The rise of the Internet of Things (IoT) has ushered in a new niche of widespread security vulnerabilities. Apart from attacking obvious targets like consumer devices and smart home appliances, hackers can exploit this niche to target and remotely seize control of a wide range of critical public and private infrastructure. A large number of these potential targets are run by legacy Industrial Control Systems (ICS) that were designed without cybersecurity in mind and are thus extremely vulnerable to cyberattacks.
Our research found that despite growing investments in infrastructure security, many ICS panels for both public and private infrastructure in the US are still unprotected and easily accessible to hackers.
All of these control systems are left out in the open and easy for anyone to seize and manipulate. In the event of a coordinated cyberwarfare campaign, these control panels could be used by attackers to cause severe damage to private and public property, the environment, and public health and safety in the US.
Cybersecurity experts have been raising awareness of such issues for decades, yet the lack of tangible progress in industrial cybersecurity may come down to the reliance on off-the-shelf technology. According to Morey Haber, CTO and CISO at BeyondTrust, “the problem is not a lack of understanding of the situation, but rather the time, cost, process, and suitable replacements for legacy technology. With many control systems based on commercial off-the-shelf (COTS) technology, end-of-life scenarios and the lack of affordable extended support solutions renders environments paralyzed balancing budgets between replacing systems or paying for high price extended maintenance.”
About this research
By scanning IP blocks for open ports in the US IP address range as part of an internet mapping project, we found a number of unprotected and accessible Industrial Control Systems in the country.
What we discovered
Industry, institutions, and cybersecurity experts are all aware of the dangers associated with outdated ICS. But as our research shows, many ICS access points in the US, particularly in the water and energy sectors, are still vulnerable to attacks:
- By using search engines dedicated to scanning all open ports, or scanning the ports themselves, hackers can remotely take control of critical private and public US infrastructure
- Unprotected ICS access points mostly include the energy and water industries: offshore and onshore oil wells, as well as public and private water distribution and treatment systems
- These systems could be accessed by anyone – with no passwords at all
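The findings above come from port scanning and open-port search engines; the same exposure is visible from the other side, in an operator's own perimeter logs. The following is an added example, not code from the research write-up, showing how a defender can detect that an ICS service is reachable from the internet: it parses firewall connection logs, keeps only traffic to well-known ICS protocol ports, discards clients on the organization's internal ranges, and separates allowed connections (the system is reachable) from denied ones (someone is probing). The log line format, the internal address ranges, and the set of ports to watch are assumptions for this example; the port numbers themselves are the protocols' standard defaults, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Default ports of common ICS protocols (standard values; which ones to watch
# is an assumption made for this example).
ICS_PORTS = {
    (102, "tcp"): "S7comm (ISO-TSAP)",
    (502, "tcp"): "Modbus/TCP",
    (20000, "tcp"): "DNP3",
    (44818, "tcp"): "EtherNet/IP",
    (47808, "udp"): "BACnet/IP",
}

# Address ranges treated as "inside"; anything else counts as an internet source.
# RFC 1918 space here; replace with the ranges your own network actually uses.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical log line format (adapt the regex to your firewall's export):
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <tcp|udp> <ALLOW|DENY>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>tcp|udp)\s+(?P<action>ALLOW|DENY)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
        "action": m["action"],
    }


def is_internal(addr, internal_nets=INTERNAL_NETS):
    """True when the client address falls inside one of the internal ranges."""
    return any(addr in net for net in internal_nets)


def classify_ics_traffic(lines, internal_nets=INTERNAL_NETS):
    """Group ICS-port traffic from non-internal sources by destination service.

    Returns {(dst_ip, dport, proto): {"protocol", "allowed", "denied", "sources"}}.
    """
    stats = defaultdict(lambda: {"protocol": "", "allowed": 0, "denied": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        svc = (rec["dport"], rec["proto"])
        if svc not in ICS_PORTS or is_internal(rec["src"], internal_nets):
            continue  # not an ICS port, or an expected internal client
        entry = stats[(rec["dst"], rec["dport"], rec["proto"])]
        entry["protocol"] = ICS_PORTS[svc]
        entry["sources"].add(str(rec["src"]))
        entry["allowed" if rec["action"] == "ALLOW" else "denied"] += 1
    return dict(stats)


def exposed_services(lines, internal_nets=INTERNAL_NETS):
    """Only services where the firewall actually let an external client through.

    Denied hits mean the service is being probed; allowed hits mean it is reachable,
    which is the condition the research above found on water and oil control panels.
    """
    return {k: v for k, v in classify_ics_traffic(lines, internal_nets).items() if v["allowed"] > 0}


# Constructed sample lines (documentation-range addresses, made up for this example).
SAMPLE_LOG = """
2020-01-14T03:12:07Z 203.0.113.45:51122 -> 192.0.2.10:502 tcp ALLOW
2020-01-14T03:12:09Z 203.0.113.45:51123 -> 192.0.2.10:502 tcp ALLOW
2020-01-14T03:15:41Z 10.20.0.5:40001 -> 192.0.2.10:502 tcp ALLOW
2020-01-14T03:20:02Z 198.51.100.7:60010 -> 192.0.2.11:20000 tcp DENY
2020-01-14T03:22:15Z 198.51.100.9:60011 -> 192.0.2.12:44818 tcp ALLOW
2020-01-14T03:30:00Z 203.0.113.45:51200 -> 192.0.2.10:8080 tcp ALLOW
""".strip().splitlines()

if __name__ == "__main__":
    for (dst, port, proto), info in sorted(exposed_services(SAMPLE_LOG).items()):
        print(f"EXPOSED {info['protocol']} at {dst}:{port}/{proto} - "
              f"{info['allowed']} allowed connection(s) from {sorted(info['sources'])}")
```

On the sample data this reports the Modbus/TCP service at 192.0.2.10 and the EtherNet/IP service at 192.0.2.12 as reachable from outside, ignores the internal client and the non-ICS port 8080, and keeps the denied DNP3 probe in the full classification but out of the exposed list. The same split is a useful alert policy: any allowed external hit on an ICS port is a finding to act on, while a stream of denied hits is reconnaissance worth tracking.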
What follows is a set of real examples of unprotected and vulnerable Industrial Control Systems that have been left completely in the open for anyone to seize control of. Open access to these systems has now been disabled – after we contacted CISA, CERT, and their public and private owners.
Onshore oil wells
By accessing exposed onshore oil well ICS, we could take control of multiple oil silos and cause damage to the US energy supply by silencing alarms, opening and closing discharge gates, adjusting freefall setpoints, and more.
Coastal oil wells
Unprotected offshore oil well control systems gave a single access point to as many as five coastal oil wells. This is incredibly dangerous, as offshore oil rigs are particularly vulnerable to attacks “as they shift to unmanned robot platforms where vital operations […] are controlled via wireless links to onshore facilities.”
This means that in the event of a hostile takeover, there’s a likelihood that no human employees would be present to manually override the attackers’ commands.
Public water distribution system
We found an unprotected public water distribution system that would allow us to shut off the water supply for more than 600 people, causing a targeted water outage for an entire town that threat actors could potentially synchronize with arson attacks.
Public water treatment facilities
We discovered multiple water treatment facilities left out for anyone to access, allowing us to interfere with sanitization processes and potentially make drinking water unsafe to consume for more than seven thousand people in total.
A public sewer pump station
An exposed control panel allowed us to seize manual control of a sewer pump station in a town of more than 18,000 residents and potentially damage an entire town’s sewer system by adjusting sewage flow speeds or shutting the system altogether.
Significance of the discovery
Virtually anyone with a specific skill set and a special interest can cause harm to critical US infrastructure. From silencing alarms on oil wells, to infecting the water supply by shutting down disinfectant production, to causing town-wide or farm-wide water outages, such attacks could physically affect thousands of people.
In the face of a major geopolitical conflict, these systems can be used by state-sponsored actors to cause untold amounts of damage in the US – to the civilian population, the local economies, and the environment. Several countries are major players in attacking (or supporting cyberattacks on) US targets – Iran, China, and Russia (with Russia being the source of the most sophisticated cyber intrusions).
Gabriela Ariza, a cybersecurity specialist working with the US government through Motorola Solutions, believes that we already live in a digital “cold war era” as critical state infrastructure already fully depends on online systems and computers. According to Ariza, the US electric grid is “split in three parts and the moment a hacker sabotages this system, the West Coast would not be able to communicate with the East Coast. Our transportation system can come to a halt, which would make our day-to-day activities that require electricity and internet no longer possible. The longer the attackers can keep the systems down, the more control they have to attack.”
On the other hand, Corey Nachreiner, CTO of WatchGuard Technologies, believes that even though attacks on American ICS systems are possible, it doesn’t mean that such cyberattacks would be practical or likely. Nachreiner predicts that ICS systems will be a target in modern warfare, but asserts that “an attack on an ICS system will essentially be a statement of war, and such attacks would receive a kinetic response. It is possible, but we hope and believe that state-actors will reserve such actions for only the worst conflicts.”
In the event of a conflict – however unlikely – domestic critical infrastructure would be on the front line of cyberwarfare against the US. In light of this, an up-to-date approach to the cybersecurity of critical US infrastructure should be a national security priority. While most American institutions and companies are well aware of the ever-growing threats from hostile actors, there seems to be a lack of urgency and will to enforce adequate protection in all industrial control systems at the moment.
What now and what’s next?
As numerous American ICS systems remain exposed to cyberattacks, security experts, academics, and legislators continue to collaborate on finding more effective ways to improve critical infrastructure security before it’s too late.
Nir Kshetri, Professor at the University of North Carolina-Greensboro and a research fellow at Kobe University, argues that there are multiple possible ways forward. “One possibility would be to use an ‘analog’ approach, which involves taking the grid offline. Another approach is to break up the operation into many components like the system in California. The operators can isolate areas readily in order to control the system. It makes it difficult to take the grid down,” says Prof. Kshetri.
He adds that effective institutional measures to protect critical US infrastructure are already being put in place, such as the North American Electric Reliability Corporation critical infrastructure protection (NERC CIP) plan. According to Prof. Kshetri, NERC CIP “aims to improve the North American power system’s security through a range of efforts such as standards development, compliance enforcement, and assessments of risk and preparedness. Additional efforts undertaken include the dissemination of critical information and the creation of awareness regarding key cybersecurity issues. Penalties for non-compliance include fines, sanctions, or other actions.”
However, even institutional willingness to bolster ICS security may not necessarily make it a straightforward affair. Trevor Daughney, VP of Product Marketing at Exabeam, argues that legacy ICS systems are using operating systems so outdated that it can make them too dangerous to patch or update. According to Daughney, “even a vulnerability scan has been known to break a PLC or void a warranty — there is a delicate balance between system design and the often understaffed team needed to protect it. And this is likely exacerbated by the current climate. The fact is these systems were never designed with security in mind, they were designed simply to work. To help secure and run these systems, plants then try to fill the staffing and expertise gap by relying on third-party partners, thereby increasing the risk.”
Jason Ortiz, Senior Product Engineer at Pondurance, adds that “there is always a new security tool to consider but tools alone will not suffice. Humans and monitoring have to be part of the solution and that solution is a continual process of security. It is a cultural and technological cycle, not a one-time solution. I don’t think I would ever say we couldn’t benefit from more training and more collaboration. Both of those need to be part of the security culture of infrastructure and ICS vendors.”
We notified CISA and CERT about the above vulnerabilities and contacted the public and private owners of these industrial control systems in January 2020. Open access to these systems has since been disabled.