Standard security practices among IT companies do not necessarily carry over to the IT departments of other firms, leading to products sold without basic security measures in place.
Vulnerabilities in Industrial Control Systems are an outsized threat in the manufacturing sector, and can have ripples in the economy at large—as well as in national security—as this equipment is used extensively across the energy sector. Despite this, vulnerabilities discovered in industrial equipment increased 30% in 2018, according to security research firm Positive Technologies, which announced Thursday the discovery of vulnerabilities in APROL industrial process automation systems made by B&R Automation.
This is not by any means a groundbreaking discovery of some byzantine attack strategy—the vulnerabilities discovered are simply a case of ignoring basic security hygiene, such as disabling unencrypted FTP access, removing the finger utility, disallowing SSH access as root (using passwords), rate-limiting unsuccessful login attempts, encrypting VNC access, and disabling anonymous access to LDAP servers.
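The SSH items in that list (root login with a password, password authentication at all, and a cap on failed attempts) are visible in a single file. As an added example, not code from the article or from B&R Automation, the script below audits an OpenSSH `sshd_config` for them; the function names and both sample configs are constructed here.

```shell
#!/bin/sh
# Added example, not from the article or from B&R Automation: audit an OpenSSH
# sshd_config for the SSH weaknesses named in the hygiene list (root login with
# a password, password authentication, per-connection login-attempt cap).

# ssh_setting FILE KEY: effective value of KEY. OpenSSH honours the first
# uncommented occurrence of a keyword, so stop at the first match.
ssh_setting() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_sshd FILE: print one line per weak setting; prints nothing when the
# file is clean. Missing keywords are read as OpenSSH's defaults.
audit_sshd() {
  f=$1
  root=$(ssh_setting "$f" PermitRootLogin);        : "${root:=prohibit-password}"
  pass=$(ssh_setting "$f" PasswordAuthentication); : "${pass:=yes}"
  tries=$(ssh_setting "$f" MaxAuthTries);          : "${tries:=6}"

  [ "$root" = yes ] && echo "PermitRootLogin yes: root may log in with a password"
  [ "$pass" = yes ] && echo "PasswordAuthentication yes: keys are not required"
  # MaxAuthTries only caps attempts per connection; a host-level limiter such
  # as fail2ban is still needed to rate-limit repeated failed logins.
  [ "$tries" -gt 6 ] && echo "MaxAuthTries $tries: excessive attempts per connection"
  return 0
}

# Constructed samples: the weak state the article describes, and a hardened one.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
  'MaxAuthTries 20' > "$WEAK_CONF"
printf '%s\n' 'Port 22' 'PermitRootLogin prohibit-password' \
  'PasswordAuthentication no' 'PubkeyAuthentication yes' 'MaxAuthTries 3' > "$HARD_CONF"

echo "== weak =="; audit_sshd "$WEAK_CONF"
echo "== hardened =="; audit_sshd "$HARD_CONF"
```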
Some of the vulnerabilities are more consequential, though roughly equally basic, with Positive Technologies researchers finding "errors in memory access in TbaseServer component, errors in AprolLoader and AprolSqlServer components, SQL injection in EnMon energy consumption monitoring and record system, with the possibility of introducing arbitrary commands in the web server," according to a press release.
Though B&R Automation has patched the vulnerabilities, users of prior versions of APROL R will need to manually install updates.
Proliferation of unpatched systems—particularly for industrial settings—is an outsized security risk, providing fertile ground for pernicious attacks such as WannaCry to persist years after patches were made available.