When one thinks of Critical Infrastructures, many probably think of offshore oil rigs, dams or power plants. Many also assume that, because they are essential to the daily delivery of energy and other essential services, they are among the best-protected infrastructures, both from a physical and a logical point of view. But that is not always the case.

SERVITECNO'S COMPLETE PROPOSAL FOR INDUSTRIAL CYBER SECURITY

Today many Critical Infrastructure installations are managed by control systems that rely on legacy networks which have long been separated from IT networks. Now, due to the growing demand for connectivity and the need to work remotely, these legacy networks, which are often more than 25 years old, are increasingly being connected to the rest of the world. It follows that the infrastructure is now open to a number of new vulnerabilities and can be exposed to accidents and cyber attacks.

The international security company A&O IT Group again this year monitored and analysed, through the Shodan platform, the ICS and SCADA devices connected to the internet, and once again found a series of unsecured SCADA devices worldwide, including in countries like the US, Canada, the UK, France and Germany (and Italy too!). And the number seems to be increasing. For example, a search in January 2020 had shown that there were 20,000 unprotected devices connected to the internet, while a more recent analysis in December 2020 showed that the number had more than doubled, to over 43,000.

One of the theories for this increase (as with many increases in threats this year, as also reported in the Clusit 2020 reports) is that it could be a consequence of the need to make control systems available for remote management precisely because of the covid-19 pandemic. Of course we know that malicious attackers are also opportunists, and if there are vulnerabilities to be found, they will find them.

Want to know more about how to protect your OT network from cyber risk?
Check our offer to better protect your plants!
CLICK HERE

Let's talk about SCADA security

As we have seen, the increase also affects the number of IoT/SCADA devices connected to the public internet without adequate security measures, i.e. open to potential accidents, attacks and hacking attempts.

Over time we have seen a number of high-profile incidents involving SCADA systems that have made TV and newspaper headlines; these are just the tip of the iceberg, since most industrial devices and protocols are still not adequately secured. Of course, many are working so that all users of protocols such as Modbus and S7 can improve their security posture, but many companies still do not consider it important enough to adequately protect plants in industry and utilities from cyber risk.

Precisely because legacy OT networks are now increasingly connected to IT networks, the information security of Critical Infrastructure is now in crisis. An early mistake we see security teams making is assuming they can implement Operational Technology (OT) security simply by "extending" their existing IT security strategy. Unfortunately it is rarely that simple, nor that effective.

However, there are a number of security concepts that OT Security teams can adopt to protect themselves from those with malicious intent.

Three tips for OT Cyber Security
  1. Visibility. To start protecting an entire infrastructure and avoid falling victim to incidents and attacks through unknown vulnerable devices, organizations need a clear view of all the resources connected to the network, especially the OT devices. Do not underestimate the importance of mapping the network and keeping an updated, real-time list of active resources and also "dormant" ones.
  2. Segment and segregate: separate but connected networks. Having an adequate and secure infrastructure is the first step and will do wonders for a company's security posture. Organizations should design the network so as to isolate OT devices from the general corporate IT network, for example by providing a second firewall (or even a data "diode") with specific rules for devices connected to the OT network. The idea is to have the networks "separate, but connected together", rather than one big network. Here too, continuous monitoring of the security of the network and the environment with specific tools for visibility and "anomaly detection" is essential.
  3. Continuous improvement. For all organizations it will always be necessary to monitor and then update and improve the network. This includes firmware patches applied to firewalls and switches after testing; strong internal controls should also be applied to limit untrusted traffic; and network managers should always follow the rule of least privilege for both devices and users.
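The three tips above (asset visibility, IT/OT segmentation with monitoring, and limiting untrusted traffic) can be turned into concrete checks. The following is an added example, not code from the original post or from ServiTecno: it takes a constructed OT asset inventory and a constructed flow log (the kind of data a passive monitoring tap or firewall log would produce) and reports unknown hosts on the OT network, inventoried assets that have gone quiet, and flows that cross the IT/OT boundary without being on the allow-list. The subnets, addresses, asset names and the allow-list are all assumptions made for the example.

```python
"""Reconcile an OT asset inventory against observed traffic and check
a simple IT/OT segmentation policy. Added example; all data is constructed."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed network zones (constructed for this example).
OT_NET = ip_network("10.20.0.0/24")
IT_NET = ip_network("192.168.1.0/24")

# Constructed inventory: what the OT team believes is on the OT network.
APPROVED_ASSETS = {
    "10.20.0.10": "PLC line 1 (Modbus/TCP)",
    "10.20.0.11": "PLC line 2 (S7comm)",
    "10.20.0.50": "HMI station",
    "10.20.0.60": "Historian",
    "10.20.0.61": "Engineering workstation",
}

# Constructed segmentation policy: the only (src, dst, port) flows allowed
# to cross the IT/OT boundary, e.g. the historian pushing data to IT over TLS.
ALLOWED_CROSS_BOUNDARY = {("10.20.0.60", "192.168.1.200", 443)}

# Constructed flow log: (timestamp, src, dst, dst_port), as seen on a SPAN port.
FLOWS = [
    ("2020-12-01T08:00:00", "10.20.0.50", "10.20.0.10", 502),
    ("2020-12-01T08:00:05", "10.20.0.50", "10.20.0.11", 102),
    ("2020-12-01T08:01:00", "10.20.0.77", "10.20.0.10", 502),    # host not in inventory talking Modbus
    ("2020-12-01T08:02:00", "192.168.1.23", "10.20.0.10", 502),  # IT workstation reaching a PLC
    ("2020-12-01T08:03:00", "10.20.0.60", "192.168.1.200", 443), # allowed historian export
]


def zone(ip):
    """Map an address to the zone it belongs to."""
    addr = ip_address(ip)
    if addr in OT_NET:
        return "OT"
    if addr in IT_NET:
        return "IT"
    return "other"


def parse_flows(raw):
    """Turn the raw log tuples into (datetime, src, dst, port)."""
    return [(datetime.fromisoformat(ts), src, dst, port) for ts, src, dst, port in raw]


def unknown_ot_hosts(flows, approved):
    """Tip 1 (visibility): OT-zone addresses seen on the wire but absent from the inventory."""
    seen = set()
    for _, src, dst, _ in flows:
        for ip in (src, dst):
            if zone(ip) == "OT" and ip not in approved:
                seen.add(ip)
    return sorted(seen)


def dormant_assets(flows, approved, now, max_idle):
    """Tip 1 (visibility): inventoried assets never seen, or not seen within max_idle."""
    last_seen = {}
    for ts, src, dst, _ in flows:
        for ip in (src, dst):
            if ip in approved:
                last_seen[ip] = max(ts, last_seen.get(ip, ts))
    return sorted(ip for ip in approved
                  if ip not in last_seen or now - last_seen[ip] > max_idle)


def boundary_violations(flows, allowed):
    """Tips 2 and 3 (segmentation, untrusted traffic): flows crossing zones
    that are not explicitly allowed by the segmentation policy."""
    return [(src, dst, port) for _, src, dst, port in flows
            if zone(src) != zone(dst) and (src, dst, port) not in allowed]


def report(raw_flows=FLOWS, now=datetime(2020, 12, 1, 8, 30)):
    """Run all three checks over a flow log and return the findings."""
    flows = parse_flows(raw_flows)
    return {
        "unknown_ot_hosts": unknown_ot_hosts(flows, APPROVED_ASSETS),
        "dormant_assets": dormant_assets(flows, APPROVED_ASSETS, now, timedelta(hours=1)),
        "boundary_violations": boundary_violations(flows, ALLOWED_CROSS_BOUNDARY),
    }


if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{name}: {findings}")
```

On the constructed log this flags 10.20.0.77 as an uninventoried host speaking Modbus, the engineering workstation 10.20.0.61 as dormant, and the IT workstation's connection to the PLC on port 502 as a boundary violation. In practice the inventory would be fed from the real asset list and the flow log from a firewall or passive monitoring tool, and each finding would become an alert to triage rather than a printed line.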
