An analysis of industrial control systems (ICS) has shown that many products contain features and functions that have been designed with no security in mind, allowing malicious hackers to abuse them and potentially cause serious damage.
PAS, which provides industrial cybersecurity and operations management solutions, has analyzed data collected over the past year from over 10,000 industrial endpoints housed by organizations in the oil and gas, refining and chemicals, power generation, pulp and paper, and mining sectors.
The company’s researchers discovered that many of the industrial control systems used by these organizations are affected by design flaws and weaknesses that could be leveraged by malicious actors for a wide range of purposes, including to cause disruption and physical damage.
On the 10,000 industrial endpoints it has analyzed, PAS discovered a total of more than 380,000 known vulnerabilities, a majority impacting software made by Microsoft. However, the company found not only typical vulnerabilities that can be patched with a software or firmware update, but also weaknesses introduced by the existence of legitimate features and functionality that can be abused for malicious purposes.
These issues can impact various types of ICS, including human-machine interfaces (HMIs), programmable logic controllers (PLCs) and distributed control systems (DCS), and exploitation in most cases only requires network access or low/basic privileges.
An attacker does need to have an understanding of how the targeted system works in order to exploit these weaknesses. However, if they do know how a feature or function works, abusing it is an easy task, Mark Carrigan, chief operating officer at PAS, told SecurityWeek in an interview.
PAS has identified two types of issues: ubiquitous weaknesses, which affect a wide range of products, and unique weaknesses, which are specific to one product.
..Support the originator by clicking the read the rest link below.
