The looming prospect of cyberwar—considering the present state of geopolitics—is increasing tensions around the world, though stakeholders in critical industries are not doing enough to protect against potential damage, according to cybersecurity ratings company BitSight, in a Tuesday blog post.
The potential risks associated with compromised systems are severe. Last year’s widely-publicized VPNFilter attack that infected 500,000 home routers was thought to be a reprise of the BlackEnergy attack from December 2015 that left more than 225,000 in Ukraine without electricity for up to six hours. Both are posited to be the work of Russian state-sponsored threat actors.
BitSight points to a similar incident in December 2016, in which Russian hackers gained access to a computer owned by Vermont-based Burlington Electric, which the company characterized as “a laptop not connected to its grid systems.” CBS News further reported that “Burlington Electric Department spokesman said federal officials have told company officials the threat was not unique to them.”
SEE: Special report: Cyberwar and the future of cybersecurity (free PDF) (TechRepublic)
In aggregate, utilities rank roughly in the middle of enterprises as a while, with a score of 740, while “majority of organizations [fall] between 700 and 770,” according to BitSight’s estimations. BitSight found “51% of utility organizations with no vulnerable services and 45% with no out-of-date systems,” though the organizations that have security problems have extensive security problems, with over 6% of utilities companies having over 100 insecure ports, and over 12% having in excess of 100 out-of-date systems.
The impending end of support for Windows 7 could dramatically shift those figures, as enterprises have been hesitant to upgrade due to poor reception of Windows 8, and ongoing issues with Windows 10.
BitSight also observed that “nearly 5% of utilities are still exposed” to the BlueKeep vulnerability, noting that “This vulnerability, if exploited by an external attacker, will lead to full system compromise, without requiring any form of authentication or user interaction. According to BitSight research, the electric utilities sector is the fourth worst performing sector when it comes to patching this critical vulnerability.”
For more, check out “Vulnerabilities in industrial control systems surface lack of basic security hygiene” and “Vulnerabilities in industrial Ethernet switches allow for credential theft, denial-of-service attacks” on TechRepublic.