Hackers can exploit a new niche of widespread security vulnerabilities ushered in the by the rise of the Internet of Things (IoT) to target and seize control of critical public and private infrastructure in the US, according to a new report from CyberNews.

The reason US infrastructure is so vulnerable is because many of these systems are run by legacy Industrial Control Systems (ICS) which were designed without cybersecurity in mind. CyberNews‘ research found that many ICS panels for both public and private infrastructure in the US are still unprotected and easily accessible to hackers despite growing investments in infrastructure security.

These control systems are not only left exposed online but they can also be easily seized and manipulated by anyone on the internet. If a coordinated cyberwarfare campaign were to occur, these control panels could be used by attackers to cause severe damage to private and public property, the environment and even the public health and safety of the US population.

While cybersecurity experts have worked for decades to raise awareness of the potential dangers of unsecured ICS panels, their efforts have not yet been successful at changing how these systems are secured against attacks. CTO and CISO at BeyondTrust, Morey Haber explained to CyberNews that off-the-shelf components could be partially to blame, saying:

“The problem is not a lack of understanding of the situation, but rather the time, cost, process, and suitable replacements for legacy technology. With many control systems based on commercial off-the-shelf (COTS) technology, end-of-life scenarios and the lack of affordable extended support solutions renders environments paralyzed balancing budgets between replacing systems or paying for high price extended maintenance.”

Unprotected Industrial Control Systems

As part of an internet mapping project, CyberNews scanned IP blocks for open ports in the US IP address range to discover a number of unprotected and accessible Industrial Control Systems in the US. Hackers could use these same tactics to find and remotely take control of critical private US infrastructure.

While institutions and cybersecurity experts are all aware of the dangers found in these outdated ICS systems, many ICS access points in the US in the water and energy sectors are still vulnerable to attacks. For instance, CyberNews’ research found onshore oil wells, coastal oil wells, public water distribution systems, public water treatment facilities and a public sewer pump station that were all left exposed online and accessible without a password.

The news outlet’s report found that virtually anyone with a specific skill set and a special interest could cause harm to critical US infrastructure. Some examples outlined in its report include silencing alarms on oil wells, infecting the water supply by shutting down disinfectant production or causing town-wide or farm wide water outages. All of these potential attack scenarios could physically affect thousands in the US and have a devastating impact on the businesses that operate these systems.

Thankfully though, CyberNews contacted CISA, CERT and the public and private owners of the unsecured systems it found and open access to them has now been disabled. While we may avoided disaster for now, the fact that so many unsecured ICS systems exist in the US still remains a cause for concern and hopefully the news outlet’s report will help to raise more awareness of this issue.