Original Researchers: Stephen Hilt, Numaan Huq, Vladimir Kropotov,Robert McArdle, Cedric Pernet, and Roel Reyes
New Trend Micro research revealed how exposed human machine interface (HMI) systems in thousands of critical water and energy organizations around the world could be exploited, causing significant real-world impacts, such as contaminating the water supply.
U.S. critical infrastructure dependency flow – Trend Micro
Exposed human machine interfaces
HMIs are a key part of Industrial Control Systems that allow human operators to interact with supervisory control and data acquisition (SCADA) environments. A large majority of the identified exposed systems are from smaller energy and water organizations that feed the major enterprise supply chain, which serves the general public. With access to an exposed HMI system, an attacker is not only able to see all the information about critical systems, but can also interact with and abuse these interfaces.
“Critical infrastructure is a national focal point for cybersecurity – and for cybercriminals, who can pinpoint and exploit the weakest link in these connected systems,” said Mark Nunnikhoven, VP of cloud research for Trend Micro. “That’s troubling, as Trend Micro Research continues to find critical devices, and the networks that they connect to, needlessly exposed. This exposure, combined with the record number of ICS vulnerabilities reported through the Zero Day Initiative this year, highlights a growing risk that extends into each of our communities.”
“The Trend Micro search results are not a representative sample – that they found medium-sized utilities’ HMIs exposed to the Internet at all suggests this is the tip of an iceberg.
Real-world impact to critical infrastructure
Attackers may soon turn their attention to exploiting these exposed systems due to an increase in new vulnerabilities found this year. Trend Micro’s Zero Day Initiative has published nearly 400 SCADA-related vulnerability advisories in 2018 so far – a 200 percent increase compared to the same time last year.
Based on a recent survey by Trend Micro, operational technologies like these have not typically been managed by IT or security teams. The ongoing confusion around who in an organization is responsible for securing connected devices often leaves them more at risk.
Breakdown of origin countries for non-critical and critical attacks from the SCADA honeypot research
To protect HMI systems against the risk of attack, security leaders must ensure the interfaces are properly secured if they must be connected to the internet. Likewise, there should be as much isolation as possible in place between these devices and the corporate network, which maintains operational needs while eliminating the risk of exposure and exploitation.
“If we hadn’t found the command and control malware in our SCADA environment, our toxic gases monitoring systems could have been compromised and may put human lives in danger,” said Ireneo Demanarig, chief information officer, CEITEC S.A. “Security must be at the core of our company.”