Many industrial control system are exposed to the internet, creating a severe risk because most are hopelessly insecure, according to a new study by Kaspersky Lab.

To minimise the possibility of a cyber-attack, Industrial Control Systems (ICS) are supposed to be run in a physically isolated environment. In total, 188,019 hosts with ICS components available via the internet have been identified in 170 countries.

The vast majority (92 per cent, or 172,982) of remotely available ICS hosts have vulnerabilities. Most (87 per cent) of these hosts contain medium risk vulnerabilities and seven per cent of them have critical vulnerabilities.

And 91.6 per cent (172,338 different hosts) of all the externally available ICS devices use weak (normally unencrypted) internet connection protocols, which opens the opportunity for attackers to conduct man-in-the-middle attacks.

Kaspersky Lab researchers found 13,033 vulnerabilities on 11,882 hosts (6.3 per cent of all hosts with externally available components).

The study passively looked at industrial control systems in organisations including energy, transportation, aerospace, oil and gas, chemicals, automotive and manufacturing, food and drink, governmental, financial and medical institutions.

“Our research shows that the larger the ICS infrastructure, the bigger the chance that it will have severe security holes,” said Andrey Suvorov, head of critical infrastructure protection, Kaspersky Lab. “This is not the fault of a single software or hardware vendor. By its very nature, the ICS environment is a mix of different interconnected components, many of which are connected to the Internet and contain security issues.”

Sophisticated attacks on ICS systems are rare but not unprecedented. Last year an organised group of hackers called BlackEnergy APT attacked a power companies in Ukraine. In a separate attack, hackers attacked Kemuri Water Company’s control system and changed the levels of chemicals being used to treat tap water.

Attacks on industrial control systems at a steel mill in Germany back in 2014 give a cause for concern.

The number of vulnerabilities in ICS components has increased tenfold during the past five years: from 19 vulnerabilities in 2010 to 189 vulnerabilities in 2015. The most vulnerable ICS components were Human Machine Interfaces (HMI), Electric Devices and SCADA systems.

Kaspersky Lab’s analysis was based on OSINT (Open Source Intelligence) and information from public sources like ICS CERT. More on the Industrial Control Systems Threat Landscape survey – including recommendation for improving the security of industrial control systems – can be found in a post on Securelist.com blog here. ®