[Report] Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries
TrendMicro published research at the end of October revealing how exposed human-machine interface (HMI) systems in thousands of critical water and energy organizations around the world could be exploited, causing significant real-world impacts, such as contaminating the water supply.
A vast majority of the identified exposed systems are from smaller energy and water organizations that feed the major enterprise supply chain, which serves the general public.
With access to an exposed HMI system, an attacker is not only able to see all the information about critical systems, but can also interact with and abuse these interfaces.
In the report, Trend Micro researchers detail potential attack scenarios that would have substantial real-world impacts to critical infrastructure using information found in the exposed systems. This information includes the type of device, physical location, and other system-level details, which can all be used to inform a potential attack.
Attackers may soon turn their attention to exploiting these exposed systems due to an increase in new vulnerabilities found this year. Trend Micro’s Zero Day Initiative has published nearly 400 SCADA-related vulnerability advisories in 2018 so far – a 200 percent increase compared to the same time last year.
Based on a recent survey by Trend Micro, operational technologies like these have not typically been managed by IT or security teams. The ongoing confusion around who in an organization is responsible for securing connected devices often leaves them more at risk.
The primary goal of this research is to demonstrate just how easy it is to discover and exploit cyber assets in the water industry and energy sectors using basic open-source intelligence (OSINT) techniques. Given the extreme importance of these two sectors, a more aggressive agenda needs to be urgently pursued to better protect and safeguard water and energy CI from cyber attacks.
Using Shodan and Shodan IP histories, TrendMicro’s team collected data on internet-exposed energy and water HMIs. All the oil and gas HMIs, the team, found were located in the U. S., with the only exception being a drilling rig controller in the Middle East. Exposed biogas HMIs were found only in Europe, with Germany and France having the most number of these devices/systems exposed online. Power system HMIs were found mostly in Europe, one in Asia, and surprisingly none in North America. Water utility HMIs were discovered all over the globe.
The HMIs discovered were accessible via unauthenticated VNC servers; a potential attacker can interact with these exposed HMIs using a VNC viewer. Alarmingly, many of these exposed HMIs have critical functionalities like start, stop, reset, alarm, parameter changes, and so on, easily accessible by anyone. If an attacker accesses these exposed HMIs, then they can inflict severe system damage or cause failures.
Download the full report to read all the findings. In the end, this 68 pages report provides defensive strategies for protecting the central ICS equipment and the supply chain of the water and energy sector. Furthermore, the report contains information about other important related topics including cyber-attacks against third-party contractors/integrators and insider threats.