Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates

Researchers from Forescout’s research arm, Vedere Labs, have raised an alarm about ignored security threats to exposed critical infrastructure environments. They examine the evolution of exposed OT/ICS (operational technology/industrial control system) data from 2017 to 2024 and highlight the persistent neglect of internet-exposed critical infrastructure and the possibility of a mass-target attack.

In their report titled ‘Better Safe than Sorry,’ the Forescout researchers find that these internet-exposed OT/ICS devices are fertile ground for abuse: attackers need little more than a basic targeting rationale driven by current events, copycat behavior, or the emergence of new off-the-shelf capabilities and readily available hacking guides to create chaos. Such exposure remains a critical infrastructure security issue despite decades of awareness-raising, new regulations, and periodic CISA advisories.

“Moreover, opportunistic attackers are increasingly abusing this exposure at scale — sometimes with a very lax targeting rationale driven by trends, such as current events, copycat behavior, or the emergencies found in new, off-the-shelf capabilities or hacking guides,” the report disclosed. “A recent wave of attacks by the Iranian-affiliated Cyber Av3ngers hacktivist group targeted Israeli-made Unitronics Programmable Logic Controllers (PLCs) around the world. One of the attacks occurred at a water utility near Pittsburgh bringing the timeless issue of internet-exposed OT/ICS into the spotlight once more.” 

“If these warnings sound familiar, it’s because they are. The looming potential for a mass target scenario is high,” Elisa Costante, vice president of research at Forescout Research – Vedere Labs, said in a media statement. “Forescout calls on vendors, service providers, and regulatory agencies to work collectively to prevent attacks on critical infrastructure that will spare no one.”

Vedere Labs first identified the countries and device types where exposure has been reduced but still poses a risk. “Then, we analyze details of three recent cases of device exposure beginning with the Unitronics attack wave. Additionally, we discuss our attempts to proactively identify and notify asset owners with exposed Schneider Electric Modicon and Wago 750 PLCs. And, lastly, we delve into the exposure of devices using the Nucleus NET and NicheStack TCP/IP stacks — which was the subject of our research in Project Memoria,” it added.

The report revealed that the U.S. and Canada have significantly reduced their exposed devices while EU countries and Russia have grown theirs. Of the nearly 110,000 internet-facing OT/ICS devices worldwide in January 2024, the U.S. hosts 27 percent, followed by Italy, Spain, France, and Canada with a combined 17 percent. Only the U.S. and Canada significantly reduced their number of exposed devices during the period of study, by 47 percent and 45 percent respectively. Among the other top-10 countries, exposed device counts increased: Spain by 82 percent, Italy by 58 percent, France by 26 percent, Germany by 13 percent, and Russia by 10 percent.

Forescout highlights that manufacturing and building automation protocols make up a major portion of exposed device types. Modbus represents 29 percent of exposed services, followed by three building automation protocols – KNX, BACnet, and Tridium Fox – with a combined total of 32 percent. The top 10 types of exposed services remained mostly constant since 2017, but Tridium Fox, Lantronix, and MOXA Nport saw a significant decrease in the number of devices (70 percent for the first two and 53 percent for the last), while Modbus and Siemens S7 saw an increase of 48 percent for Modbus and 121 percent for S7. Some of these reductions correlate with proactive research and government notification. 

Furthermore, many of these internet-exposed OT devices and protocols appear to be the result of system integrator practices, such as delivering packaged units that act as black boxes to asset owners and inadvertently exposing multiple systems to the internet as part of standard setups. In all likelihood, most asset owners are unaware these packaged units contain exposed OT devices. Once again, this situation highlights the need for an accurate and granular software and hardware bill of materials as part of a comprehensive risk management strategy.

Forescout reported that while a combination of CISA alerts and media attention in the wake of the Unitronics hacking attacks has resulted in a reduction of almost 48 percent in internet-exposed Unitronics PLCs in two months, this is a highly reactive approach. “The decrease of Unitronics devices in Israel started in early 2022 coinciding with the earliest attacks reported on those devices. In the US, the decrease only started at the end of 2023 following recent attacks,” it added. 

The report detailed that nearly half of previously reported ports are still open. “Considering the historical targeting of Modicon and Wago PLCs, we reassessed these exposed devices a year after we originally reported some of them to CISA. About half of the reported PLCs still had the same ports open with no changes or measures taken. About 30% were no longer internet-exposed while the other 20% remained exposed but had closed the OT port in question. However, FTP and web interfaces were still open occasionally,” it added. 

Additionally, fewer than 1,000 exposed devices currently run Nucleus NET, and around 5,500 run NicheStack, a significant reduction from the counts in Forescout’s original Project Memoria research. These reductions happened even though there is no evidence of attacks targeting these vulnerabilities or these devices directly.

In its conclusion, Forescout said “We show how internet exposure of OT/ICS continues to be a timely issue and how opportunistic attackers are increasingly abusing this exposure at scale. Many internet-exposed OT devices are the result of system integrator practices where asset owners are likely unaware of exposed devices. To reduce risk, organizations should proactively leverage targeted notifications.” 

Given the growing scale of attacks on exposed OT/ICS, Forescout recommends that asset owners harden connected devices, starting by identifying every device connected to the network and enumerating known vulnerabilities, credentials in use, and open ports. They should change default or easily guessable credentials and use strong, unique passwords for each device. They should also disable unused services and patch vulnerabilities to prevent exploitation, make sure the organization has an accurate picture of its internet-exposed assets, and never assume it will not be a target.

The researchers also called upon organizations to make sure their asset inventory is granular enough to cover third-party ‘black box’ systems and ensure cyber-security best practices form an integral part of all Site Acceptance Tests (SATs). They must also segment the network to isolate IT, IoT, and OT devices, limiting network connections to only specifically allowed management and engineering workstations or among unmanaged devices that need to communicate. They must also ensure administrative interfaces, such as web UIs and engineering ports on connected devices are behind IP-based access control lists or are only accessible from a separate, VPN-protected management VLAN. 

Vedere Labs called upon organizations to use an IoT/OT-aware, DPI-capable monitoring solution to alert on malicious indicators and behaviors, and to watch internal systems and communications for known hostile actions, such as vulnerability exploitation, password guessing, and unauthorized use of OT protocols. Finally, they should monitor the activity of hacktivist groups on Telegram, Twitter, and other sources where attacks are planned and coordinated, including what kind of hacking material gets shared in these communities, since that gives early warning as to which exposed systems are more likely to be targeted than others.
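As an added illustration of the kind of check an OT-aware DPI monitor performs for the “unauthorized use of OT protocols” item above (example code written for this page, not part of the Forescout report or of any product), the script below parses Modbus/TCP requests, the most common exposed service in the report, and alerts when a write or diagnostic request comes from a host outside the allowlist of engineering workstations that the segmentation guidance in the preceding paragraph describes. The addresses, allowlists and frames are constructed for the example; the MBAP framing and function codes follow the public Modbus specification.

```python
import struct
from dataclasses import dataclass

# Modbus function codes grouped by their effect on the process (Modbus spec).
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers",
               22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
DIAG_CODES = {8: "Diagnostics", 43: "Encapsulated Interface Transport"}

MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(src: str, dst: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request frame (MBAP header + PDU).

    Raises ValueError for anything that breaks the framing rules; that is
    itself worth alerting on, since scanners and fuzzers send frames a real
    HMI never would.
    """
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (0)")
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame ({len(frame) - 6})")
    return ModbusRequest(src, dst, tid, uid, frame[MBAP_LEN], frame[MBAP_LEN + 1:])


def inspect(frames, ot_clients: set, engineering_hosts: set) -> list:
    """Apply an allowlist policy to a sequence of (src, dst, frame) tuples.

    ot_clients: hosts allowed to speak Modbus to the PLCs at all (HMIs, historians).
    engineering_hosts: the subset allowed to write or run diagnostics.
    """
    alerts = []
    for src, dst, frame in frames:
        try:
            req = parse_modbus_tcp(src, dst, frame)
        except ValueError as err:
            alerts.append({"severity": "medium", "src": src, "dst": dst,
                           "reason": f"malformed Modbus/TCP: {err}"})
            continue
        fc = req.function_code
        name = WRITE_CODES.get(fc) or DIAG_CODES.get(fc) or READ_CODES.get(fc) or f"FC {fc}"
        if src not in ot_clients:
            # Any Modbus from an unknown source is unauthorized OT protocol use;
            # a write from such a source is the worst case.
            sev = "high" if fc in WRITE_CODES else "medium"
            alerts.append({"severity": sev, "src": src, "dst": dst,
                           "reason": f"{name} (unit {req.unit_id}) from host not in OT allowlist"})
        elif (fc in WRITE_CODES or fc in DIAG_CODES) and src not in engineering_hosts:
            alerts.append({"severity": "high", "src": src, "dst": dst,
                           "reason": f"{name} (unit {req.unit_id}) from non-engineering host"})
    return alerts


# Constructed sample traffic (hypothetical addresses; outsiders use RFC 5737 ranges).
PLC = "10.0.2.10"
SAMPLE_FRAMES = [
    # HMI reads 10 holding registers from unit 1: normal.
    ("10.0.1.20", PLC, bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Engineering workstation writes a single register: allowed.
    ("10.0.1.50", PLC, bytes.fromhex("0002 0000 0006 01 06 0010 0001")),
    # HMI (not an engineering host) forces a coil: policy violation.
    ("10.0.1.20", PLC, bytes.fromhex("0003 0000 0006 01 05 0000 ff00")),
    # Internet host writes multiple registers: the opportunistic-attack scenario.
    ("203.0.113.7", PLC, bytes.fromhex("0004 0000 0009 01 10 0000 0001 02 0000")),
    # Internet host reads device identification: reconnaissance.
    ("198.51.100.5", PLC, bytes.fromhex("0005 0000 0005 01 2b 0e 01 00")),
    # Truncated frame, as a scanner or fuzzer might send.
    ("198.51.100.5", PLC, bytes.fromhex("0006 0000 0006 01")),
]

OT_CLIENTS = {"10.0.1.20", "10.0.1.50"}
ENGINEERING_HOSTS = {"10.0.1.50"}

if __name__ == "__main__":
    for alert in inspect(SAMPLE_FRAMES, OT_CLIENTS, ENGINEERING_HOSTS):
        print(alert)
```

Run as-is it prints four alerts: the HMI’s coil write and the external register write at high severity, and the external device-identification read and the truncated frame at medium. A production monitor would feed the same logic from a packet capture or span port and key the allowlists off the asset inventory the report asks owners to maintain; the point of the example is that the policy is expressed per function code and per source, not just per TCP port.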

The report determines that there is a wealth of different protocols and devices exposed but opportunistic attackers seem to prefer whatever happens to have a Metasploit module or a guide available, walking them through the engineering software step-by-step.

Earlier this month, the Vedere Labs researchers uncovered an exploitation campaign targeting organizations running Fortinet’s FortiClient EMS, which is susceptible to CVE-2023-48788. The campaign, dubbed ‘Connect:fun,’ is named for its use of ScreenConnect and Powerfun as post-exploitation tools and is Forescout’s first named campaign. The incident involved a media company affected by CVE-2023-48788, with indications of a threat actor active since at least 2022 that focuses on Fortinet appliances and uses Vietnamese and German languages within its infrastructure.
