This is how hackers can take down our critical energy systems through the Internet

Human Interface Systems lacking any kind of security have the potential to cause serious damage to critical services worldwide.

We rely on a plethora of industrial services including clean and sewage water facilities and energy services in our daily lives.

It is easy to forget these organizations as they work in the background, but to a threat actor that wishes to disrupt the infrastructure cities now deem critical, these industrial players can be of serious interest.

In 2016, Ukraine's power grid dropped without warning, leaving the city of Kiev without access to energy services for an hour. It is likely that those 60 minutes represented an eternity for power grid employees who had to find out what had caused the failure -- and this turned out to be Industroyer, a form of malware specifically crafted to target industrial systems.

This incident highlighted just how much disruption and chaos a determined hacker and a few lines of code can cause -- and as cyberwarfare ramps up worldwide, the threat to our core infrastructure is of real concern.

On Tuesday, researchers from Trend Micro published a report on the ways that Human Interface Systems (HMI), which are found in thousands of utilities worldwide, can be exploited.

HMIs are necessary for human operators to be able to interact with supervisory control and data acquisition (SCADA) systems. If an HMI can be successfully compromised, this can potentially lead to the exposure of SCADA systems -- which, in turn, can give attackers access to the heart of industrial operations.

Industrial organizations face a variety of challenges when it comes to securing these critical systems. Many industrial facilities use legacy systems, which may or may not be able to integrate with modern security solutions or receive over-the-air (OTA) updates due to limited functionality or memory.

Trend Micro's Zero Day Initiative (ZDI) has published almost 400 SCADA-related vulnerability advisories in 2018, an increase of 200 percent year-over-year.

According to the cybersecurity firm's research, there is a vast array of water and energy-based assets that are publicly exposed on the Internet today, including remote desktop protocol software, equipment, and virtual networking systems.

One of the easiest methods employed to find these resources is to use Internet scanning, such as through the Shodan search engine. Another way to find these systems is through mapping physical locations to IP addresses in a process known as "geostalking."

It did not take long for the researchers to uncover a range of exposed HMIs, including water systems in Sweden, geothermal systems in Spain, water filtration equipment in Colombia, and sterilization plants in Australia.

None of the techniques used by the team required direct interaction with a device.

When it came to oil and gas, a drilling rig in the Middle East, as well as oil wells, control systems, and valve pressure monitors in the US were exposed.

Biogas HMIs in Germany, France, Italy, and Greece, and power-related HMIs in Germany, Spain, Sweden, the Czech Republic, Italy, France, Austria, and South Korea -- including solar, wind, and hydroelectric plants -- were also uncovered.

Trend Micro says that most often, these HMIs are accessible through VNC desktop sharing servers and often lack any form of authentication or protection from intrusion.
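For operators auditing their own HMI hosts, the missing-authentication condition described above is visible in the first bytes of the VNC (RFB) handshake. The following is an added example, not code from Trend Micro's report: it parses both directions of a recorded handshake per RFC 6143 and flags servers that offer security type 1 ("None"); the function names, sample bytes and documentation addresses are constructed for illustration.

```python
import re
import struct

# Security type numbers from RFC 6143 (RFB protocol); others are extensions.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication"}
_VERSION = re.compile(rb"RFB (\d{3})\.(\d{3})\n")

def _version(msg: bytes) -> tuple:
    m = _VERSION.fullmatch(msg[:12])
    if not m:
        raise ValueError("not an RFB ProtocolVersion message")
    return int(m.group(1)), int(m.group(2))

def offered_security_types(server: bytes, client: bytes) -> list:
    """Security types the server offered, from both directions of one capture."""
    _version(server)                      # validates the server banner
    negotiated = _version(client)         # the client's reply selects the version
    body = server[12:]
    if negotiated in ((3, 7), (3, 8)):    # U8 count followed by a list of U8 types
        if not body or len(body) < 1 + body[0]:
            raise ValueError("truncated security-type list")
        return list(body[1:1 + body[0]])  # count 0 means the server refused
    if len(body) < 4:                     # any other version is handled as 3.3
        raise ValueError("truncated security type")
    (chosen,) = struct.unpack(">I", body[:4])   # server dictates one U32 type
    return [chosen] if chosen else []     # 0 means the server refused

def audit(captures: dict) -> dict:
    """Map each host to a finding; flag hosts that accept type 1 (None)."""
    findings = {}
    for host, (server, client) in sorted(captures.items()):
        types = offered_security_types(server, client)
        names = [SECURITY_TYPES.get(t, f"type {t}") for t in types]
        if 1 in types:
            findings[host] = "NO AUTHENTICATION offered: " + ", ".join(names)
        else:
            findings[host] = "authentication required: " + (", ".join(names) or "refused")
    return findings

# Constructed sample captures (documentation addresses, not real hosts).
SAMPLE = {
    "192.0.2.10": (b"RFB 003.008\n\x01\x01", b"RFB 003.008\n"),
    "192.0.2.11": (b"RFB 003.008\n\x01\x02", b"RFB 003.008\n"),
    "192.0.2.12": (b"RFB 003.008\n\x00\x00\x00\x01", b"RFB 003.003\n"),
}

if __name__ == "__main__":
    for host, finding in audit(SAMPLE).items():
        print(host, finding)
```

A host flagged here should have VNC authentication enabled and its remote-access port removed from direct Internet exposure.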

Attacks on industrial systems are more likely to be politically motivated than financially motivated because the return on investment is poor, especially in comparison to targeting a traditional bank, for example.

The researchers believe that attackers can be generally split into two groups -- state-sponsored hackers tasked with the job, and curious attackers who may stumble on exposed systems through the Internet.

Whatever the motive, a successful attack on core infrastructure not only can disrupt the daily lives of citizens but also has the potential to cause serious economic harm.

"While critical infrastructure (CI) cybersecurity awareness is steadily growing and significant steps have been taken to secure CI, its protection could still definitely be better improved," Trend Micro says. "The process of improvement will take time, given the complexity of CI systems and the large number of players involved in the industry, but creating awareness about the vulnerable areas that need immediate attention helps expedite the process."
