Our new Biannual ICS Risk & Vulnerability Report is the most up-to-date look at CVEs disclosed in OT devices.
Check it out!
Internet-Facing ICS Devices an Accessible Target for Adversaries
By Amir Preminger, VP Research | May 27, 2020
Over the past decade, we have seen a proliferation of internet-connected industrial control systems (ICS) devices as part of the broader trend of digital transformation. All too often, however, ICS devices connected to the internet are not protected by sufficiently strong passwords (if any) or any other security controls, making them a low-hanging fruit to low-skill threat actors.
These actors also have multiple legitimate, internet-scanning public services—such as Shodan.io and Cenys.io—at their disposal to help them find web-based human-machine interfaces (HMIs) and similar ICS devices inadvertently exposed to the internet. If a targeted device is password-protected, a threat actor can attempt to brute force their way in. However, in many cases, these ICS devices are not password-protected at all, granting adversaries immediate, unfettered access.
For HMIs and other ICS devices on Level 2 (Process Network) of the Purdue Model, any direct connection to the internet (Level 5) is inherently problematic, as it provides threat actors with a fast track to accessing ICS physical processes at Level 0. A fundamental challenge related to the security of ICS devices is the price and complexity of establishing a secure remote connection to certain devices, especially those located in remote locations where the adherence to the classic Purdue Model is not feasible.
Claroty researchers identified a timely example of how publicly accessible ICS devices can spell trouble for critical infrastructure operators this past Monday, May 25, when a group of Palestinian hackers who call themselves the Jerusalem Electronic Army published a series of social media posts in which they claim to have compromised control systems related to Israel’s water infrastructure.
Image 1: Jerusalem Economic Army claims to have compromised control systems for Israeli water supply.
Group members claim the attack is part of an ongoing second wave of targeted cyber attacks against Israel. These claims appear to be substantiated by multiple screenshots showing access to a web-based HMI for monitoring thermal water processes, including information related to water pressure, temperature, and the location of the monitored device (see image below).
Image 2: Social media post sharing multiple screenshots that appear to show access to a web-based HMI for monitoring thermal water processes. Direct Google translation: “A cyber hack for the second time the Israeli water system and controlling the thermal system !!! #Jointed units # Cyber_unit”
Based on information provided by the Israeli CERT, Claroty researchers surmise the ICS device shown in the published screenshots was not password protected, thus allowing the adversary group to access it simply by finding it.For attention-seeking adversaries with limited capabilities, accessing internet-facing ICS devices it can be an easy, non-technical way to get attention and claim victory without carrying out an actual cyber attack. In this recent case, the group’s access to an ICS device for the Israeli water supply simply allowed them to monitor processes, and thus had no operational impact. That being said, depending on the functionality of the device they can access, it is possible for an adversary to cause significant disruption and harm.
Beyond exemplifying how internet-facing HMIs are an easy target for adversaries, the Jerusalem Electronic Army’s recent interest in Israel’s critical water infrastructure reflects increased interest and buzz around attacks targeting critical infrastructure in general, particularly with respect to nation states. Until very recently, the group’s activities had been limited to weak attempts to deface Israeli government websites. The majority of these devices are not only exposed to the internet, but also to dedicated ICS protocols, such as Modbus, EthernetIP, and others. These protocols have a larger potential impact on ICS processes, and only require a small amount of user education to leverage.
This sudden shift to OT was likely inspired by Iran’s recent attempt at a cyberattack against an Israeli water facility, which sparked headlines and renewed tensions related to potential cyber warfare between the two nation states. While security issues related to internet-connected ICS devices is nothing new, the increased awareness of critical infrastructure as a highly visible and easily sensationalized target has drastically increased the appeal of ICS targets among threat actors keen on generating shock value.
The exposed ICS device related to Israel’s water supply has since been removed from the internet, vast quantities of ICS devices connected to the internet remain unprotected. At a bare minimum, Claroty strongly advises ICS operators to comply with Israel CERT’s recommendations related to threats targeting critical infrastructure. In addition, OT security teams should ensure all internet-connected devices are password-protected, and whenever possible, adhere to ICS security best practices and implement secure access using mechanisms such as VPNs, encryption, and access control lists.
For questions and inquiries related to this blog post, please feel free to contact us.