The harnessing of energy and water and their distribution to households, facilities, and entire cities is the incredible responsibility of critical sectors. Nowadays, infrastructures built to handle these processes operate with such efficiency that energy and water can run in the background of the daily bustle of human activity. This feat is achieved through the continuing development of technology surrounding such resources — development that now involves being “smart.”
The “smart” upgrade could come at a cost, however. Using Shodan and other tools, Trend Micro researchers looked into the possible weaknesses of exposed industrial control systems (ICS) across the energy and water industries. The results give a glimpse of security gaps found in the ICS and human-machine interfaces (HMIs) of small and medium businesses in the two sectors. These gaps could lead to bigger problems due to the interdependent nature of critical infrastructure sectors and, more importantly, the natural dependence of people on these infrastructures.
To learn more about exposed HMIs and security recommendations for ICS, read our complete report, “Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries.”
Real-world threat scenarios for the water sector
One of the greatest concerns for organizations in this sector is the possible effect of direct cyberattacks on their operations, thereby leading to a disruption of supply to and from the plant. This is especially true for water facilities that either purify water for distribution or use water in their operations. Here are theorized scenarios, taken from our research findings:
Water treatment plants
The main HMI controls for a certain seawater-to-drinking water treatment plant were found exposed through our publicly available methods. An attacker could discover the exposure and launch an attack that could affect the supply of drinking water in the area.
Industrial water facilities
The HMI controls for a water heating facility used for various industrial processes were exposed to the public internet. An attacker could gain access and use such controls to cause serious industrial accidents in a similar facility by manipulating temperatures.
Real-world threat scenarios for the energy sector
Since energy is one of the more central sectors of critical infrastructure, disruption in this sector can have cascading effects on other industries that depend on the continuous flow of energy to function. Here are some theorized scenarios using the results of our research on exposed HMIs.
Oil and gas structures
We found gas wells whose controllers were exposed. An interested attacker could shut down or reset wells, possibly affecting the state or national energy supply, which even small or medium organizations have a hand in providing.
Solar energy devices
Exposed HMIs in this industry included home solar panels as well as solar farms. An attacker hijacking the controls could affect the capability of individual homes to generate their own supply of energy, or affect the total available power on the larger national level since the excess energy from home solar panels is sold to the national grid.
We found different kinds of power plants exposed online, from biogas to hydro plants. An attack in such facilities could mean affecting the energy supply for homes and organizations alike.
We found a hydroelectric plant exposed in a different way: through its security cameras. An exposed camera could reveal possibly sensitive information that cybercriminals can use for other attacks.
Security implications of exposed HMIs
All the exposed and vulnerable HMIs we found were from small and medium businesses. However, larger organizations are not immune to the same threats faced by smaller organizations. The interconnected nature of the supply chain, especially in critical sectors like energy and water, makes threats and risks at any level of great importance. These exposed HMIs have a potential impact at a much larger scale than what the exposed organizations cater to and could also affect the operations of larger organizations in the same sector. Unlike researchers, cybercriminals will not be held back by the possible negative implications from doing more than just observing these vulnerable systems. Cybercriminals might even aim to cascade damage to larger organizations.
Learning from these exposed systems and devices can help in developing stronger countermeasures against possible attacks to ensure a safer integration of the internet of things (IoT) and ICS in the processes of energy and water sectors. After all, while technological advancement does help greatly in harnessing natural resources in safe and sustainable ways, it does not minimize our dependence on such resources and the importance of security in our continued use of them.