Critical infrastructure at risk: researchers identify over 43,000 unprotected SCADA devices
December 2020
According to research from A&O IT Group, the number of IoT/SCADA devices connected to the public internet without appropriate security measures in place is increasing, leaving these critical devices open to attack. Despite a number of high-profile attacks on SCADA systems, the majority of devices and protocols are still not robustly protected. Some, particularly Modbus and S7, are being taken more seriously from a security perspective than the rest.
“Since our last investigation in January 2020, the number of unprotected SCADA devices has increased, highlighting a gap between the connectivity of these devices and security,” said Hodei Lopez, security consultant at A&O IT Group.
The increase seems to be linear across all protocols, and one theory is that this could be a consequence of making systems available to a remote workforce due to the COVID-19 pandemic.
This research, which A&O IT Group compiled by searching Shodan for devices reachable directly from the public internet, focussed on six groups of SCADA devices. The total came to 43,546 unprotected devices: Tridium (15,706); BACnet (12,648); EtherNet/IP (7,237); Modbus (5,958); S7 (1,480); DNP3 (517). “We’ve recently seen a rise in the number of IoT/SCADA devices connected to the internet, but there is a real mixture when it comes to their security. Some users of protocols such as Modbus and S7 are demonstrating improvements in their security posture, but others are not seeming to consider security at all,” explains Hodei Lopez, security consultant at A&O IT Group. “Modbus and S7 are extremely mature technologies that have spent a long time in the public eye, therefore they’re more scrutinised and tend to be seen as more targetable than others such as Tridium and BACnet, which leads to the former two being more protected and isolated than the latter, as reflected in our findings.”
Through their research, the A&O IT Group team found that the United States has the largest exposed attack surface, with a total of 25,523 unprotected devices, and the highest number of unprotected Modbus (1,445), Tridium (10,483), DNP3 (294), BACnet (8,146) and EtherNet/IP (4,843) devices. The only group of the six investigated where the US does not lead is S7, where it is a close second with 312 devices against Germany’s 321. Furthermore, many of the S7 devices in the US are Conpot honeypots, which suggests a higher level of alertness among US operators. Honeypots answer scans exactly like real controllers, so they inflate raw exposure counts; anyone reproducing this kind of Shodan survey should filter likely honeypots before treating a figure as real attack surface. The finding is consistent with the joint advisory from CISA and the NSA released in July of this year, which warned that internet-accessible OT assets are increasingly being targeted and urged operators to reduce their exposure. Others high up the list of the top ten countries with unprotected devices include Canada and a number of European countries such as Spain, Germany, France and the United Kingdom. The majority of the devices found in the UK are Tridium devices, of which there are 583.
“Critical infrastructure runs on legacy networks which previously were air gapped by being kept separate from the IT network. Now, due to an increasing demand for connectivity and the ability to work remotely, these legacy networks, which are often 25+ years old, are becoming connected. As a result, this infrastructure, which essentially runs the world, has been opened up to a number of vulnerabilities and other security issues, leaving it open to cyber attack.
“Due to these previously stand-alone legacy networks now being connected to IT networks, cyber security for critical infrastructure is vital but somewhat lagging, and the first mistake security teams make is assuming that they can implement operational technology (OT) security by cloning their existing IT security strategy, but this is simply not the case,” says Hodei Lopez, security consultant at A&O IT Group. “However, there is a lot organisations in industries such as manufacturing, production and energy can do to protect themselves, starting with visibility. In order to secure their entire infrastructure, it’s vital that organisations have a clear view of all of their assets connected to the network. Without this, vulnerabilities will be missed and provide an attacker with a clear path into the network,” concludes Hodei Lopez.
What else can organisations do to protect themselves? Firstly, as mentioned, visibility is key: security teams need to know what assets are on their network so that they are not compromised through a vulnerable device nobody knew was there. The importance of mapping the network and maintaining a constantly updated, live inventory of both active and dormant assets should not be underestimated.
Secondly, the importance of a properly segmented infrastructure cannot be overstated. OT devices should be isolated from the company’s general IT network, usually behind a second firewall with an OT DMZ in between, so that no host on the IT side has a direct path to a controller. The idea is that the networks are “separate but together”, not just one big network. Continuous security monitoring of the network and environment is also critical: on a well-segmented OT network, a Modbus write or an S7 session from a host that is not an HMI or engineering station is a high-fidelity alert, not background noise. Finally, the networks need continuous improvement. Firmware patches should be applied to firewalls and switches as soon as possible after testing, with perimeter devices (such as firewalls or machines exposed to the internet) as the priority. Strong internal controls should restrict traffic that is not explicitly trusted, and networks should always follow the rule of least privilege, not only for devices but for users as well.
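The monitoring and least-privilege controls described above can be turned into a concrete detection rule. The following is an added example written for this page, not code from A&O IT Group or from the research: it parses the MBAP header and function code of Modbus/TCP requests and raises an alert when a write-class function arrives from a host that is not on the write allow-list, or when any Modbus request arrives from outside the OT subnet. The subnet 10.20.0.0/24, the HMI at 10.20.0.10, the PLC at 10.20.0.101 and all of the sample frames are constructed for the example.

```python
"""Modbus/TCP request inspector: a constructed example of the "continuous
monitoring" and "least privilege for devices" controls discussed above.
Not code from A&O IT Group; addresses, allow-list and traffic are assumptions.
"""
import struct
from ipaddress import ip_address, ip_network

# Function codes that change PLC state. Alerting on these, rather than on
# reads, is the assumption behind the write allow-list below.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    8: "Diagnostics",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}

# Hypothetical zone layout: one OT subnet, one HMI allowed to write to PLCs.
OT_SUBNET = ip_network("10.20.0.0/24")
WRITERS_ALLOWED = {ip_address("10.20.0.10")}
MODBUS_PORT = 502


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header plus function code of a Modbus/TCP frame.

    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    The length field counts unit id + function code + data, i.e. every byte
    after the first six; a mismatch is treated as a malformed frame.
    """
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} but {len(payload) - 6} bytes follow")
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}


def describe_write(function: int, data: bytes) -> str:
    """Human-readable target of a write request, for the alert text."""
    if function == 8 and len(data) >= 2:
        return f"sub-function {struct.unpack('>H', data[:2])[0]}"
    if len(data) < 4:
        return "truncated request data"
    first, second = struct.unpack(">HH", data[:4])
    if function in (5, 6):
        return f"address {first} value {second:#06x}"
    return f"start {first} count {second}"  # 15, 16, 23


def inspect_request(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> list:
    """Return a list of alert strings for one request; an empty list means allowed."""
    if dst_port != MODBUS_PORT:
        return []
    src = ip_address(src_ip)
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [f"malformed Modbus frame from {src_ip}: {exc}"]
    alerts = []
    fc = req["function"]
    if src not in OT_SUBNET:
        alerts.append(f"Modbus request from outside OT zone: {src_ip} -> {dst_ip} fc={fc}")
    if fc in WRITE_FUNCTIONS and src not in WRITERS_ALLOWED:
        alerts.append(
            f"unauthorised {WRITE_FUNCTIONS[fc]} (fc={fc}) from {src_ip} to {dst_ip} "
            f"unit {req['unit']}: {describe_write(fc, req['data'])}"
        )
    return alerts


def build_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Build a well-formed Modbus/TCP request frame (used to construct samples)."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([function]) + data


# Constructed traffic: (src, dst, dst_port, payload). 10.20.0.101 is the PLC.
SAMPLE_TRAFFIC = [
    ("10.20.0.10", "10.20.0.101", 502, build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),    # HMI read
    ("10.20.0.10", "10.20.0.101", 502, build_frame(2, 1, 6, struct.pack(">HH", 16, 255))),  # HMI write, allowed
    ("10.20.0.55", "10.20.0.101", 502, build_frame(3, 1, 6, struct.pack(">HH", 16, 0))),    # unlisted host writes
    ("203.0.113.7", "10.20.0.101", 502,
     build_frame(4, 1, 16, struct.pack(">HHB", 16, 2, 4) + b"\x00\x01\x00\x02")),          # write from internet
    ("10.20.0.55", "10.20.0.101", 502, b"\x00\x05\x00\x00\x00\x06\x01\x03"),                # truncated frame
]


def analyse(traffic=SAMPLE_TRAFFIC) -> list:
    """Inspect every request and return the per-request alert lists."""
    return [inspect_request(*pkt) for pkt in traffic]


if __name__ == "__main__":
    for (src, dst, _, _), alerts in zip(SAMPLE_TRAFFIC, analyse()):
        print(f"{src} -> {dst}: {'ok' if not alerts else '; '.join(alerts)}")
```

The same allow-list is what the OT firewall between the IT and OT zones should enforce: only the HMI and engineering stations may open TCP/502 (and TCP/102 for S7) to controllers, and nothing outside the OT subnet may reach them at all. The detector then catches what slips past the firewall or originates inside the zone, which is exactly the traffic a flat, internet-reachable network would never see as anomalous.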