Industrial control systems (ICSs) for more than 100,000 pieces of equipment are accessible from the public internet, new research claims. The systems belong to some of the world’s biggest organisations and include controls for critical national infrastructure, the report says.
The systems are used to manage technology in industrial settings and cover vital processes in power grids and water systems. The new research from security company Bitsight says that many of these systems are not adequately secured and can be accessed via a conventional web browser.
“Thousands of organisations are using ICSs directly reachable from the public internet, presenting a series of potential consequences of which private and public sector leaders should be aware,” the report says.
The vulnerabilities stem from a common problem with operational technology (OT) – the difficulty in patching such systems. “Many industrial systems – whether critical infrastructure or not – use old, hard-to-patch software but still play critical roles in societies and organisations, so patching downtime is costly or inflicts inconvenience or suffering on the population,” the Bitsight research says.
Shutting down a power grid or other pieces of critical infrastructure to fix such issues has far-reaching consequences, “typically greater in magnitude than those experienced from shutting down an IT environment”. OT systems are “therefore more complicated to secure and present unorthodox bottlenecks unlike those experienced on the IT front”, the report adds.
Bitsight found ICS problems in systems based in 96 different countries, with the four most badly affected areas being the US, Canada, Italy and the UK.
Regulation introduced to secure industrial control systems
Derek Vadala, chief risk officer at Bitsight, said: “While the number of exposed ICSs is trending downwards, the overall threat level remains too high.
“An attack on just one ICS device would be a potentially catastrophic event that could have far-reaching consequences.”
He added that “industrial control systems play a critical role in helping organisations avoid societal disruptions and the exposure of these devices is a serious matter.”
Critical infrastructure is a popular target for nation-state-backed hackers, and in May the UK, US and the other members of the Five Eyes security alliance warned of the threat posed by a Chinese hacking gang, Volt Typhoon, which is specifically targeting infrastructure.
Governments are trying to tackle this problem with legislation, and last year the UK government introduced new cybersecurity rules to protect national infrastructure by providing regulators with increased powers. It has also set cyber resilience targets for critical infrastructure providers with a 2025 compliance deadline.
In the meantime, Bitsight urges private companies to identify any industrial control systems deployed by their organisation and by partners in their supply chain, and to promptly assess the security of those systems. They should remove any exposed industrial control systems from the public internet and use safeguards such as firewalls to protect against unauthorised access to their networks. For the public sector, Bitsight says organisations should apply secure-by-design principles to develop safer technology.