Multiple Weaknesses in Industrial Control Systems can Expose Organizations to Serious Risks

• A new study found over 10,000 industrial endpoints that are affected by over 380,000 known vulnerabilities.
• A majority of the vulnerabilities are found impacting software made by Microsoft.

A new analysis of Industrial control systems (ICS) sheds light on how some legitimate and deeply rooted product features and functions can actually pose a threat to organizations. ICS systems are widely used in the networks oil & gas, power generation, refining & chemicals, pulp & paper, and mining industries.

What does the study reveal?

• According to a study conducted by PAS Global, over 10,000 industrial points have been found to be affected by over 380,000 known vulnerabilities.
• The study unfolded that many of the industrial control systems used by these organizations are affected by design flaws and weaknesses that could be used by malicious actors for a wide range of purposes. This includes causing disruption and physical damage.
• A majority of the vulnerabilities were found impacting software made by Microsoft.

What all systems are affected?

The issues were found impacting various types of ICS, including human-machine interfaces (HMI), programmable logic controllers (PLC), and distributed control systems (DCS). The exploitation in most cases only requires network access or basic privileges.

In particular, the study has identified two types of issues: ubiquitous weaknesses, which affect a wide range of products and unique weaknesses, that are specific to a product.

What to do?

Adopting configuration management, especially for the most critical systems and assets, is one way to thwart an attack. Passive network monitoring can also catch anomalous traffic and behavior, which could be an indicator if something goes wrong in an industry. The last and most important requirement is to apply security patches to vulnerable devices.