Trend Micro Incorporated, a global leader in cybersecurity solutions, today published research revealing how exposed human machine interface (HMI) systems in thousands of critical water and energy organizations around the world could be exploited, causing significant real-world impacts, such as contaminating the water supply.
HMIs are a key part of industrial IT systems that allow human operators to interact with supervisory control and data acquisition (SCADA) environments. A large majority of the identified exposed systems are from smaller energy and water organizations that feed the major enterprise supply chain, which serves the general public. With access to an exposed HMI system, an attacker is not only able to see all the information about critical systems, but can also interact with and abuse these interfaces.
“Critical infrastructure is a national focal point for cybersecurity – and for cybercriminals, who can pinpoint and exploit the weakest link in these connected systems,” said Mark Nunnikhoven, vice president of cloud research for Trend Micro. “That’s troubling, as Trend Micro Research continues to find critical devices, and the networks that they connect to, needlessly exposed. This exposure, combined with the record number of ICS vulnerabilities reported through the Zero Day Initiative this year, highlights a growing risk that extends into each of our communities.”
Many of these HMIs are legacy systems that were not initially designed to be connected to a network in this way. Today, connectivity is being added to many legacy operational technology systems, which have long lifespans and are very difficult to patch, exacerbating the risk of attack.
In the report, Trend Micro researchers detail potential attack scenarios that would have substantial real-world impacts to critical infrastructure using information found in the exposed systems. This information includes the type of device, physical location, and other system-level information, which can all be used to inform a potential attack.
Attackers may soon turn their attention to exploiting these exposed systems due to an increase in new vulnerabilities found this year. Trend Micro’s Zero Day Initiative has published nearly 400 SCADA-related vulnerability advisories in 2018 so far – a 200 percent increase compared to the same time last year.
Based on a recent survey by Trend Micro, operational technologies like these have not typically been managed by IT or security teams. The ongoing confusion around who in an organization is responsible for securing connected devices often leaves them more at risk.
To protect HMI systems against the risk of attack, security leaders must ensure the interfaces are properly secured if they must be connected to the internet. Likewise, there should be as much isolation as possible in place between these devices and the corporate network, which maintains operational needs while eliminating the risk of exposure and exploitation.
“If we hadn’t found the command and control malware in our SCADA environment, our toxic gases monitoring systems could have been compromised and may put human lives in danger,” said Ireneo Demanarig, chief information officer, CEITEC S.A. “Security must be at the core of our company. Trend Micro not only provides comprehensive security solutions, but they are a great partner in automating threat intelligence sharing that makes our lives easier.”