Positive Technologies: 91% of Industrial Companies Open to Cyber-Attacks
September 2021 by Positive Technologies
Positive Technologies released new research that examines information security risks present in industrial companies, the second-most targeted sector by cybercriminals in 2020. Among key findings, an external attacker can penetrate the corporate network at 91% of industrial organizations, and Positive Technologies penetration testers gained access to the industrial control system (ICS) networks at 75% of these companies.
Attack vectors for accessing critical systems can be simple, and the potential damage severe. Once criminals have obtained access to ICS components, they can shut down entire productions, cause equipment to fail, and trigger chemical spills and even industrial accidents that could cause serious harm to industrial employees or even death.
Olga Zinenko, Senior Analyst at Positive Technologies, said: “Today, the level of cybersecurity at most industrial companies is too low for comfort. In most cases, Internet-accessible external network perimeters contain weak protection, device configurations contain flaws, and we find a low level of ICS network security and the use of dictionary passwords and outdated software versions present risks.”
The report notes that, once inside the internal network, attackers can steal user credentials and obtain full control over the infrastructure in 100% of cases, and at 69% of companies, they can steal sensitive data, including information about partners and company employees, email correspondence, and internal documentation. But most importantly, at 75% of industrial companies Positive Technologies specialists managed to gain access to the technological segment of the network, which allowed them to then access actual industrial control systems in 56% of cases. This shows that by gaining access to the ICS network, attackers can also access industrial process automation systems, which could lead to serious consequences, from disruption of work to human casualties.
Industrial companies attract criminals because of their size, the importance of business processes, and their impact on the world and people’s lives. According to the report, the main threats for industrial companies are espionage and financial losses. The main objective of information security specialists today is to assess the feasibility of various security risks in companies and identify possible consequences of cyberattacks, then build an efficient security system based on this knowledge. The problem is that management will never agree to any action taken within the infrastructure that could negatively affect technological processes; and rightly so.
More than any other industry, the protection of the industrial sector requires modeling of critical systems to test their parameters, verify the feasibility of business risks, and detect security vulnerabilities. But assessing the possibility of most unacceptable cyber incidents on real-world infrastructure is nearly impossible. Positive Technologies specialists recommend industrial companies leverage cyber-ranges to help analyze the cybersecurity of production systems, and enable infosecurity specialists to correctly verify the cyber events that are unacceptable to their business, evaluate their implications, and assess possible damage without disrupting real business processes.
For example, at The Standoff 2021, the Positive Technologies-hosted worldwide virtual cyber range that drew over 22,000 attendees, attacker teams were asked to trigger unacceptable events on the infrastructure of a gas distribution station. It took them only two days to disrupt the technological process of gas supply. Attackers managed to gain access to the control system of the gas station, halt the gas supply, and cause an explosion. In real life, a hacker attack on a gas distribution station may lead to human casualties, and result in the resignation of management, or lawsuits. Since information security experts cannot carry out attacks that disrupt or stop technological or business processes on real infrastructure, the feasibility of unacceptable cyber incidents such as this remains in question until these types of tests can be performed.