Thousands of organizations around the world are using industrial control systems (ICS) exposed to the public internet, new analysis from Bitsight has found.
The firm discovered nearly 100,000 directly exposed ICS across its inventory of global organizations, including Fortune 1000 businesses.
This internet exposure makes it easier for threat actors to infiltrate and control physical critical infrastructure including power grids, traffic light systems, security systems and water systems, the report said. For example, if a targeted device is password-protected, the attacker can attempt to brute-force their way in rather than having to conduct a sophisticated network attack.
Having such systems exposed to the internet has been highlighted as a significant cyber risk by the Cybersecurity and Infrastructure Security Agency (CISA).
Critical Infrastructure a Major Target for Cyber-Attacks
The report noted that physical critical infrastructure has become a major target for attackers, including nation-state actors. In September 2023, it was revealed that a China-linked group compromised multiple computers used to run a national power grid in an unnamed Asian country.
Security researchers have also highlighted the ongoing targeting of energy networks in Ukraine by Russian-linked attackers.
Attacks on these systems can have especially severe consequences beyond data and IP compromise, such as critical services not running and threats to human safety.
ICS operate range of physical systems, affecting many sectors. These include controlling building management systems that operate technology like elevators, escalators and fire and safety.
The sectors with the highest number of ICS were education, technology and government/politics, according to Bitsight.
Encouragingly, the researchers observed a decline in the number of ICS exposed to the public internet from 2019 to June 2023. This suggests organizations recognize the dangers and are taking steps to switch to other technologies or removing previously exposed ICS from the public internet.
How to Secure Exposed ICS
The Bitsight report set out a number of actions for organizations, including ICS manufacturers, to protect against the risks of physical systems being exposed to the internet.
Organizations:
- Identify and assess any ICS deployed internally and by third party suppliers
- Remove any ICS from the public internet
- Employ safeguards to protect against unauthorized access to ICS
Manufacturers:
- Ensure device security is improved prior to deployment using secure-by-design principles
- Leverage data and insights to improve the security posture of deployed equipment and machinery
- Build programs to accurately and swiftly detect misconfigured or otherwise exposed systems