Industrial control systems increasingly vulnerable to internet access

Industrial control systems increasingly vulnerable to internet access (A_Pobedimskiy via iStock)

The risks to industrial control systems (ICS) components posed by internet accessibility is growing every year, a new report has revealed. 

In its ICS Security: 2017 in Review study, Positive Technologies found the number of systems that can be accessed by advanced computer users via search engines is soaring, with 175,632 ICS components found to be internet accessible in 2017. 

Should such systems be compromised, it could lead to disruption to the workings of factories, transport systems, power plants and other important facilities, the report noted. As such, it means they are a potential weak spot for advanced economies and societies that may be targeted by cyber warfare. 

Among the countries most at risk are the US, Germany, France, China and Canada. 42 per cent of the 175,000 ICS components that could be accessed online were in the US. This tally of 64,287 was up from 50,795. In Germany, the second most at-risk country, the total had risen from 12,542 to 13,242. 

The proportion of internet-accessible ICS components that were network devices also rose, up from 5.06 per cent in 2016 to 12.86 per cent. This includes devices like Lantronix and Moxa interface converters.

To compound the situation, the number of vulnerabilities found in ICS components has also risen, up from 115 in 2016 to 197. Half of these were in the high risk or critical categories. 

Commenting on the findings, head of ICS Security at Positive Technologies Vladimir Nazarov said: “Despite numerous incidents, reports, and large-scale regulatory efforts, it is alarming that, overall, industrial systems aren’t more secure than they were ten years ago. Today, anyone can go on the internet and find vulnerable building systems, data centers, electrical substations, and manufacturing equipment.

"ICS attacks can mean much more than just blackouts or production delays – lives may be at stake."

He added that this means designer should build security systems into devices before they even begin "writing the first line of code".