This is the first of a two-part series from cybersecurity expert Dan Ricci on OT and ICS exposure points such as misconfigurations and insecure remote access that jeopardize processes beyond the risks introduced by software and firmware vulnerabilities.
Operational technology (OT) systems are exposed in many places that leave them vulnerable to malicious actors beyond known software and firmware vulnerabilities. There are intricate challenges with each potential exposure point, which range from poorly configured devices and network connections, to supply chain risks, and insider threats. Asset owners must consider these non-traditional OT exposures to understand the multifaceted challenges and the proactive measures necessary to safeguard critical infrastructure.
OT and industrial control systems (ICS) are the backbone of critical infrastructure, powering entities such as power stations, water purification systems, and transport networks. Yet, these systems are not impervious to cyber threats, often falling prey because of poorly configured devices and systems.
Legacy OT systems, for instance, frequently run outdated software that lacks adequate user and system authentication, data authenticity verification, or data integrity checking. These shortcomings can grant attackers unrestricted access to the systems. Moreover, while newer ICS assets may be inherently more secure, they often present an expanded attack surface because they are integrated with internet or IT network connectivity for remote control and operations.
These vulnerabilities are not theoretical and have already caused significant harm, as demonstrated by the 2015 cyber-attack on Ukraine's power grid, which resulted in a blackout that affected more than 200,000 people. The attackers were traced back to Russian state-sponsored hackers who used malware to manipulate ICS/OT systems.
Another example is the global ransomware attack on JBS Foods in May 2021, which disrupted meat production across North America and Australia, impacting the supply and price of meat, and affecting farmers with livestock operations.
These incidents underscore the need for robust cybersecurity measures to safeguard ICS/OT systems beyond scheduling downtime to apply patches and updates. Steps must be taken to ensure that all systems and devices are correctly configured and secured to ward off potential attacks. Failure to do so could result in severe consequences, including widespread disruptions of essential services, economic losses, and even loss of life.
It is imperative to understand where non-traditional exposures exist, in particular when remote access is permitted in OT environments.
For instance, 4G LTE modems that are often used for remote connectivity can be vulnerable to attacks if not adequately secured. Misconfigurations of 4G LTE modems in ICS/OT environments could potentially lead to serious security exposures. Still, the specifics can vary greatly depending on the device model, firmware version, network environment, and other factors.
However, three general misconfigurations that could potentially apply to 4G LTE modems include:
Default Credentials: Failing to change default usernames and passwords for connected industrial equipment—many of which can generally be found in documentation or online—exposes devices as easy targets for unauthorized access.
Open Ports: Unnecessarily open ports can directly expose the device to the internet, and attackers using internet scanning services can easily identify them and attempt to exploit known vulnerabilities or default credentials.
Insecure Remote Management Settings: An attacker could remotely control the device if its remote management settings are insecure, for example unrestricted access, default credentials, or no access control list.
While industrial equipment should never be directly connected online, a virtual private network is not always a guarantee of a secure connection if poorly configured. Attackers can abuse an insecure VPN setup as an entry point into the network. Some of those misconfigurations include:
Inadequate Encryption: VPNs use encryption to safeguard data transmitted over the internet. Subpar encryption can leave VPN traffic prone to decryption and potential data breaches. For example, multiple security vulnerabilities have been identified in the Point-to-Point Tunneling Protocol (PPTP), including weak encryption algorithms, which have made it a prime target for attackers.
Missing Multifactor Authentication (MFA): MFA can be a robust defense against unauthorized account access when applied to remote desktop access, for example. Given that the Remote Desktop Protocol (RDP) is frequently exploited as a gateway for ransomware, the role of MFA in thwarting malicious cyber activities should not be dismissed. It's crucial that no user, including administrators, is exempt from MFA requirements.
Furthermore, misapplications of privileges or permissions, and inaccuracies in access control lists can hinder the proper implementation of access control rules. Such oversights could potentially grant unauthorized users or system processes access to sensitive resources.
The Secure Shell (SSH) protocol enables secure remote login and other network services over an unsecured network. SSH use is observed in some industrial network switches and control system devices (e.g., PLCs, HMIs, engineering servers/workstations, jump hosts) in OT environments. However, misconfigurations in SSH can lead to significant security vulnerabilities. Here are some examples:
Default Settings: A common misconfiguration is using default settings, which can simplify the process for attackers to gain system access. For example, using default or weak passwords or not changing the default port (22) can expose the system to brute-force attacks.
Unnecessary Features: Activating unnecessary features can expand the system's attack surface, making it more susceptible to attack. For instance, allowing root login or permitting empty passwords can provide an easy access point for attackers.
Outdated Configurations: Neglecting regular updates can leave systems vulnerable to attacks. It's essential to regularly review and update SSH configuration settings to enhance system security, such as disabling outdated cryptographic algorithms and enforcing robust key authentication.
Inadequate Access Control: Weak or compromised credentials account for many security breaches. Relying solely on default SSH configurations may not enforce stringent access control measures. Key-based authentication should be used instead of password authentication to enhance access control.
Open Outbound Ports for SSH: Allowing outbound access to SSH is a common cloud misconfiguration. Application servers rarely need SSH to other network servers, so it's unnecessary to use open outbound ports for SSH. Outbound port access should be restricted, and the principle of least privilege should be applied to limit outbound communications.
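The SSH misconfigurations listed above (root login, empty passwords, password-only authentication, outdated algorithms, no login allow-list) can all be read straight out of sshd_config. The following is an added example, not code from the article or from any project: a small Python auditor that parses an OpenSSH server configuration with sshd's first-value-wins semantics and reports findings against a hardening baseline. The two configurations, the baseline defaults, and the weak-algorithm patterns are assumptions constructed for the example; the default values mirror current OpenSSH documentation, but confirm them against the version you run.

```python
"""Audit an OpenSSH server configuration for the misconfigurations discussed above.

Hypothetical helper, not part of any project. It parses sshd_config text the
way sshd applies it (first value for a keyword wins, global section only) and
reports findings against a small hardening baseline.
"""
import re

# Constructed sample: a hastily deployed device with the weak settings named in the article.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
Ciphers aes128-cbc,3des-cbc,aes256-ctr
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256
"""

# Constructed sample: the same host after hardening (key-based auth, allow-list, modern algorithms).
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
AllowTcpForwarding no
AllowGroups ot-engineers
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com
"""

# OpenSSH defaults applied when a keyword is absent (assumed; verify for your sshd version).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "yes" if False else "no",
}

# Algorithm names considered outdated for this baseline (assumed patterns, anchored to avoid
# false positives such as diffie-hellman-group16-sha512 matching "group1").
WEAK_ALGO_PATTERNS = {
    "ciphers": re.compile(r"-cbc$|3des|arcfour|blowfish|cast128"),
    "kexalgorithms": re.compile(r"-sha1$|group1-"),
    "macs": re.compile(r"md5|-96|sha1"),
}


def parse_sshd_config(text):
    """Return {keyword(lowercase): first value} for the global section of sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional blocks need per-connection evaluation; audit only the global section
        settings.setdefault(key, value)  # sshd keeps the first value given for each keyword
    return settings


def audit_sshd_config(text):
    """Return a list of (setting, explanation) findings; an empty list means the baseline is met."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["permitrootlogin"] == "yes":
        findings.append(("PermitRootLogin", "root may log in with a password; set 'no'"))
    if cfg["permitemptypasswords"] == "yes":
        findings.append(("PermitEmptyPasswords", "accounts with empty passwords may log in; set 'no'"))
    if cfg["passwordauthentication"] == "yes":
        findings.append(("PasswordAuthentication", "password logins enabled; use key-based authentication"))
    if cfg["pubkeyauthentication"] == "no":
        findings.append(("PubkeyAuthentication", "key-based authentication disabled; set 'yes'"))
    if cfg["x11forwarding"] == "yes":
        findings.append(("X11Forwarding", "unnecessary feature enabled on a control-system host"))
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append(("AllowUsers/AllowGroups", "no login allow-list; every local account may attempt SSH"))
    for key, pattern in WEAK_ALGO_PATTERNS.items():
        for algo in cfg.get(key, "").split(","):
            algo = algo.strip().lower()
            if algo and pattern.search(algo):
                findings.append((key, f"outdated algorithm offered: {algo}"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"== {name} ==")
        for setting, why in audit_sshd_config(text) or [("OK", "baseline met")]:
            print(f"  {setting}: {why}")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; on a host that uses `Match` blocks, check those blocks separately, since the auditor deliberately stops at the first one rather than guess which connections they apply to. The script reports on the default port but does not flag it: moving sshd off port 22 reduces scanner noise, but the controls that matter are the authentication and algorithm settings above.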
Jump hosts—also known as jump servers or jump boxes—serve as intermediary servers for remote access and can be another potential weak point. If a jump host is compromised, it can provide a pathway for an attacker to move laterally within the network, potentially gaining access to critical ICS/OT devices. Here are a few examples of jump host misconfigurations:
Pre-set Configurations: Hastily deployed jump hosts may be equipped with pre-set configurations, including default usernames and passwords and unnecessary services. If these pre-set configurations are not modified during the initial setup, the jump host could be vulnerable to unauthorized access.
Unsecured Ports: Certain jump hosts might have unsecured ports that are not required for user operations. Attackers could manipulate these unsecured ports to gain unauthorized access to the network.
Redundant Features Activated: Jump hosts frequently have several features activated by default, some of which might not be essential for operations. These redundant features could amplify system vulnerabilities.
Improper Firewall Rules: If the jump host's firewall rules are not correctly configured, the network could be exposed to potential intrusions.
Unsecured Remote Management Configurations: If the jump host's remote management configurations are unsecured, an attacker could remotely control the network.
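The "Unsecured Ports" and "Redundant Features Activated" items above (and the "Open Ports" point in the 4G LTE modem section) come down to one question: which services on the host are listening on a network-reachable address, and are they on the allow-list? The following is an added example, not code from the article or from any project: a Python check that parses text in the shape of `ss -Hlntp` output and flags listeners that are unexpected or bound more widely than policy allows. The sample socket table, the management address 10.20.0.5, and the expected-listener policy are assumptions constructed for the example.

```python
"""Flag listening TCP sockets on a jump host that fall outside an allow-list.

Hypothetical helper, not part of any project. Input is text in the shape of
`ss -Hlntp` output; the policy names which (port, process) pairs are expected
and which local addresses each may bind.
"""
import re

# Constructed sample of `ss -Hlntp` output from a jump host whose management
# interface is 10.20.0.5; services bound to all interfaces are also reachable
# from any other network the host is attached to.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=900,fd=7))
LISTEN 0 50 *:5900 *:* users:(("x11vnc",pid=1201,fd=4))
LISTEN 0 128 10.20.0.5:3389 0.0.0.0:* users:(("xrdp",pid=1310,fd=11))
LISTEN 0 511 10.20.0.5:443 0.0.0.0:* users:(("nginx",pid=1402,fd=6))
"""

# Assumed policy: (port, process) pairs that belong on this jump host and the
# addresses they may bind. Everything else is a finding.
EXPECTED_LISTENERS = {
    (22, "sshd"): {"10.20.0.5"},
    (443, "nginx"): {"10.20.0.5"},
}

WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}
LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")

# One `ss` line: state, recv-q, send-q, local addr:port, peer addr:port, users:(("proc",pid=N,fd=M))
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(text):
    """Return a list of {addr, port, proc, pid} dicts, one per LISTEN line."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)  # rsplit keeps IPv6 addresses like [::] intact
        listeners.append(
            {"addr": addr, "port": int(port), "proc": m.group("proc"), "pid": int(m.group("pid"))}
        )
    return listeners


def bind_scope(addr):
    """Classify a local address as 'any' (all interfaces), 'loopback', or 'specific'."""
    if addr in WILDCARD_ADDRS:
        return "any"
    if addr.startswith(LOOPBACK_PREFIXES):
        return "loopback"
    return "specific"


def audit_listeners(text, expected=EXPECTED_LISTENERS):
    """Return (port, process, addr, reason) tuples for listeners that violate the policy."""
    findings = []
    for lst in parse_listeners(text):
        scope = bind_scope(lst["addr"])
        if scope == "loopback":
            continue  # reachable only from the host itself; not a network exposure
        allowed = expected.get((lst["port"], lst["proc"]))
        if allowed is None:
            findings.append((lst["port"], lst["proc"], lst["addr"],
                             "unexpected network service; disable it or add it to the policy"))
        elif scope == "any" or lst["addr"] not in allowed:
            findings.append((lst["port"], lst["proc"], lst["addr"],
                             f"bound outside the allowed addresses {sorted(allowed)}"))
    return findings


if __name__ == "__main__":
    for port, proc, addr, reason in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proc} on {addr}:{port}: {reason}")
```

On a live host, feed the script the output of `ss -Hlntp` (run as root so process names are shown) and keep the policy under version control next to the host's build documentation, so that every listener either has a recorded justification or gets removed. Against the constructed sample the check reports sshd bound to all interfaces, the VNC server, and the RDP listener, and accepts the web console on the management address.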
These examples underscore the importance of robust cybersecurity measures, including proper configuration and regular updates, in protecting ICS/OT systems from potential cyber threats. Stay current with the latest threats and implement comprehensive security measures against potential attacks.
Dan Ricci is founder of the ICS Advisory Project, an open-source project to provide DHS CISA ICS Advisories data visualized as a dashboard to support vulnerability analysis for the OT/ICS community. He retired from the U.S. Navy after serving 21 years in the information warfare community.