Skip to main content

Security Risks of Networked Industrial Control System (ICS)

Release Date: 24 Dec 2015 2151 Views

 

HKCERT conducted a study using the Shodan Internet services search engine and found that 106 industrial control system (ICS) devices in Hong Kong could be discovered on the Internet. Why are these ICS devices exposed to the Internet? What are the social and economic impacts if they are been attacked? In this article we try to discuss.

 

In June 2015, SANS released the latest survey on the ICS “The State of Security in Control Systems Today”[1]. They interviewed 314 persons from the system administration, operation and consultancy service provision of ICS. According to the report, 73% of respondents picked external attackers in top three threats, with 42% actually put it as the top threat. This reflected that the industry concerted that external attackers is the biggest threat of ICS.

 

The report also mentioned that documentation on the external connections of system is not sufficient, no matter the external connections were setup by third-party suppliers or internal operators or other persons. 74% of the respondents said that these connections were not fully documented. These connections may have connected to the Internet, resulting in exposure of critical infrastructure and risks of direct attacks.

 

What are Industrial Control Systems?
Industrial Control Systems (ICS) including the hardware and software systems that monitor and control physical facilities and processes for critical infrastructure, such as water supply, sewage treatment, oil drilling, natural gas exploration, power generation and transport system signal control, as well as general use in automated manufacturing, pharmaceutical processing and building management. In daily life, we encounter ICS in electricity and air conditioning control, building security and automated paid parking.

 

ICS continues to evolve and now has entered the fourth generation: Internet of Things (IoT). The development has resulted in more distributed ICS. For example, traffic lights can be connected via wireless network to the control centre. The command centre will make decisions in different traffic situations based on data collected from sensors along the roads and issue commands to individual traffic light.

 

What are the security risks?
Internet of Things has become an inevitable trend. Networked ICS device will be more popular and attacks targeting ICS will become more feasible technically and economically. If a vulnerability is found in the firmware of an ICS device, attackers can exploit the vulnerability remotely via Internet. They may take control of a networked ICS, resulting in various damages depending on the application of the ICS, such as interrupting the proper control of lighting or air-conditioning, disabling the function of alarms in building security system. If the ICS of critical infrastructure is compromised, it may affect the electricity and water supply of the city or cause traffic chaos. If any military facility is compromised, human lives and safety may be threatened. Furthermore, attackers can also penetrate through the entry of the ICS to the corporate intranet and carry other attacks.

 

Result of Study
HKCERT conducted a one-time research on December 9, 2015 using the Shodan (URL: www.shodan.io) Internet services search engine to search for mainstream ICS used in Hong Kong that are connected to the Internet using popular protocols. We found that totally 106 ICS devices can be discovered (see Table 1).

 

ProtocolNumber of Devices
 Bacnet 38
 Modbus 30
 EtherNet/IP 15
 Niagara Fox 15
 Siemens S7 8
 DNP3 0
 IEC-104 0
 Red Lion 0
Total: 106

Table 1: Discovered networked ICS devices with Protocols in Hong Kong 

 

Furthermore, out of the 106 devices found, 79 devices can be identified to a known brand of product by studying their responses to queries (see Table 2).

 

Brand of ICSNumber of Devices
 AutomatedLogic 20
 Rockwell Automation 15
 Tridium 15
 Siemens 15
 Perle 14
 (unknown) 27
 Total: 106

Table 2: Discovered networked ICS with brand name in Hong Kong 

 

We try to find more information on the vulnerabilities of the brands of products we discovered in our study in past five years. From the data of ICS-CERT on ICS, in the period from 2010 to 11 December, 2015, ICS-CERT issued 105 vulnerability alerts[2], and 492 vulnerability advisories [3]. There were 14 vulnerability alerts and 95 vulnerability advisories on the brands of ICS we found in the study.

 

Given the known brand of ICS devices, attackers can use the vulnerabilities of the related ICS system or device to launch attack. Since this type of system is not frequently updated, the opportunity for attackers to exploit these systems Is largely increased.

 

Smart city or smart home will be rapidly developed in the near future. Intelligent systems will be everywhere. When our home also entered to smart age, these security issues will become popular. We need understand the associated risks and enhance our security awareness so that when security incidents occur we are prepared for it.

 

HKCERT has the following recommendations for managers of ICS:

  1. Develop the risk management and crisis management process.
  2. Segregate the networks of the ICS and the corporate intranet using firewall.
  3. Do not connect ICS directly to the Internet. If there is a justified need for doing so, protect them with a firewall.
  4. If you need to access the Human Machine Interface (HMI) or connect to the devices remotely, you should use Virtual Private Network (VPN) or dial-up access.
  5. Use two-factor authentication when signing in to the Human Machine Interface or Virtual Private Network.
  6. Retain complete log records for ICS activities. Keep monitoring the activities and send out alert when abnormal activity is detected.
  7. Use MAC address locking function to prevent intruders from spoofing IP address to intercept and tamper data.
  8. Keep the control systems and device software updated.

Finally, the SANS survey report mentioned that the majority of respondents have obtained computer security related certification and thus they should have adequate knowledge in computer security. Yet 52% of the respondents did not possess any relevant certification in control system. So relevant training about control system security is important to allow them to have a thorough consideration when dealing with security issues.

 

If you want to know more about the security measures for ICS, you can refer to the “Guide to Industrial Control Systems (ICS) Security” NIST SP 800-82[4] published by the US National Institute of Standards and Technology.

 

[1] https://www.sans.org/reading-room/whitepapers/analyst/state-security-control-systems-today-36042

[2] https://ics-cert.us-cert.gov/alerts

[3] https://ics-cert.us-cert.gov/advisories

[4] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf