A new report by Positive Technologies has revealed that more than nine in ten (91%) industrial organisations are vulnerable to cyber-attacks.
The study found that malicious actors were capable of penetrating the corporate network of 9 out of 10 organisations. Once inside, they were successful in obtaining user credentials and complete control over the infrastructure. In 69% of cases, attackers can steal sensitive data from the organisation, such as information pertaining to partners and employees and internal documents.
Penetration testers from Positive Technologies gained access to the technological segment of the network of 75% of organisations, enabling them to access industrial control systems (ICS) in 56% of cases. Once access to the ICS components is gained, malicious actors are able to shut down production entirely, cause equipment to fail, and trigger industrial accidents, leading to severe damage and even fatalities.
A range of factors makes these organisations vulnerable to attackers, Positive Technologies noted. For example, during recent PT NAD pilot projects, its experts uncovered numerous suspicious events in the internal network of each industrial company. In one case, PT NAD registered an RDP connection to an external cloud storage service, enabling 23 GB of data to be transferred to the address of this storage via RDP and HTTPS.
The use of outdated software is another contributing factor, as is saving connection parameters (username and password) in a remote access authentication form. Once attackers obtain control over a computer where the parameters are saved, they can connect to the resources of an isolated segment without entering credentials.
The potential impact of an attack on an industrial organisation was demonstrated on a virtual cyber-range at The Standoff 2021. In one scenario, within two days, attackers gained control of the gas station, halting the gas supply and causing an explosion.
Olga Zinenko, senior analyst at Positive Technologies, commented:
“Today, the level of cybersecurity at most industrial companies is too low for comfort. In most cases, internet-accessible external network perimeters contain weak protection, device configurations contain flaws, and we find a low level of ICS network security and the use of dictionary passwords and outdated software versions present risks.”