You only need to look at the chaos caused by a ransomware attack launched against Colonial Pipeline this year – leading to panic buying and fuel shortages across part of the US – to see what real-world disruption cyber incidents can trigger, and their consequences can go far beyond the damage one company has to repair.
It was only last month that the Port of Houston fended off a cyberattack and there is no reason to believe cyberattacks on operational technology (OT) won’t continue – or, perhaps, become more common.
On Friday, CloudSEK’s Sparsh Kulshrestha published a new report exploring ICSs and their security posture in light of recent cyberattacks against industrial, utility, and manufacturing targets. The research focuses on ICSs available through the internet.
“While nation-state actors have an abundance of tools, time, and resources, other threat actors primarily rely on the internet to select targets and identify their vulnerabilities,” the team notes. “While most ICSs have some level of cybersecurity measures in place, human error is one of the leading reasons due to which threat actors are still able to compromise them time and again.”
Some of the most common issues allowing initial access cited in the report include weak or default credentials, outdated or unpatched software vulnerable to bug exploitation, credential leaks caused by third parties, shadow IT, and the leak of source code.
After conducting web scans for vulnerable ICSs, the team says that “hundreds” of vulnerable endpoints were found.
CloudSEK highlighted four cases that the company says represent the current issues surrounding industrial and critical service cybersecurity today:
An Indian water supply management company: Software accessible with default manufacturer credentials allowed the team to access the water supply management platform. Attackers could have tampered with water supply calibration, stopped water treatments, and manipulated the chemical composition of water supplies.
The Indian government: Sets of mail server credentials belonging to the Indian government were found on GitHub.
A gas transport company: This critical service provider’s web server, responsible for managing and monitoring gas transport trucks, was vulnerable to an SQL injection attack and administrator credentials were available in plaintext.
Central view: The team also found hardcoded credentials belonging to the Indian government on a web server supporting monitors for CCTV footage across different services and states in the country.
The US Cybersecurity and Infrastructure Security Agency (CISA) was informed of CloudSEK’s findings, as well as associated international agencies.
“Owing to an increase in remote work and online businesses, most cybersecurity efforts have been focused on IT security,” says Sparsh Kulshrestha, Senior Security Analyst at CloudSEK. “However, the recent OT attacks have been a timely reminder of why traditional industries and critical infrastructure need renewed attention, given that they form the bedrock of our societies and our economies.”