ICS-CERT report finds more than 600 IT security weaknesses in US critical infrastructure

Water, energy and gas supply all vulnerable, warns ICS-CERT

The trend for connecting critical infrastructure to the internet has led to more than 600 IT security weaknesses being found in industrial control systems (ICS) in critical infrastructure in the US.

The security flaws affect infrastructure controlling water, energy and gas supplies, according to a new report from the US ICS-CERT.

The report covered 112 assessments carried out by ICS-CERT in 2015 on facilities across the US as part of the organisation's remit to "prevent, protect against, mitigate and respond to cyber and communications disruptions to critical infrastructure".

The assessments comprised 46 Design Architecture Reviews and 28 Network Architecture Verification and Validation checks carried out directly with critical infrastructure operators and owners.

A further 38 were Cyber Security Evaluation Tool tests that can include self-assessments by critical infrastructure operators. Data from these tests is not retained by ICS-CERT.

The inspections revealed a worryingly high 638 weaknesses, the most common of which was ‘boundary protection’, which ICS-CERT said could have serious consequences.

"Boundary protection effectively slows attack processes and facilitates detection, analysis and notification of unauthorised activity to support operational and incident response," said the report.

"[Without] strong protection, attackers can more easily penetrate the network boundary around critical assets, access valuable information and manipulate systems controlled by ICS."

Another major problem was ‘least functionality’, which covers the principle of reducing risk by giving employees only the systems access they require. ICS-CERT said that it found numerous problems concerning this control.

"Specific issues include insufficient use of whitelisting; employing insecure, outdated or otherwise vulnerable operating system services; and leaving communications ports accessible when not required for system operations," the report said.

"Shutting down all non-essential ports, services and applications reduces the attack surface of the ICS and improves the ability to monitor and provide analysis of essential communications traffic."
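The ‘least functionality’ check the report describes can be turned into a routine host audit. The example below is added here and is not code from ICS-CERT or the report: it parses listener lines in the layout of `ss -tlnp` output and flags any listening service that is not on an allowlist of what the process needs, separating cleartext legacy services (the "insecure, outdated" category) from other unexpected listeners. The sample lines, the allowlist entries (Modbus/TCP on 502, SSH on 22) and the process names are constructed assumptions.

```python
import re

# Added example, not code from the ICS-CERT report: a least-functionality
# check that compares an ICS host's listening sockets against an allowlist
# of the services the process actually needs. All sample data is constructed.
SAMPLE_LISTENERS = """\
LISTEN 0 128 0.0.0.0:502    0.0.0.0:* users:(("modbusd",pid=1201,fd=4))
LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=880,fd=3))
LISTEN 0 50  0.0.0.0:21     0.0.0.0:* users:(("vsftpd",pid=1402,fd=5))
LISTEN 0 128 [::]:23        [::]:*    users:(("telnetd",pid=1410,fd=3))
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("hmi-web",pid=1500,fd=6))
"""

# (port, process) pairs the hypothetical operation requires (assumed values).
ESSENTIAL = {(502, "modbusd"), (22, "sshd")}
# Cleartext legacy services: the "insecure, outdated" category in the report.
LEGACY_PORTS = {21: "ftp", 23: "telnet"}
# Matches the `ss -tlnp` line layout: state, queues, local address, peer, owner.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listener(line):  # -> (host, port, process) or None if unparsable
    m = LINE_RE.match(line)
    if not m:
        return None
    addr, proc = m.groups()
    host, port = addr.rsplit(":", 1)          # rsplit keeps IPv6 "[::]" intact
    return host.strip("[]"), int(port), proc


def audit_listeners(text, essential=ESSENTIAL, legacy=LEGACY_PORTS):
    findings = []                             # list of (port, process, verdict)
    for line in text.splitlines():
        parsed = parse_listener(line)
        if parsed is None:
            continue                          # skip headers / malformed lines
        host, port, proc = parsed
        if (port, proc) in essential:
            verdict = "allowed"
        elif port in legacy:
            verdict = "legacy-service"        # shut down and replace, per the report
        elif host in ("127.0.0.1", "::1"):
            verdict = "loopback-only"         # not network-reachable; lower priority
        else:
            verdict = "unexpected"            # not on the allowlist: disable or justify
        findings.append((port, proc, verdict))
    return findings


def needs_action(findings):  # findings that violate least functionality
    return [f for f in findings if f[2] in ("legacy-service", "unexpected")]
```

Running it against real `ss -tlnp` output requires only that the allowlist be populated from the operation's documented service inventory.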

The ICS report also identified new IT trends that pose a risk to critical infrastructure, including inadequate security controls for virtual machines and remote access tools, and the rise of bring-your-own-device policies.

"Use of BYODs to access personal email, web pages and social media applications is inherently high risk to ICS. This risk must be considered by the organisation, and appropriate measures, such as mobile device management systems, should be put into place to mitigate the risk to acceptable levels," said the report.

An increase in the use of cloud services by critical infrastructure owners and operators was also noted as being of concern.

"Organisations must ensure that the parts of any ICS architecture hosted externally have a level of security consistent with the criticality of the functions of the ICS operation," the report said.

"Organisations must also consider ICS operational information integrity, security and confidentiality, as well as the functional and operational details associated with recovery, event/incident management, failover, forensic support, monitoring and other operational sequences that require special support by the cloud-hosting service provider."

The assessments covered several sectors, as the diagram below shows, giving some insight into just how far-reaching the problems have become.

A report in 2015 warned that a cyber attack on the US power grid and related infrastructure could cost the country as much as $1tn in economic damage.

ICS-CERT explained that critical infrastructure organisations must do everything in their power to put strong security in place across their operations, given its importance to the nation.

"The protection of the nation's critical infrastructure is essential for ensuring public confidence and safeguarding safety, prosperity and well-being," the report concluded.

"Much of our critical infrastructure depends on automated control systems to manage industrial processes efficiently and securely, so it is essential that organisations conduct security assessments so that they can understand how best to secure this architecture against cyber threats."

David Emm, principal security researcher at security company Kaspersky Lab, told Computing that the findings of the report are worrying. "No one wants to have an assessment come back with flaws in it, just as when you go to the dentist you don't want to hear you need a filling," he said.

However, Emm noted that the rise in attackers looking at ICS environments will invariably mean that the number and types of flaws that can be exploited will increase.

"Since 2009 we've seen more systems being prodded and poked by attackers, so the numbers will start to go up," he said.

Nevertheless, with cyber attackers from Russia and China regularly believed to have accessed the core systems of major US businesses, the fact that so many flaws exist in ICS environments certainly poses concerns that attackers could infiltrate, or have already infiltrated, systems of vital national importance.