APCS Safety Market

2022: Attackers infect APCS with malware using password reset tool

Attackers infect APCS malware using a reset tool. passwords This became known on July 18, 2022. More. here

2021

120 APCS vulnerabilities transferred in 2 years to the FSTEC Data Bank of Russia

On July 22, 2021, Rostelecom-Solar shared the results of two years of cooperation with the Information Security Threats Data BankFSTEC of Russia. Rostelecom-Solar experts Ilya Karpov, Evgeny Druzhinin and Konstantin Kondratyev transmitted information to the regulator about 120 discovered software vulnerabilities, 115 of which are related to the APCS components of foreign and domestic vendors.

The average value of the "importance" indicator for vulnerabilities found by "Rostelecom-Solar" specialists is 8.88 out of 10. It is defined according to the subject of the study, that is, the type of software. The high score for this indicator is due to the fact that a significant part of the discovered vulnerabilities belong to the built-in ON components of industrial systems. The average value of the criticality of vulnerabilities identified by Rostelecom-Solar specialists, which is calculated in accordance with the international vulnerability assessment system CVSS 3.0, is 7.67 points.

{{quote "Among the vulnerabilities that our researchers most often identify are problems related to access control," says Jan Sukhikh, head cyber security ASU of the TP department at Rostelecom-Solar. - In some cases, these are vulnerabilities that allow you to increase user privileges, and sometimes completely bypass the mechanisms authentications and. authorizations In addition, we see implementation problems: cryptography unreliable crypto algorithms allow an attacker to gain control over the traffic of a device. If we are talking about equipment that is used in vital industries, such as the fuel power complex, such vulnerabilities can lead to serious accidents. Therefore, it is very important for us to help increase the security of the Russian industrial enterprises. }}

The cybersecurity laboratory of the APCS of the company "Rostelecom-Solar" cooperates with foreign and domestic vendors of industrial equipment in terms of identifying and eliminating vulnerabilities in their solutions. In 2020, Rostelecom-Solar experts helped eliminate critical vulnerabilities in industrial equipment of such large international vendors as Schneider Electric and MOXA. After receiving information from researchers, manufacturers of industrial system elements released security updates for their products.

The National Cyber ​ ​ Police also makes a great contribution to the process of identifying and eliminating vulnerabilities. As part of the cyberpoligon, Rostelecom-Solar experts also check for security software and components of industrial systems.

Information about vulnerabilities falls into the Bank of Threat Data of the FSTEC of Russia after it is confirmed by the vendor. After that, it can be transmitted to other bases, for example, MITRE.

FSTEC screened out information security companies at a competition to create an APCS vulnerability resource. The work will do it ›

In March 2021, FSTEC of Russia chose a contractor to develop a domestic resource with vulnerabilities in the APCS level and the industrial Internet of Things of critical, potentially dangerous and dangerous production facilities. Using this resource, it will be possible to inform the owners of the above objects about vulnerabilities.

The winner was the organization subordinate to the FSTEC - the State Research Test Institute for Information Technical Protection Problems (GNII PTZI FSTEC of Russia). According to the aggregate assessment of different factors, she scored the maximum total score out of all applications submitted. The maximum purchase price announced in February was 300 million rubles^[1]. GNII PTZI will perform work for an amount slightly lower - 33.5 thousand rubles less than the maximum.

In addition to GNII PTZI, seven more organizations were allowed to participate in the tender: Positive Technologies, Rostelecom, Rubin Research Institute, Ural Center for Security Systems, High Technologies and Strategic Systems, Telecom Integration and Neobit. And five reached the finish line: the Rubin Research Institute, High Technologies and Strategic Systems and Neobit retired. The lowest contract price - 215 million rubles - of the remaining participants was offered by Rostelecom.

With the help of the resource that FSTEC will create, it will be possible to inform the owners of the above objects about the vulnerabilities of the APCS "(photo - nordwesttool.ru)"

The terms of reference for the tender indicate that the goals of creating the resource are to reduce the social and economic consequences of computer attacks on critical information infrastructure by timely identifying APCS vulnerabilities, improving the information protection systems of APCS and the industrial Internet of Things of critical, potentially dangerous and dangerous production facilities.

Another goal is to improve the qualifications of specialists involved in monitoring the level of security of the APCS and the industrial Internet of Things of these facilities.

The start of work on the project is scheduled for April 2021, and its completion - for December 2023, according to the terms of reference.

I must say that since 2015, the FSTEC Information Security Threats Data Bank has been operating, which collects information, including about I&C threats. It is focused primarily on information systems in the public sector and defense industry. As of February 23, this bank contains information about more than 31.2 thousand vulnerabilities and 222 threats.

It follows from the tender documentation for the creation of a new resource that this is work within the framework of the federal project "Information Security" of the national program "Digital Economy." Natalya Kasperskaya, President of InfoWatch, Head of the Information Security Working Group within the framework of the Digital Economy National Program, previously expressed concern about the lack of necessary information about vulnerabilities in APCS and in Internet of Things technologies, which are widely used not only by defense industry organizations, but also in other industries.

And in December 2020, Kasperskaya cited data that in the first half of the year 365 vulnerabilities in the field of APCS were identified worldwide - 10% more than in the same period in 2019. A significant part of these vulnerabilities are remotely managed. Vulnerabilities mean features: ON these can be errors or specially laid down by the developer "bookmarks"^[2]

According to TAdviser, it was the working group headed by Natalya Kasperskaya that formulated the task of creating a separate resource on the threats of APCS. And, given that FSTEC already has experience in organizing a bank of threat data, and that this is its profile area of ​ ​ activity, the department has taken over the organization of work to create a resource. It will be intended for a wide range of users.

But the resource itself in this case is the tip of the iceberg, this is only what the end user sees. In order for it to be formed and replenished on a daily basis, it is necessary to hardware and software complexes for searching for information about vulnerabilities in various sources, the formation of a team of specialists who are constantly involved in this issue. Also needed are stands where the vulnerabilities found will be tested and tested.

As for informing the owners of critical, potentially dangerous and dangerous production facilities about the vulnerabilities found in APCS and the industrial Internet of Things, then, in particular, the existing FSTEC threat bank has a subscription function for relevant mailings and news. In addition, all domestic security analysis controls are focused on this source of vulnerabilities and allow you to automatically declare a vulnerability in a specific system and automatically notify the system owner.

In addition to the resource with vulnerabilities in the APCS level and the industrial Internet of Things, FSTEC in February 2021 announced another major tender - for those establishment of a safety research center OS created on the basis of the kernel. Linux As in the case of the vulnerability resource, the initial price of this purchase is also exactly 300 million rubles.

2020

Experts have discovered more than 43 thousand unprotected SCADA systems around the world

The number of IoT devices and SCADA systems connected to the Network without appropriate security measures continues to increase, leaving critical devices vulnerable to potential attacks and hacking attempts. A&O IT Group researchers reported that despite a number of high-profile attacks on SCADA systems, most devices and protocols do not have reliable protection ^[3]].

The increase in the number of unprotected devices, experts believe, may be a consequence of providing access to systems to remote employees due to the coronavirus pandemic (COVID-19). Shodan searches revealed 43,546 unprotected devices: Tridium (15,706), BACnet (12,648), Ethernet IP (7,237), Modbus (5,958), S7 (1,480) and DNP (517).

As experts have identified, the most vulnerable devices are USA in - 25,523. Of the six groups analyzed, the least detected S7 devices in the United States, however, many of them are Conpot honeypots, indicating a higher level of vigilance of local information security experts. Other countries topping the list for unsecured devices include, Canada as well as,, and Spain. Germany France Great Britain

"Critical infrastructure runs on legacy networks that were previously isolated from the IT network. There is a growing demand for connectivity and the possibility of remote work, as a result of which outdated networks are connected, which are often more than 25 years old. As a result, the infrastructure that manages global operations is vulnerable and contains a number of cybersecurity problems, "the researchers explained.

More than 70% of vulnerabilities in APCS can be exploited remotely

More than 70% of the vulnerabilities in APCS discovered in the first half of 2020 can be used remotely. A research team from Claroty presented a report that includes^[4] assessment of 365 vulnerabilities in APCS published in the National Vulnerability Database (NVD), and 139 messages issued by the Industrial Control Systems Cyber Threat Emergency Response Team (ICS-CERT), which affected 53 APCS suppliers^[5].

Compared to the first half of 2019, the number of vulnerabilities in APCS increased by 10.3%, while the number of ICS-CERT messages increased by 32.4%. More than 75% of vulnerabilities were rated as dangerous (53.15%) or critical (22.47%) on the CVSS scale.

As experts noted, more than 70% of the vulnerabilities published by NVD can be exploited remotely. In addition, the most common potential impact was remote code execution, possible by exploiting 49% of vulnerabilities, followed by reading application data (41%), calling a denial of service (39%), and bypassing security mechanisms (37%).

The energy sector, critical production and water supply infrastructure were most affected by vulnerabilities discovered in the first half of 2020. Of the 385 unique vulnerabilities recorded in the Common Vulnerabilities and Exposures database, 236 problems were found in the energy sector, 197 in critical production facilities, and 171 in water supply systems.

Many APCS access points in the United States are vulnerable to hacking

Despite growing investment in critical infrastructure security, many APCS panels used by public and private enterprises in the United States are not protected and can easily be hacked by cybercriminals. According to the research team of the CyberNews resource, automated process control systems are in the public domain, and any attacker can easily access them^[6].

By scanning blocks of IP addresses in the United States for open ports, experts found a number of unprotected and accessible APCS. Many APCS access points in the US, especially in the water and energy sectors, are vulnerable to attack. With search engines designed to scan open ports, hackers can remotely monitor critical U.S. private and public infrastructure. Anyone can access these systems without any passwords.

The experts were able to access the open APCS of the onshore oil well with the ability to control several oil tanks and damage the US power supply by suppressing alarms, opening and closing relief valves, changing configurations, etc.

Unprotected offshore oil well control systems could also provide access to five facilities. This is incredibly dangerous as offshore oil rigs are particularly vulnerable to attack due to "transitioning to unmanned robotic platforms where vital operations are controlled through wireless connections to onshore facilities."

The researchers also found an unprotected public water system that allowed the water supply to be cut off to more than 600 people.

Access to several water treatment plants could be obtained by anyone, which made it possible to intervene in the treatment processes and potentially make drinking water unsafe for consumption for more than 7 thousand people.

In another case, a vulnerable control panel allowed experts to intercept the manual control of a sewage pumping station in a city with a population of more than 18 thousand inhabitants and potentially damage the sewage system of the entire city by adjusting the flow rates of wastewater or completely shutting down the system.

Experts reported their findings to CISA, CERT, as well as public and private owners, and access to these systems was disabled^[7].

APCS Safety Market to Reach $12 Billion by 2026

Automated Process Control Systems Safety Solutions Market Size by 2026 (APCS) will increase from the current more than $2 billion to $12 billion, experts from the Global Market Insights^[8][9].

The proliferation of connected devices and the increase in the number of cyber attacks accelerates the global growth of the APCS security solutions market. Safety solutions for APCS mainly include software and hardware components that are used to automate and manage industrial procedures such as distribution management systems and dispatch control.

As a rule, in the event of a cyber attack, the company suffers significant financial losses. Over the years, cases of cyber attacks on critical production infrastructures have increased. Safety solutions for APCS help to reduce such risks and ensure the security of data and information displayed on screens and dashboards.

The growing need to protect end-to-end network devices such as smartphones, laptops and PCs from cyber threats is significantly increasing the growth of the APCS security segment. Endpoint security is beneficial because it offers an encrypted framework to protect your network infrastructure from data breaches and other attacks that can cause network outages.

According to experts' forecasts, in the market of solutions for ensuring the safety of APCS North America , the share of the industry will be more than 30%, which is due to increased financing and cyber attacks in the oil and gas sector, USA contributing to an increase in demand for solutions in the field of APCS safety.

In the Identity and Access Management (IAM) segment in the UK, experts predict a 30% growth in the market for APCS security solutions, including through the dissemination of the Bring Your Own Devices (BYOD) concept, in which employees are allowed to use personal devices to access corporate systems.

The network security segment is expected to occupy 20% of the market by 2026 in the United States due to the growing demand for integrity and usability protections for data and networks connecting various industrial applications. In China, by 2026, the managed services segment in the APCS security solutions market is projected to be 20%, and the critical industrial systems segment in Mexico will increase by 26% due to the rapid adoption of smart solutions, sensor technologies, IoT strategies and analytics in manufacturing companies to improve business efficiency.

2019: Rostelecom named the main cyber risks for industry

On November 19, 2019, Rostelecom Solar published the results of a study in which it named the main cyber risks for industry.

Experts analyzed devices and software that are used in the industrial Internet of Things, automated production control systems, robotic systems, etc. Most of the analyzed software and equipment is used in the electric power sector, as well as in the oil and gas and chemical industries.

"Rostelecom-Solar" published the results of a study in which it named the main cyber risks for industry

According to RBC with reference to this report, 72% of vulnerabilities found in the software of industrial enterprises can give an attacker control over technological processes and paralyze the work of companies. This can lead to harm to the life and health of people, a halt in production or a decrease in the quality of products, as well as a loss of trade secrets.

According to experts, the most common breach (28% of cases) was identified in user authentication and authorization systems - they made it possible to completely bypass the identification requirements and get into the industrial system for almost any user.

Another 22% of vulnerabilities are due to the fact that the credentials were stored in clear text: this leads to the fact that an attacker can get information about the device and its configuration and find weaknesses in the protection of equipment.

In addition, Rostelecom-Solar experts pointed out vulnerabilities that allow malicious code to be injected into a web page opened by a system user (XSS injections). In the event of a successful attack, depending on the type of injection, the attacker can gain various advantages - from access to confidential information to complete control over the system.^[10]

2018

Kaspersky Lab study

Researchers from Kaspersky Lab published a report on cybersecurity of industrial automation systems in 2018 in the summer of 2018, during which 320 managers at enterprises with the right to make decisions on APCS security issues from around the world were interviewed. ^[11]

As follows from the report, more than three quarters of the surveyed heads of industrial enterprises believe that the safety of APCS is a serious problem, and cyber attacks are a very likely event. At the same time, only 23% of companies at least to a minimum comply with state or industry standards and recommendations related to cybersecurity of APCS.

According to experts, 35% of Russian companies are not afraid to become a victim of cyber attacks, but 13% of firms note a high risk of a hacker attack. Companies from the Middle East are much more alarmed: 63% of them believe that with a high degree of probability they can become victims of cyber attacks.

In addition, the researchers announced a critical shortage of specialists in the field of protecting APCS from cyber threats.

"58% of the companies surveyed consider hiring experienced cybersecurity specialists of industrial systems to be one of the primary problems. This problem is international in nature, "experts noted

The absence of cyber incidents over the past 12 months has been announced by 51% of respondents. Compared to 2017, the number of such organizations increased slightly, last year it was 46%.

"On this basis, it can be assumed that the measures taken to ensure the cybersecurity of the APCS over the past year have yielded significant results," the experts emphasized.

2017

Dragos study

Dragos security researchers published at the end of 2017 a report on vulnerabilities in automated process control systems (APCS^[12]. According to the report, in 2017, 163 recommendations were published describing various vulnerabilities affecting ACS. 63% of these vulnerabilities allowed attackers to cause failures in the target system. At the same time, only 15% of problems can be exploited to gain direct access to the network^[13].

According to the researchers, one of the main problems is the difficulties that organizations face when fixing vulnerabilities in APCS. Certain features of these systems often lead to delays in installing fixes - sometimes indefinitely. According to the researchers, organizations need to work more intensively to develop better test systems on which patches can be reliably tested.

will benefit from this by being able to test new settings, thereby reducing maintenance time. The testing system can really increase profits in many ways, this is not just waste, "experts said

However, organizations also need more effective support from vendors and the security research community. Public vulnerability reports provide insufficient information about alternative ways to mitigate risk, in addition to applying patches or isolating systems, experts say. At the same time, in 12% of cases, the reports did not contain information on fixing the problem at all.

In addition, ACS users should bear in mind that even installed fixes do not completely eliminate the risks. According to reports, in 2017, 64% of vulnerabilities affecting ACS were found in components that were initially unsafe.

5 cybercriminal groups

According to the report, there are at least 5 cybercriminal groups that show increased interest in APCS, or carried out direct attacks on systems of this type.

In particular, the researchers identified the Electrum group, which used the Crashoverride and Industriroyer malware to attack Ukrenergo's computer networks in December 2016. According to experts, Electrum may be associated with the hacker group Black Energy (also known as TeleBots and Sandworm Team), suspected of involvement in the NotPetya ransomware attacks and attacks on Ukraine's energy systems in 2015. Electrum has expanded its list of targets and could soon launch a new cyber attack, according to the report.

The second group of interest to the researchers is known as Covellite. This group, allegedly associated with the North Korean government, became known after a large-scale phishing campaign aimed at US energy enterprises. There are suspicions that Covellite is also responsible for a series of cyber attacks on organizations in Europe, North America and East Asia. It is not known whether the group's arsenal contains malware developed specifically for APCS.

Experts also drew attention to the hacker group Dymalloy, which attacked APCS in Turkey, Europe and North America. Hackers have shown practically no activity since the beginning of 2017 due to the increased attention of the media and information security experts to their activities.

Another grouping that poses a danger to the ACS is known as Chrysene. Its operations mainly focus on companies and organizations in North America, Europe, Israel and Iraq. According to the researchers, the malware used by Chrysene is quite complex, but it is intended not so much for attacks on ACS as for espionage.

The latter group, noted by Dragos, is called Magnallium (APT33) and is allegedly associated with the Iranian government. The main goals of hackers are enterprises of the aerospace industry, the energy sector and military facilities.

Positive Technologies study

Historically, approaches to ensuring information security of industrial facilities have their own characteristics. Known vulnerabilities in IT systems are often not fixed due to unwillingness to make changes and thereby disrupt the technological process. Instead, the company's main efforts are directed to reducing the likelihood of their operation, for example, by separating and isolating internal technological networks from corporate systems connected to the Internet. As the practice of penetration testing shows, such isolation is not always implemented effectively, and the offender still has the opportunity to attack.

So, according to the collected statistics, attackers can overcome the perimeter and get into the corporate network of 73% of companies in the industrial segment. 82% of companies can penetrate from the corporate network into the technological network in which the APCS components operate.

One of the main opportunities for the attacker to gain access to the corporate network turned out to be administrative control channels. Often, industrial administrators create remote connectivity for themselves - this allows them, for example, not to stay at the site all the time, but to work from the office.

In each industrial organization in which Positive Technologies researchers managed to gain access to the technological network from the corporate one, certain shortcomings of network segmentation or traffic filtering were identified - in 64% of cases they were introduced by administrators when creating remote control channels.

The most common vulnerabilities in corporate networks were dictionary passwords and outdated software - these errors were found in all companies under investigation. It is these shortcomings that allow you to develop the attack vector to obtain maximum privileges in the domain and control the entire corporate infrastructure. It is important to note that often files with passwords to systems are stored directly on employee workstations.

The number of available APCS components in the global network is growing every year: if in 2016 the IP addresses of 591 subsystems were discovered in Russia, then in 2017 already 892. Such results^[14] study of] Positive Technologies, which analyzed the threats associated with the availability and vulnerabilities of APCS over the past year.

The largest number of APCS components present on the Internet was found in countries in which automation systems are best developed - the USA, Germany, China, France, Canada. Over the year, the US share has increased by almost 10% and is now approximately 42% of the total (175,632). Russia has risen three places and ranks 28th.

Positive Technologies experts pay attention to an increase in the share of network devices (from 5.06% to 12.86%), such as interface converters and. Lantronix Moxa (Moksa Russia) The availability of such devices, despite their auxiliary role, poses a great danger to the technological process. For example, during the cyber attacks "" Prykarpatyeoblenergo attackers remotely disabled Moxa converters, as a result of which they were lost communication with field devices at electrical substations.

Among software products in the global network, Niagara Framework components are most often found. Such systems control air conditioning, power supply, telecommunications, alarm, lighting, video surveillance cameras and other key engineering elements, contain many vulnerabilities and have already been hacked.

The second important observation of the researchers concerns the growing number of threats in the APCS components. The number of published vulnerabilities for the year increased by 197, while a year earlier it became known about 115. More than half of the new safety deficiencies have a critical and high degree of risk. In addition, a significant share of vulnerabilities in 2017 fell on industrial network equipment (switches, interface converters, gateways, etc.), which is increasingly common in the public domain. At the same time, most of the safety deficiencies detected in the APCS during the year can be operated remotely without the need for privileged access.

Compared to 2016, the leaders have changed. The first position instead of Siemens is now taken by Schneider Electric. In 2017, almost ten times more vulnerabilities (47) related to the components of this vendor were published than a year earlier (5). You should also pay attention to the number of new security flaws in Moxa industrial network equipment - they were published twice as many (36) as in 2017 (18).

2016: Positive Technologies Research

On July 15, 2016, Positive Technologies presented the results of a study of vulnerabilities and the prevalence of components of automated process control systems (APCS).

Using information from publicly available sources (vulnerability knowledge bases, manufacturer notifications, exploit collections, scientific conference reports, publications on specialized sites and blogs), experts at the end of 2015 found a total of 212 vulnerabilities in APCS components, and their total number over five years reached 743. Almost half of these vulnerabilities have a high degree of risk.

The largest number of vulnerabilities were found in products from well-known manufacturers such as Siemens (147), Schneider Electric (85), Advantech (59), General Electric (27) and Rockwell Automation (26).

The most vulnerable and at the same time common components of APCS are SCADA systems, which in 2015 accounted for 271 vulnerabilities. In addition, not few gaps have been found in HMI components, industrial network devices and engineering software.

In 2015, only 14% of vulnerabilities were eliminated within three months. In 34% of cases, elimination took more than this time period. More than half (52%) of the errors either remained, or manufacturers did not report the timing of their elimination.

The largest number of components available on the Internet was found in countries in which automation systems are best developed. These USA are (38.85% of the total available components), (Germany 12.28%), (France 5.43%), (Italy 5.15%) and Canada (4.93%).

In terms of the prevalence of APCS components, companies, Honeywell SMA, Solar Technology Beck IPC, Siemens and are leading. Bosch Building Technologies (Ранее Bosch Security Systems)

According to the results of the study, Positive Technologies came to the conclusion that there is no adequate protection of the APCS components. Even minimal preventive security measures, such as the use of complex passwords and the disconnection of APCS components, Internet will significantly reduce the likelihood of attacks with noticeable consequences, experts say.

2013: Informzaschita Study

An audit of automated process control systems of industrial enterprises, conducted in the fall of 2013 by Informzaschita specialists, testifies to "depressing" statistics in the field of fulfilling information security requirements. ^[15].

During the survey, the 25 most significant safety criteria were used, the compliance with which, according to Informzaschita, should protect the APCS of industrial companies. These requirements are formed on the basis of experience in the implementation of projects in a dozen large enterprises of the fuel and energy complex.

The summary of the obtained results showed that in the APCS of the majority of the surveyed enterprises there are no procedures for managing safety incidents and their analysis, as well as no measures have been developed to prevent the re-occurrence of dangerous events.

There are also no external intrusion detection and prevention systems and network anomalies detection means, which should be used when the APCS network is connected to the communication infrastructure of the entire enterprise. Along with this, an audit of the state of information security and an analysis of the security of APCS complexes are not carried out.

Informing staff about problems that may be caused by non-compliance with information security rules, and training in this area is carried out only in a quarter of organizations. And such training becomes vital in conditions when social engineering methods based on the peculiarities of human psychology are increasingly used to illegally enter the system. These methods are used to access confidential information, including data that allow unauthorized actions in APCS. A typical example is asking for a password allegedly on behalf of a system administrator.

Wireless access to automation complexes and their supporting information systems, which can be used by their own personnel and contractors, requires special attention, as it is fraught with an abundance of vulnerabilities. The lack of developed protection measures and the lack of awareness of all these employees can lead to very serious consequences.

Among the reasons for the technological and organizational lag in the field of information security of APCS from corporate information systems, one can single out the specifics of industrial automation projects. When they were implemented for a long time, the tasks of improving speed, performance, cost optimization were mainly solved, while protection against potential threats was not given due attention. In addition, corporate information systems and APCS complexes are traditionally developed and operated by separate divisions of enterprises.

In large domestic organizations of the industrial sector, in particular in the oil and gas industry, the unification of IT services and divisions of APCS begins. The company representatives also believe that the results of the audit of the APCS protection status should show the heads of business units what threat to the continuity of their business processes is non-compliance with security policies. In addition, the business shows a very noticeable interest in preventing theft and in implementing solutions that prevent distortion of credentials entering enterprise management systems. It is characteristic that out of more than three dozen specialists of the fuel and energy complex enterprises who took part in the seminar, about a quarter represented the APCS services.

Notes