Thousands of critical energy and water systems accessible online for everyone


While you probably don't stop to think about the water or energy sector when you sip water or turn on the light, you would definitely notice if your electricity or water stopped working. You may not know why they stopped working in the first place, but with critical infrastructure connected online, it's not impossible that hackers remotely caused the outage. In fact, researchers found Human Machine Interface (HMI) systems at thousands of critical water and energy companies exposed to the internet, just waiting to be exploited; critical functions like starting or stopping a system can be accessed by anyone, from nation-state attackers to script kiddies.

Based on the 200 percent increase in SCADA-related vulnerabilities disclosed by Trend Micro’s Zero Day Initiative so far this year, there appears to be an increased interest in exploiting critical infrastructure connected to the Internet. Using OSINT, Shodan for scanning, and geostalking to map physical locations to IPs, Trend Micro’s forward-thinking threat researchers began investigating exposed industrial control systems (ICS) in the power and water industries. According to the company’s new report, Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries (pdf):

The HMIs we discovered were accessible via unauthenticated [virtual network computing] VNC server. A potential attacker can interact with these exposed HMIs using a VNC viewer. Shockingly, many of these exposed HMIs have critical functions such as start, stop, reset, alarm, parameter changes, etc. that are easily accessible to everyone. If an attacker accesses these exposed HMIs, they can cause serious system damage or cause outages.

As for the energy sector, all exposed oil and gas HMIs covered in the report, with the exception of one oil rig in the Middle East, were located in the US. Exposed HMIs from solar, wind and hydroelectric power plants were located in Germany, Spain, Sweden, the Czech Republic, Italy, France, Austria and South Korea. Exposed biogas HMIs were discovered in Germany, France, Italy and Greece. A hydroelectric power station in Italy was exposed via its surveillance cameras.

Vulnerable water supply HMIs of water treatment plants and industrial water plants have been discovered around the world. Because they are exposed to the public internet, hackers could potentially launch attacks to compromise drinking water supplies. For example, researchers discovered that the key HMI controls for a seawater-to-drinking water treatment plant were available online, as were the controls for a water heating plant.

Other potential attacks by remote hackers included DDoS, vulnerability exploitation, and lateral movement from the exposed ICS device to the core business network. Unlike the researchers, attackers will not stop at observing exposed and vulnerable systems. Trend Micro blogged about some of the real-world and supply chain implications.

Potential attackers include nation-state hackers, organized crime syndicates, cyberterrorists, competitors, hacktivists, script kiddies, and random hackers. Additionally, Trend Micro found threat actors on underground forums looking to acquire information about exposed devices and systems, as well as ICS/SCADA credentials. There have also been inquiries about cyberattacks against competitors, and vendors looking to profit from data stolen from industry targets.

“Critical infrastructure is a national hotspot for cybersecurity – and for cybercriminals who can locate and exploit the weakest link in these connected systems,” said Mark Nunnikhoven, Vice President of Cloud Research at Trend Micro. “This is worrying as Trend Micro Research continues to find that critical devices and the networks they connect to are unnecessarily exposed. This exposure, combined with the record number of ICS vulnerabilities reported by the Zero Day Initiative this year, underscores a growing risk that extends to every one of our communities.”

The new 70-page report includes defense and security strategies to better protect ICS, supply chain and HMI systems from attack risks.
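
As an added example (not taken from Trend Micro's report or from this article), operators can check whether a VNC server on one of their own HMIs offers the RFB "None" security type, which is the unauthenticated condition the report describes. The function names, the `ReplayStream` stand-in and the sample bytes are constructed for illustration; port 5900 is assumed as the usual VNC default.

```python
import io
import socket

SECURITY_NONE = 1  # RFB security type 1 means "no authentication"
SAMPLE_OPEN_HMI = b"RFB 003.008\n\x01\x01"  # constructed: server offering only "None"

class ReplayStream:
    """Constructed stand-in for a server: replays canned bytes, records writes."""
    def __init__(self, server_bytes):
        self._rx, self.sent = io.BytesIO(server_bytes), b""
    def read(self, n):
        return self._rx.read(n)
    def write(self, data):
        self.sent += data
    def flush(self):
        pass

def _read_exact(stream, n):
    data = stream.read(n)
    if data is None or len(data) != n:
        raise ValueError("short read during RFB handshake")
    return data

def offered_security_types(stream):
    """Perform the opening RFB handshake; return (version, offered types)."""
    banner = _read_exact(stream, 12)
    if not (banner.startswith(b"RFB ") and banner.endswith(b"\n")):
        raise ValueError("not an RFB (VNC) server")
    version = (int(banner[4:7]), int(banner[8:11]))
    if version >= (3, 7):
        # RFB 3.7+: server sends a count byte, then one byte per offered type.
        stream.write(b"RFB 003.008\n" if version >= (3, 8) else b"RFB 003.007\n")
        stream.flush()
        count = _read_exact(stream, 1)[0]
        types = list(_read_exact(stream, count))
    else:
        # RFB 3.3: server dictates a single type as a big-endian uint32.
        stream.write(b"RFB 003.003\n")
        stream.flush()
        chosen = int.from_bytes(_read_exact(stream, 4), "big")
        types = [chosen] if chosen else []
    return banner.decode("ascii").strip(), types

def audit_host(host, port=5900, timeout=3.0):
    """Check one host from your own asset inventory."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rwb") as stream:
            version, types = offered_security_types(stream)
    return {"host": host, "version": version, "unauthenticated": SECURITY_NONE in types}
```

A result with `unauthenticated` set to true means the server will grant a session without any credential, so that HMI should be moved behind a VPN or have VNC authentication enforced.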

Copyright © 2018 IDG Communications, Inc.

