The threats of anomalies in Industrial Control Systems
With a Rhebo Industrial Security Assessment, industrial companies and operators of critical infrastructure gain complete transparency of their Industrial Control System (ICS). All suspicious componentes, connections and communication processes are identified. The results enable those responsible for cybersecurity to immediately eliminate threats and to secure their ICS.
The following examples showcase typical results from Rhebo audits and the identified anomalies.
Also, explore the technical error state anomalies that threaten the productivity of automated manufacturing companies.
Preventing Malware Infection
-
Analysis
Rhebo Industrial Protector registered multiple communication via the protocol types VNC, NetBIOS and SMB. The protocols are typically used by Windows devices for remote configuration and file sharing.
Their usage is usually not wanted in industrial networks.
-
Security Threat
The protocols are often used by malware (e.g. NotPetya and WannaCry). If the affected devices have direct or indirect access to the Internet, the ICS is at risk of compromise or infection.
Threats:
- financial loss due to production downtime
- power failure due to blackout
- system recovery and repair costs
Deactivating Insecure Ports
-
Analysis
Rhebo Industrial Protector frequently identifies communication via ports for which security vulnerabilities are known (i.e. CVE vulnerabilities). In some cases, this anomaly correlates with suspicious communication patterns.
For example, in one case Rhebo Industrial Protector reported communication over a questionable port used by the Windows WBT Server for Remote Desktop Protocol (RDP). Only a few packets were transmitted during the communication, which is uncharacteristic for RDP connections.
-
Security Threat
Ports for which vulnerabilities are known are regularly used by Trojans and malware for communication.
The characteristics of the exemplary communication (short-term and encrypted) additionally support the assumption of malicious communication and a compromise of network components.
Threats:
- financial loss due to production downtime
- power failure due to blackout
- system recovery and repair costs
- loss of customer trust
Remedying Software Vulnerabilities
-
Analysis
The analysis identified some devices communicating via software for whose current version in use serious vulnerabilities are known.
The used ports and access patterns were particularly noticeable.
-
Security Threat
The known security gaps allow attackers to crash the system or execute arbitrary code (i.e. malware). This poses an acute threat to system security.
Threats:
- financial loss due to production downtime
- disrupted supply due to blackout
- system recovery and repair costs
Blocking Unauthorized Assets
-
Analysis
A device in the control network used an independently assigned fallback IP address.
This anomaly often occurs when a new device does not receive an IP address from the authorized DHCP server for various reasons.
The device is obviously not known in the network.
-
Security Threat
Potentially the device was placed with malicious intent to spy on the network or install malware. Furthermore, unknown devices and their communication can compromise the functionality of the ICS leading to malfunctions or disruptions.
Threats:
- financial loss due to theft of intelligence
- financial loss through downtime
- loss of customer trust
Deactivating Hidden Internet Connections
-
Analysis
Rhebo Industrial Protector registered many DNS requests to servers on the Internet, which are located in address spaces of different CDNs (Content Distribution Networks).
The requested servers are located on the Internet and it is not clear who is operating them.
-
Security Threat
There is a high risk that malware or ransomware is installed in the network via such servers. Furthermore, hackers can use this access for industrial espionage.
Threats:
- financial loss due to theft of intelligence
- potential costs through downtime
- loss of customer trust