New report sees big increases in cybersecurity risks for ICS/OT devices
What you'll learn:
- Exposure of ICS and OT devices should exceed 200,000 devices visible to potential bad actors each month, up from 160,000 to 180,000 monthly in 2024.
- Many of these systems are often exposed with minimal security and exploitable vulnerabilities that have real-world implications for safety, continuity and national security.
- Many also are part of critical infrastructure. Combined with readily available ICS-aware tools, attackers have an efficient path from scan to impact.
Cybercriminals have more ways of attacking industrial control systems and OT equipment, making high-tech manufacturing more dangerous following years of improvements, according to a new report.
Exposure of ICS and OT devices should exceed 200,000 devices visible to potential bad actors each month, up from 160,000 to 180,000 devices monthly in 2024, the late September assessment from cybersecurity firm BitSight found. And two independent experts agreed.
“It’s a concerning trend,” said Joshua Newton, industrial security project engineer at Rockwell Automation.
“The greater implications of it is simply going to be greater risk to those exposed assets,” Newton said, adding that since OT assets have historically been softer targets, they are less likely to be protected.
The BitSight report also found that ICS/OT systems are increasingly exposed to the public internet, as global ICS/OT exposure jumped 12% in 2024.
Many of these systems—which control critical infrastructure such as energy, water and building automation—often are exposed with minimal security and exploitable vulnerabilities.
The vulnerabilities have real-world implications for safety, continuity and national security, highlighting the need for coordinated action from ISPs, manufacturers, integrators and policymakers, BitSight leaders argue in their assessment.
According to the BitSight report, the increase in exposures stems from organizations relying largely on enterprise IT-grade firewalls and endpoint tools that were not designed to secure factory environments, where uptime is prioritized over data privacy. As a result of the gap between IT and OT, assets are exposed.
Chris Di Biase, principal application engineer at Rockwell, agreed with BitSight’s observations. As he put it, traditional IT security tools interfere with operations, while in OT and plant-floor environments, the emphasis is on keeping the machine running.
“I do think that traditional IT security tooling has a very important role to play at a minimum with perimeter defense,” Di Biase said. “But its availability is the most important thing ... so unless you can prove to [manufacturers] that this is not gonna impact anything, they’re not gonna use it.”
The report identified FrostyGoop and Fuxnet as two types of malware threatening these systems. That software can disable devices that use the Meter-bus and Modbus protocols to inflict maximum damage.
“The bigger question is why this is happening,” Newton said.
He speculated that increased exposure within the last year could be a residual outcome of Industry 4.0, edge-to-cloud orchestration and the increased drive toward AI. He emphasized, however, that it’s too soon to be sure of the cause and that more time needs to pass to make sure this year wasn’t an “anomaly.”
BitSight also showed that old gear that should have been retired, and new gear that should not be online, are weaknesses to blame. Those systems include Modbus, S7, BACnet, KNX and ATG.
Many of these systems are part of critical infrastructure. Combined with readily available ICS-aware tools, attackers have an efficient path from scan to real-world impact: pumps stall, lights flicker, heating fails and so do safety systems.
In addition to more devices exposed to bad actors, security experts are finding new vulnerabilities in these devices.
The U.S. Cybersecurity and Infrastructure Security Agency tracks these vulnerabilities and regularly publishes advisories on newly found vulnerabilities that affect industrial control systems. Common vulnerabilities and exposures are rising almost every year.
Almost 30% of these vulnerabilities have no patch or update available, according to CISA.
Newton and Di Biase emphasized that these OT devices should not be internet-facing, and that other security measures won’t be as effective if the devices are discoverable on the internet.
“Off-the-shelf IT security components can be used to very great effect to secure the OT equipment if they’re applied carefully, and those things can be applied carefully by quite a few professionals in the IT sphere,” Di Biase said.
“As long as the IT engineers that are doing the application understand the operational requirements of the plant floor, then they can do a really good job of helping partner with OT to secure these environments and, through security, improve availability of the applications and improve run time.”
About the Author
Sarah Mattalian
Staff Writer
Sarah Mattalian is a Chicago-based journalist writing for Smart Industry and Automation World, two brands of Endeavor Business Media, covering industry trends and manufacturing technology. In 2025, she graduated with a master's degree in journalism from Northwestern University's Medill School of Journalism, specializing in health, environment and science reporting. She does freelance work as well, covering public health and the environment in Chicagoland and in the Midwest. Her work has appeared in Inside Climate News, Inside Washington Publishers, NBC4 in Washington, D.C., The Durango Herald and North Jersey Daily News. She has a translation certificate in Spanish.

