Forescout: Security threats to exposed critical infrastructure go ignored

April 23, 2024
Many asset owners are likely unaware that OT/ICS systems contain potentially vulnerable devices exposed to the internet.

HANNOVER, Germany -- Internet exposure of Operational Technology (OT) and Industrial Control Systems (ICS) continues to be a critical infrastructure security issue despite decades of raising awareness, new regulations, and periodic government advisories. 

Forescout, a global cybersecurity leader, unveiled Better Safe Than Sorry, a seven-year analysis of internet-exposed OT/ICS data. The study was conducted by Forescout Research – Vedere Labs, a leading global team dedicated to uncovering vulnerabilities in and threats to critical infrastructure.

In the Better Safe Than Sorry report, Forescout researchers examine the realistic opportunities for a mass target attack of internet-exposed OT/ICS devices. These devices are fertile ground for abuse as attackers look no further than using basic rationale driven by current events, copycat behavior, or the emergencies found in new, off-the-shelf capabilities or readily available hacking guides to create chaos.

Forescout released Better Safe Than Sorry from HANNOVER MESSE, the world’s leading trade fair for industrial technology. Forescout researchers can discuss these findings in Hall 16, Booth: A12 in the IT & OT Circus, April 22-26.

“If these warnings sound familiar, it’s because they are. The looming potential for a mass target scenario is high,” said Elisa Costante, VP of Research at Forescout Research – Vedere Labs. “Forescout calls on vendors, service providers, and regulatory agencies to work collectively to prevent attacks on critical infrastructure that will spare no one.”

Top research highlights in the Better Safe Than Sorry report include:

  1. North America is making strides to close the gap, but there is still work to do around the world. The US and Canada significantly reduced the number of exposed devices during the study period by 47% in the US and 45% in Canada. The other top 10 countries increased the number of exposed devices:
    • Spain: 82%
    • Italy: 58%
    • France: 26%
    • Germany: 13%
    • Russia: 10%

  2. Proactive, targeted notification is urgently required. The Unitronics hacking incidents and a combination of regulatory alerts and media coverage led to a 48% reduction in internet exposed Unitronics PLCs within two months. Notably, the decline in Unitronics device exposure in Israel started in early as 2022, coinciding with the initial reports of attacks on these devices. Conversely, in the United States, the decrease only began towards the end of 2023, following more recent attacks.

  3. Robust risk management strategies are critical. Many internet-exposed OT devices and protocols stem from common system integrator practices, such as delivering pre-packaged units that act as black boxes to asset owners and inadvertently expose multiple systems to the internet. Most asset owners are unaware that these packaged units contain exposed OT devices. This underscores the need for a precise and detailed software and hardware bill of materials as a critical part of a comprehensive risk management approach.

  4. Nearly half of the reported ports remain vulnerable to attack. After incidents targeting Modicon and Wago PLCs, Forescout researchers reexamined these exposed devices one year after reporting some to CISA. Approximately half of the reported PLCs retained the same open ports without any alterations or protective measures. Thirty percent were no longer exposed to the internet, while the remaining 20% remained exposed, but had closed the OT port under scrutiny. Still, some FTP and web interfaces were occasionally left vulnerable.

Good news, there are now less than 1,000 exposed devices running Nucleus and approximately, 5,500 running NicheStack. This is a significant reduction after the exposure was revealed in the original Forescout research in Project Memoria.

"Time and again, we've seen the dire consequences of ignoring critical infrastructure threats,” adds Costante. “It's not a matter of if, but when, these vulnerabilities will be exploited. Let's heed the warnings and take proactive measures to safeguard our infrastructure before it's too late."

Many asset owners are likely unaware that OT/ICS systems contain potentially vulnerable devices exposed to the internet, once again highlighting the need for an accurate and granular software and hardware bill of materials as part of a comprehensive risk management strategy. Download the full report, Better Safe Than Sorry, now at https://forescout.com/resources/better-safe-than-sorry-proactively-identifying-at-risk-internet-exposed-otics/.