Indian organizations are extremely vulnerable to critical infrastructure attacks: Kaushal Dalal, MD India, FireEye
FireEye released a recent report on key weaknesses in critical industrial systems. Enterprises in India are extremely vulnerable to these threats, as many industrial networks run on outdated systems that are difficult to patch. Kaushal Dalal, Managing Director for India, FireEye, discusses the vulnerabilities that most expose Indian organizations to critical infrastructure attacks.
How different are industrial networks from traditional IT networks from a security perspective?
Industrial networks differ quite significantly from traditional IT networks due to the specific requirements of their operation. Industrial networks are more critical than traditional IT networks. They are the technological backbone of manufacturing lines, electric grids, water supplies, and production lines. Lives often depend on them. For example, consider how many systems in a hospital can affect patients.
Industrial networks often run on outdated systems which are difficult to patch. The hardware, such as PLCs, RTUs, VFDs, protective relays, flow computers, and gateway communicators, can be operational for decades and may operate too simplistically. It’s difficult if not impossible in some cases to add new security or new layers to ICS systems due to their age and design.
What are some of the soft targets for hackers in industrial networks?
Most industrial networks use outdated and unpatched Microsoft Windows operating systems. This is a soft and easy spot for attackers. ICS vendors often don’t have a list of third-party software and versions used in their products. Weak firmware integrity checks are also a weakness. Firmware (the code that enables an embedded device to perform its functions) is generally more difficult to change or update than software. Dozens of vulnerabilities involving password weaknesses in ICS devices and software from numerous vendors have also been disclosed. ICS hardware is often outdated and lacks the processing power and memory to handle the threat environment presented by modern network technology.
How vulnerable is India with respect to the vulnerabilities pointed out in the report?
Indian organizations are quite vulnerable to critical infrastructure attacks. India has underinvested in technology and cyber security for quite some time. This is now a significant problem. As the country rapidly embraces new technologies, connected systems, digitization and the concept of smart cities, it will only create additional vulnerabilities for Indian firms. Most Indian industrial systems run on old, outdated hardware, use unpatched Microsoft Windows operating systems, use weak passwords and have undocumented third-party vendors. These are a few of the most common weaknesses we have observed.
It is important to keep industrial control systems separate from the rest of the network. It’s good to stay connected, but it’s better to allow the data to flow in a way that also prevents unnecessary connectivity with unprotected networks. It is also safer to have two-factor authentication and to allow only limited, authorized access to the ICS systems.
What are some of the big vulnerabilities that should be of concern to Indian manufacturers?
There’s not just one; there are a million big vulnerabilities Indian manufacturers should be concerned about. Here are a few types:
• Access to Level 2 Allows a Threat Actor to Manipulate Processes: More than half the vulnerabilities discovered since 2013 deal with Level 2. Devices that directly control the processes, such as HMIs and engineering workstations, reside here. Like having a master key, controlling one of those devices gives attackers control of any connected processes. For example, as seen in the attacks on the Ukrainian power companies in December 2014, once attackers have access to the HMI, they can open and close switches and actuators at will without exploiting additional vulnerabilities.
• Unauthenticated protocols remain one of the key vulnerabilities. Using unauthenticated protocols allows any computer connected to these networks to interact with the controlled process. For instance, the use of Modbus/TCP allows any device on the network to alter a set point within the process logic executed by the controller.
• Engineering workstations and HMIs often run outdated and unpatched Microsoft Windows operating systems, leaving them exposed to known vulnerabilities. Exploit kits frequently incorporate exploits for older and unpatched systems, even if patches are available. These can affect unpatched or outdated HMI computers accessing the Internet. For example, advanced threats, such as APT 17 and actors using Kraken malware, continue to target Windows XP and Windows Server 2003.
What recommendations would you give Indian organizations to address the weaknesses seen in industrial systems?
We recommend that plant managers, operators and field technicians take a few steps to mitigate and address the weaknesses seen in industrial systems:
• Implement bump-in-the-wire authentication solutions or VPNs
• Incorporate deep-packet-inspection ICS firewalls that block unauthorized commands from certain IP addresses
• Configure restrictive access control lists and firewall rules to minimize network connectivity of devices with outdated hardware
• Consider upgrades for older devices that have network connectivity and support critical process control functions
• Monitor device logs and network traffic for attempts to exploit password weaknesses
• Obtain software/firmware directly from the vendor and not from third parties. Examine ICS products to identify third-party software before operational deployment
• Monitor the network for firmware and logic updates
• Maintain an inventory of operating systems used in an industrial environment that are unpatched or no longer supported
• Request or require that vendors validate patches for the third-party software to ensure interoperability
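The two points above that fit together most directly are the unauthenticated-protocol weakness (Modbus/TCP lets any host on the segment write a set point) and the recommended countermeasure (a deep-packet ICS firewall that blocks unauthorized commands by source address). The following is an added illustration, not code from FireEye or from this interview: it parses the Modbus/TCP MBAP header and PDU far enough to classify each request as a read or a write, then applies a constructed policy that only allows write function codes from an allowlisted set of engineering-workstation addresses. The allowlist, the sample frames and the function-code classification are assumptions made for the example; a real ICS firewall would also bound register ranges and unit identifiers per device.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Modbus function codes that change process state. Treating these as privileged
# is the policy choice this example makes; it is not something the protocol enforces.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}   # write coil(s)/register(s), mask write, read/write
MBAP_LEN = 7                                     # transaction id, protocol id, length, unit id


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]   # starting coil/register address, when the PDU carries one
    value: Optional[int]     # written value for the single-write functions (5 and 6)


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP request frame. Raises ValueError on malformed input."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # MBAP length counts the unit id and the PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[MBAP_LEN:]
    fc = pdu[0]
    address = value = None
    if fc in (1, 2, 3, 4, 5, 6, 15, 16) and len(pdu) >= 5:
        address = struct.unpack(">H", pdu[1:3])[0]
        if fc in (5, 6):
            value = struct.unpack(">H", pdu[3:5])[0]
    return ModbusRequest(tid, unit, fc, address, value)


def build_request(tid: int, unit: int, fc: int, address: int, word: int) -> bytes:
    """Build a simple request whose PDU is function code + two 16-bit words
    (start address and quantity for reads, address and value for single writes)."""
    pdu = struct.pack(">BHH", fc, address, word)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def evaluate(src_ip: str, frame: bytes, write_allowlist: Set[str]) -> Tuple[str, str]:
    """Firewall decision for one frame: ('ALLOW'|'BLOCK', reason)."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "BLOCK", f"malformed frame: {exc}"
    if req.function_code in WRITE_FUNCTION_CODES and src_ip not in write_allowlist:
        return "BLOCK", (f"write function {req.function_code} to address {req.address} "
                         f"from non-engineering host {src_ip}")
    return "ALLOW", f"function {req.function_code} from {src_ip}"


# Constructed sample traffic: an HMI poll, a legitimate set-point write, the same write
# from an unlisted host, and a truncated frame. Addresses are assumptions for the example.
ENGINEERING_WORKSTATIONS = {"10.20.0.5"}
SAMPLE_TRAFFIC = [
    ("10.20.0.10", build_request(1, 1, 3, 0x0000, 10)),    # read 10 holding registers
    ("10.20.0.5",  build_request(2, 1, 6, 0x0010, 750)),   # engineering workstation sets register 16
    ("10.20.0.77", build_request(3, 1, 6, 0x0010, 9999)),  # unlisted host tries the same register
    ("10.20.0.77", b"\x00\x04\x00\x00\x00\x02\x01"),       # MBAP header only, no function code
]


def audit(traffic: Iterable[Tuple[str, bytes]], allowlist: Set[str]) -> List[Tuple[str, str, str]]:
    """Run the policy over captured (source ip, frame) pairs."""
    return [(ip, *evaluate(ip, frame, allowlist)) for ip, frame in traffic]


if __name__ == "__main__":
    for ip, decision, reason in audit(SAMPLE_TRAFFIC, ENGINEERING_WORKSTATIONS):
        print(f"{decision:5} {ip:12} {reason}")
```

The point the example makes is that nothing in the frame itself distinguishes the engineering workstation's write from the unlisted host's write: both parse identically and the controller would execute either. The only thing that separates them is the source-address policy applied in front of the PLC, which is exactly the control the recommendation above describes, and why that policy has to be paired with the restrictive ACLs and network separation mentioned earlier.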