According to the 2019 Global ICS & IIoT Risk Report published by CyberX, cyber-criminals are increasingly targeting the vulnerabilities of industrial control systems (ICSs) and the industrial internet of things (IIoT).
The report reflects the findings from data captured over the past 12 months from more than 850 production ICS networks across all industrial sectors. While the data showed that industrial and critical infrastructure organizations have improved their risk postures, major gaps still remain in key areas of their overall security strategies.
After analyzing real-world traffic from production ICS networks, researchers found that 69% of industrial sites have plain-text passwords across the network. Legacy protocols that do not encrypt traffic leave sensitive credentials exposed, which makes threat actors' reconnaissance work much easier.
In addition, direct internet connections and poor antivirus solutions make ICS soft targets for adversaries. The report revealed that at least one direct connection to the public internet exists in 40% of sites. Now that operational technology (OT) networks are more frequently connected to corporate IT networks, leaving industrial networks connected to the public internet creates additional entryways for attackers.
Year-over-year trends revealed that the prevalence of Windows XP and other legacy Windows systems has decreased. In large part, this reduction has been driven by top-down management efforts since NotPetya struck. In 2017, three out of four systems remained unpatched, but the research showed a marked improvement, with only 53% of sites having outdated Windows systems like XP in 2018.
“We’re not here to create FUD, but we think it’s important for business leaders to have a data-driven view of ICS risk so they can ask the right questions,” said Dan Shugrue, senior director of industrial cybersecurity for CyberX, in a press release. “We’re definitely making progress in reducing ICS risk, but we have a long way to go. Reducing ICS risk is a journey – most of these ICS networks were designed decades ago, long before cybersecurity was a key design priority.”