A recent study conducted by Positive Technologies has revealed that 91% of industrial companies are vulnerable to cyberattacks. Positive Technologies’ penetration testers determined that all of those companies had unaddressed vulnerabilities, and that external cyber threat actors could exploit them to gain access to the corporate networks, obtain credentials, and take full control of the IT infrastructure.
Out of the 91% of vulnerable companies, 69% had left sensitive data exposed, which could easily be exfiltrated by external hackers, including internal documentation and the individually identifiable personal information of employees and partners.
At 75% of vulnerable companies, the pen testers gained access to the technological parts of the network, and in 56% of cases, were able to access industrial control systems. If the pen testers had been cyber threat actors, they could have installed malware or ransomware and conducted a devastating cyberattack that would cause a complete shutdown of production. It would also be possible to cause permanent damage to IT systems, or cause industrial equipment to fail, which would put the safety of workers at risk and could potentially result in loss of life.
A range of exploitable vulnerabilities was identified, including the continued use of outdated software with known unaddressed vulnerabilities. The pen testers also found that many of the companies saved usernames and passwords in remote access authentication forms. That means that if a hacker were able to gain access to a company computer, they could then log in to resources in isolated segments of the network without having to obtain credentials.
Evidence was found during the investigations that suggested several of the industrial companies had already had their systems compromised. The researchers identified suspicious events in the networks of each of the companies whose security defenses they had breached, which could indicate they were not the first individuals to exploit the security weaknesses. At one of the companies, the pen testers discovered that an RDP connection had been made to an external cloud storage repository and 23 GB of data had been exfiltrated via RDP and HTTPS.
“Today, the level of cybersecurity at most industrial companies is too low for comfort. In most cases, Internet-accessible external network perimeters contain weak protection, device configurations contain flaws, and we find a low level of ICS network security and the use of dictionary passwords and outdated software versions present risks,” said Olga Zinenko, senior analyst, Positive Technologies.