Integrated ICS features expose systems to attack risk
Some legitimate and embedded functions in industrial systems operating in the oil and gas, energy, refining, and chemical industries can expose systems to attack.
In most cases, attackers can take advantage of built-in specialized functions simply by changing configurations and settings. According to Mark Carrigan of PAS Global, attackers do not even need malware to carry out such attacks. Specialists studied about 10 thousand industrial systems in order to identify vulnerable functions.
As it turned out, many of these systems are outdated and have insecure built-in functions intended to simplify the work of engineers. Updating them is not easy, says Carrigan, and eliminating some of the weaknesses can lead to a malfunction in the system and the production process.
The specialists do not name the affected suppliers. They note that about 380 thousand known vulnerabilities were discovered across the 10 thousand industrial systems, most of them associated with Microsoft Windows. Among the discovered vulnerabilities are problems associated with the output, the HMI (human-machine interface), the use of embedded credentials for engineers, etc.
Detailed research results will be presented on January 21, 2020 at the S4x20 ICS Information Security Conference in Miami, USA.