Industrial control systems are increasingly being connected to the Internet, which means they’re vulnerable to the same kinds of misconfiguration and software vulnerability problems as devices on IT networks. It’s particularly worrisome if the operational network can link to the IT networks.
How big a problem? SecurityWeek.com recently interviewed several vendors who sell solutions designed for protecting ICS systems and discovered a number of horror stories on customer networks, like these:
–A network administrator at a company temporarily connected a router with known vulnerabilities to the Internet for maintenance purposes. The main firewall was configured to limit the access from the Internet to a specific PC as a precaution. However, the network connectivity of the router to a SCADA (supervisory control and data acquisition) switch wasn’t right, leaving it — and the entire ICS network — open to attack;
–All of a manufacturing plant’s ICS devices were from a tier-1 provider, except for one PLC (programmable logic controller) which was from an obscure supplier. One customer asked the manufacturer to use that specific PLC to produce their products so their engineers could connect remotely and modify its configurations. It’s nice to be attentive to a customer. However, a regulator discovered the device also could have been hacked;
–A vendor doing a cybersecurity assessment of a food and beverage facility in Europe discovered that not only could the plant’s office network be accessed from its ICS (and vice versa), so were the networks of dozens of other facilities in other parts of the world, including some that had been sold to a competitor and no longer belonged to that company. “The most surprising finding was that the ICS network was also accessible from a terminal in the plant’s canteen, which was located outside the plant’s perimeter and offered breakfast and lunch to outside visitors.”
Some of these problems are due to misconfigurations, and some are due to network complexity after acquisitions. Whatever the cause they are perfect examples of why industrial control systems and the networks they are attached to have to be carefully scrutinized.