More than nine in 10 (91%) industrial organizations are vulnerable to cyber-attacks, according to a new report by Positive Technologies.
The study found that external attackers can penetrate the corporate network in all these organizations, and once inside, can obtain user credentials and complete control over the infrastructure in 100% of cases. In over two-thirds (69%) of these cases, external attackers can steal sensitive data from the organization, including information about partners and company employees and internal documentation.
In addition, penetration testers from Positive Technologies gained access to the technological segment of the network of 75% of organizations. This then enabled them to access industrial control systems (ICS) in 56% of cases.
Once malicious actors gain access to ICS components, they have the opportunity to cause severe damage and even fatalities, including by shutting down production entirely, causing equipment to fail and triggering industrial accidents.
Positive Technologies said a range of factors is making these organizations vulnerable to hackers. For example, during recent PT NAD pilot projects, its experts uncovered numerous suspicious events in the internal network of each industrial company. In one case, PT NAD registered an RDP connection to an external cloud storage service, with 23 GB of data transferred to that storage address via RDP and HTTPS.
The vendor also noted that industrial companies often use outdated software and commonly save connection parameters (username and password) in a remote access authentication form. An attacker who gains control of such a computer can then connect to the resources of an isolated segment without needing to know the credentials.
The potential impact of an attack on an industrial organization was demonstrated during a virtual cyber-range at The Standoff 2021. In one scenario, within two days, attackers gained control of the gas station, halting the gas supply and causing an explosion.
Olga Zinenko, senior analyst at Positive Technologies, commented: “Today, the level of cybersecurity at most industrial companies is too low for comfort. In most cases, internet-accessible external network perimeters contain weak protection, device configurations contain flaws, and we find a low level of ICS network security and the use of dictionary passwords and outdated software versions present risks.”