physical security, water and utilities that provide necessary functions for everyday life.
Bitsight, a global risk management firm that specializes in breach prevention and mitigation, reported in October 2023 on research revealing that nearly 100,000 ICS owned by global organizations, including Fortune 1000 companies, are exposed to potential attacks that could allow access to and control of physical infrastructure. ICS is a subset of operational technology and includes automation, programmable logic controllers, distributed control systems and other configurations used by industrial sectors and utilities for system management.
According to Bitsight, “Critical infrastructure sectors heavily rely on ICS to control cyber-physical systems, compounding concerns that the exposed systems identified in our research could present significant risks to organizations and communities around the world.”
Attacks mount in sophistication
Most recently, in September 2023, a China-linked hacking group with connections to APT 41, named RedFly by Symantec, breached the network of a national power grid in an Asian country and continued the attack for several months as it infiltrated the IT network of the country’s electric utility. The Colonial Pipeline hack in 2021 is another notable breach that threatened ICS security. While the hackers did not attack through the ICS, they uncovered a virtual private network password through a data breach. Once they had the password, the hackers downloaded 100 gigabytes of data from the company’s internal network and held it for ransom.
The exposed, internet-facing ICS that Bitsight discovered on the public web included systems across 96 countries. The top five sectors with exposed organizations noted in the research were education, technology, government/politics, business services and manufacturing.
The risk is real, according to Dark Reading, as malware is built specifically to subvert power grids, and many of these systems lack security protocols and protective measures. In addition, attackers are known to perform reconnaissance on these targets, gathering data and identifying critical vulnerabilities in systems and software that are older or have not been updated.
ICS include a wide swath of devices: sensors that report field data to controllers; actuators, switches and other equipment that controls the movement of machinery; building management systems that automate elevators and escalators; fire, safety and security systems; and automated gauges used in commercial fuel tanks.
Bitsight studied systems communicating through the most used ICS protocols: Modbus, KNX, BACnet, Niagara Fox and others. “The number of exposed—or internet-facing—industrial control systems remains high as of June 2023, but our research revealed a promising trend. From 2019 to June 2023, we observed a decline in the number of ICS exposed to the public internet. This is a positive development, suggesting that organizations may be properly configuring, switching to other technologies or removing previously exposed ICS from the public internet.”
Bitsight researchers believe initiatives such as CISA’s “Securing Industrial Control Systems: A Unified Initiative” and general discussions within the security community around the topic of ICS cybersecurity may have had a positive effect and contributed to lower exposure and the downward trend.