The global instability caused by the pandemic and the rise in remote working have helped increase the importance of ICS cybersecurity issues. Phishing attacks and spam campaigns in particular are becoming more and more common. Here is how to stop them.
According to a Claroty report, the number of vulnerabilities identified in Industrial Control System (ICS) products in 2020 increased 25% from 2019 and 33% from 2018. Hackers can use around 70% of these vulnerabilities to access systems remotely.
Hack the Capitol 4.0
On May 4, 2021, ICS Village hosted the Hack the Capitol 4.0 online event to educate a wide audience about some of the key cybersecurity challenges we are facing today. Moderator Sharon Brizinov, head of the vulnerability research team at Claroty, gave a detailed explanation of the ICS cyber kill chain, why hackers are trying to access ICS systems and how to stop them. Brizinov and his team identify weaknesses in ICS systems and report them to companies so that they can fix the problems before a hacker exploits them. “We’re trying to mimic the mindset of hackers so we can beat them at their own game,” he said.
Most cyber attacks are opportunistic, Brizinov said. “Attackers receive a huge database full of emails and passwords and then try to use the information in a variety of settings. If even 1% out of a million accounts are successful, it is an easy game for hackers. What is the most dangerous and critical thing about it? These hackers can use the emails and passwords for remote access.”
Why do hackers attack your ICS system?
Brizinov noted that hackers usually try to access ICS systems for political or financial reasons. In general, politically driven hacking attempts are related to cyber warfare between two nation states. “Maybe they want to infiltrate a particular factory to steal secrets or, for example, to implant cybersecurity wars like malware,” he said. Hackers who want to make money could exploit an ICS vulnerability in an automobile factory and demand a ransom in exchange for its removal.
Other specific motives for hacking an ICS system can include influencing a manufacturing process, retrieving sensitive data, reading a secret recipe, or changing a PLC configuration.
How hackers attack your ICS system
First of all, it is important to understand that there are different levels of hackers. Script kiddies, Brizinov explained, only know how to use tools other people have developed, and they are even more likely than the average hacker to act opportunistically. On the other hand, state-sponsored hackers carry out sophisticated cyber attacks and operations and are often backed by significant infrastructure. Whatever type of hacker is involved, hacking incidents can have frightening consequences.
Last year a hacker tried to poison the Oldsmar, Florida water supply. The first signs of trouble came when a worker at the water treatment plant noticed that the cursor on his computer screen seemed to move by itself, according to a Wired report. However, the employee was initially unconcerned as the team often used the TeamViewer remote access software for screen sharing. But later in the day he noticed the phenomenon again and saw the remote threat actor attempt to increase the sodium hydroxide in the water. Fortunately, the attempt was unsuccessful.
“Many OT networks are connected through a remote access solution, and a lot of people don’t understand how critical and insecure remote access tools can be,” said Brizinov. “If an attacker gets the username and password, that person can immediately infiltrate the OT network. This is a very dangerous reality for people to consider.”
Brizinov described the ICS cyber kill chain in terms of the following sequence of events: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives (see graphic).
To combat remote hacking, Brizinov recommends vigilance. “Pay close attention to how remote access is used in your factory. Who has the certificates? Is there a two-factor authentication?”
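One way to act on that vigilance is to look in remote-access logs for the opportunistic credential reuse described above. The following is an added example, not code from the article or from Claroty; the log format (timestamp, source IP, username, result), the thresholds and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp source_ip username result
SAMPLE_LOG = """\
2021-05-04T08:00:01 198.51.100.7 alice FAIL
2021-05-04T08:00:09 198.51.100.7 bob FAIL
2021-05-04T08:00:17 198.51.100.7 carol FAIL
2021-05-04T08:00:25 198.51.100.7 dave OK
2021-05-04T08:00:33 198.51.100.7 erin FAIL
2021-05-04T08:00:41 198.51.100.7 frank FAIL
2021-05-04T08:05:00 203.0.113.20 operator1 FAIL
2021-05-04T08:05:20 203.0.113.20 operator1 OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5):
    """Flag sources that try many distinct usernames within a sliding window.

    Returns {ip: {"distinct_users": peak, "compromised": [usernames]}}, where
    "compromised" lists accounts that source logged in to successfully.
    """
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, user, ok = parse(line)
            by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _, _) in enumerate(events):
            while ts - events[start][0] > window:  # drop events older than window
                start += 1
            peak = max(peak, len({u for _, u, _ in events[start:end + 1]}))
        if peak >= min_users:
            hits = sorted({u for _, u, ok in events if ok})
            alerts[ip] = {"distinct_users": peak, "compromised": hits}
    return alerts

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG.splitlines()))
```

A single user who mistypes a password once (the second source in the sample) is not flagged; any account listed under `compromised` should have its password reset and its sessions reviewed.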
What you can do to stop threat actors
ICS system administrators and operators are not at the mercy of these hackers. Brizinov outlined several practical steps anyone can take today to protect an ICS system from cyberattacks.
Apply the correct two-factor authentication: Instead of using a simple, one-step access system that only requires entering a username and password, add two-factor authentication as a second line of defense. Sometimes people use two-factor authentication via SMS or text message, but that’s not the best option. SMS was invented many years ago, so this method is usually less secure. “There have been many attacks in which text messages have been intercepted and forged,” noted Brizinov. Instead, administrators should use authentication apps that generate codes for two-factor authentication. These apps were invented recently and with security in mind. “It is very difficult for hackers to break this security method,” he said.
Do not reuse passwords: You might think that the email address you had in college has nothing to do with your current position, and that you could reuse its password because it is easy to remember, but password reuse is actually very dangerous. “Most of us were registered in one or the other database that leaked at some point,” said Brizinov. “It’s not our fault, but if we reuse these passwords, we risk creating a vulnerability that a hacker who saw these databases could exploit.” Instead, users should employ password managers that randomly generate passwords.
Use network segmentation: Another strategy is network segmentation. “Even if the hacker somehow got to a specific location on the network, if segmented correctly, the threat actor should not be able to access the other segments,” said Brizinov.
Let an expert check your system for vulnerabilities: Brizinov and his team recently found a critical vulnerability in the remote access solution from secure remote maintenance company Secomea. Since Claroty’s team and not a hacker discovered the weaknesses in the system, Secomea was able to fix the problems instead of dealing with a ransomware attack or something similar.
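The authenticator apps recommended in the two-factor authentication step above commonly implement time-based one-time passwords (TOTP, RFC 6238); that the article means TOTP is an assumption. This added example, not code from the article, shows why there is no message in transit to intercept: the code is derived locally from a shared secret and the clock, and the server-side check rejects replayed codes. The key is the RFC test key, not a real secret.

```python
import hashlib
import hmac
import struct
import time

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    now = time.time() if at is None else at
    return hotp(key, int(now) // step, digits)

def verify(key, submitted, at=None, step=30, digits=6, window=1, last_used=-1):
    """Server-side check. Returns the matching time step, or None.

    window   : steps of clock drift tolerated on either side
    last_used: highest step already accepted for this user; codes at or below
               it are refused, so an observed code cannot be replayed.
    """
    now = time.time() if at is None else at
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if counter < 0 or counter <= last_used:
            continue
        expected = hotp(key, counter, digits)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), str(submitted).encode()):
            return counter
    return None

# Test key from RFC 4226 / RFC 6238 (public test vector, not a real secret).
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(RFC_TEST_KEY)
    step_ok = verify(RFC_TEST_KEY, code)
    print("code accepted at step", step_ok)
    print("replay accepted:", verify(RFC_TEST_KEY, code, last_used=step_ok) is not None)
```

The caller stores the returned step as `last_used` for that user after each successful login.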
Finally, Brizinov repeated his most important advice: “Be vigilant. Don’t trust emails and passwords [as the only method of defense]. If you see something, let me know.”