FireEye has recently announced the release of its ‘Subversive Six’ report, which is the result of a focused analysis of the industrial sector by experts at FireEye iSIGHT Intelligence. Industrial enterprises including electric utilities, petroleum companies, and manufacturing organizations invest heavily in industrial control systems (ICS) to efficiently, reliably, and safely operate industrial processes. The FireEye report identifies the six areas of vulnerability in a typical industrial scenario:
- Unauthenticated protocols – Many ICS protocols operate without authentication—the ability to ensure that data comes from a trusted source. Effectively, any computer on the network can send commands that alter the physical process, leading to incorrect process operation that can damage goods, destroy equipment, harm personnel, or degrade the environment. Source authentication is normally achieved by verification and use of cryptographic keys.
- Outdated hardware – ICS hardware can be operational for decades, and may operate too simplistically or lack the processing power and memory to handle the threats presented by modern network technology.
- Weak user authentication – ICS users commonly authenticate with passwords, and weaknesses in legacy control systems often include hard-coded passwords, easily cracked passwords, passwords stored in easily recoverable formats, and passwords sent in clear text. An attacker who obtains these passwords can often interact with the controlled process at will.
- Weak integrity checks – Integrity checking, the ability to verify the integrity and origin of data or code, is normally achieved by cryptographic verification, and weaknesses include weak software signing, weak firmware integrity checks, and weak control logic integrity checks.
- Vulnerabilities affecting Windows operating systems – Engineering workstations and Human-Machine Interfaces (HMI) often run outdated and unpatched Microsoft Windows operating systems, leaving them exposed to vulnerabilities. In some cases, this means that adversaries may access industrial systems without needing specific knowledge of the control systems.
- Undocumented third-party relationships – ICS asset owners seldom document and track third-party dependencies in ICS software they operate, and many ICS vendors may not immediately know the third-party components they use, making it difficult for them to inform their customers of the vulnerabilities. Adversaries aware of these dependencies can target software the industrial firm may not even know it has.
“With the increased demand to have operational technology (OT) networks connected to internet enabled networks for Real Time Telemetry (RTT), we are seeing a corresponding increase in opportunities for adversaries with malicious intent to undermine organizations in the industrial sector that are less security-conscious. It is becoming even more important that organizations employ the right resources to identify and plug their security gaps to prevent future threats,” said Stuart Davis, Director, Middle East, Mandiant (A FireEye Company). “In 2017, we expect the number of politically and financially motivated attacks to increase. At FireEye, our aim is to continuously assess and provide industry insights that can inspire a higher focus on security across industry verticals.”