Internet-Exposed HMIs Put Energy, Water Facilities at Risk: Report
30.10.2019 securityweek ICS

Malicious actors could cause serious damage to organizations in the energy and water sectors by targeting their human-machine interfaces (HMIs), according to a report released by Trend Micro on Tuesday.

The security firm’s researchers have used the Shodan search engine and other sources to find Internet-exposed industrial control systems (ICS), particularly HMIs. They showed how attackers could find the physical location of energy and water companies using public sources, and then map the locations to IP addresses through geolocation services such as Maxmind.

Experts noted that while these geolocation services are not very accurate, they do provide a list of possible IP addresses, which the attacker can validate using Shodan or port scans.

They discovered tens of devices used by oil and gas, power systems, water utility, and biogas organizations located in Europe, the United States and other parts of the world. Researchers found that in many cases the HMIs were accessible via unauthenticated VNC servers, allowing potential attackers to interact with their interface using VNC viewer applications.

The number of exposed devices was relatively small and all systems were housed by small and medium-size companies. However, researchers warn that these smaller companies can have a significant impact on the security posture of large corporations as they are often part of the supply chain.

Many of the identified HMIs included critical functionality, including for alarms, changing parameters, and starting or stopping processes. If malicious hackers gain access to these systems, they could easily cause failures or inflict significant damage.

For example, one of the exposed HMIs was used by a water treatment plant. An attack on the facility via the exposed system could lead to drinking water shortages or a public health crisis caused by waterborne diseases, Trend Micro said.

Another exposed HMI belonged to an oil and gas company. An attacker with access to this device could shut down oil and gas wells, potentially causing a state-level or national shortage, the security firm warned.

Similarly damaging attacks could also be launched against solar farms, power plants, and hydroelectric facilities controlled and monitored using the HMIs identified by researchers.

In addition to hijacking the HMI and conducting various activities via its interface, experts warned that malicious actors could launch distributed denial-of-service (DDoS) attacks that cause disruptions to critical processes and result in serious material damage, exploit vulnerabilities in the HMI systems themselves, and abuse them for lateral movement within the targeted organization’s network.

Trend Micro researchers did not expect to find too many individuals interested in industrial systems on underground cybercrime forums, as these types of campaigns are typically the work of state-sponsored groups. However, they were surprised to see that there are some threat actors looking to acquire credentials for ICS/SCADA systems. Experts also found requests to disrupt the industrial systems of competitors, and opportunistic sellers trying to monetize data stolen from industrial facilities.

“While the number of exposed energy and water devices/systems that we discovered was relatively small, it is still a cause for concern because these systems should not be exposed online in the first place,” Trend Micro said in its report. “The good news is that we didn’t find exposed assets from the well-known big corporations and/or state owned entities that operate CI. The exposed assets that we found were mostly owned/operated by small companies. However attackers are not bound by the same restrictions that researchers are bound by — so this does not mean larger companies are necessarily fully secure. The bad news is that smaller companies frequently are part of the supply chain that feeds resources to big corporations; thus, a cyberattack against a small company can indirectly affect bigger corporations.”