A recent report from Forescout shows that 56 vulnerabilities exist in commonly used operational technology (OT) devices. According to the Cybersecurity and Infrastructure Security Agency (CISA), these vulnerabilities are “caused by insecure-by-design practices in operational technology across multiple vendors. The vulnerabilities are divided into four main categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates and remote code execution via native functionality.”
Many municipalities, counties, and water/sewer authorities use OT as part of their critical infrastructure. In recent years, critical infrastructure has become a national security concern as cyberattackers seek to physically harm the public. Unfortunately, many OT systems are “insecure-by-design,” meaning that security vulnerabilities are literally embedded in these products.
While there is a lot of debate about the reasons why such products are released, there is no debate that “insecure-by-design” leads to vulnerabilities. The top three, according to Forescout, are:
- Compromised credentials (such as usernames and passwords)
- Firmware manipulation (such as exploiting the lack of a software patch)
- Remote code execution (similar to how cyberattackers exploit software vulnerabilities in servers and computers)
VC3 does not support OT systems, but we are concerned enough about cybersecurity that we highly encourage you to contact your supervisory control and data acquisition (SCADA) vendor to ensure they are following basic cybersecurity best practices, including:
- Scanning and monitoring your systems for security vulnerabilities and suspicious activity
- Patching software
- Identifying any vulnerable OT assets based on the Forescout report
For more information, you can read CISA’s report and the full Forescout report.