Vulnerabilities in industrial control systems surface lack of basic security hygiene

Standard security practices among IT companies do not necessarily carry over to the IT departments of other firms, leading to products sold without basic security measures in place.

Vulnerabilities in Industrial Control Systems are an outsized threat in the manufacturing sector, and can have ripples in the economy at large—as well as in national security—as this equipment is used extensively across the energy sector. Despite this, vulnerabilities discovered in industrial equipment increased 30% in 2018, according to security research firm Positive Technologies, which announced Thursday the discovery of vulnerabilities in APROL industrial process automation systems made by B&R Automation.

This is not by any means a groundbreaking discovery of some byzantine attack strategy—the vulnerabilities discovered are simply a case of ignoring basic security hygiene, such as disabling unencrypted FTP access, removing the finger utility, disallowing SSH access as root (using passwords), rate-limiting unsuccessful login attempts, encrypting VNC access, and disabling anonymous access to LDAP servers.

SEE: Special report: The rise of Industrial IoT (free PDF) (TechRepublic)

Some of the vulnerabilities are more consequential, though roughly equally basic, with Positive Technologies researchers finding “errors in memory access in TbaseServer component, errors in AprolLoader and AprolSqlServer components, SQL injection in EnMon energy consumption monitoring and record system, with the possibility of introducing arbitrary commands in the web server,” according to a press release.

Though B&R Automation has patched the vulnerabilities, users of prior versions of APROL R will need to manually install updates.

Proliferation of unpatched systems—particularly for industrial settings—is an outsized security risk, providing fertile ground for pernicious attacks such as WannaCry to persist years after patches were made available.

For more, check out “Most businesses ‘overconfident’ in their ability to stop cybersecurity breaches,” “Survey: IT industry vets do not think today’s new IT professionals have adequate training,” and “4 ways leaders can prepare for the coming Fourth Industrial Revolution” on TechRepublic.

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

Payroll

The Best Human Resources Payroll Software of 2023

With a lot of choices in the market, we have highlighted the top six HR and payroll software options for 2023.

A computer running Windows 11. — Image: Microsoft.

Software

Windows 11 update brings Bing Chat into the taskbar

Microsoft's latest Windows 11 allows enterprises to control some of these new features, which also include Notepad, iPhone and Android news.

A software engineer works from home. — Image: tanatat/Adobe Stock

CXO

Tech jobs: No rush back to the office for software developers as salaries reach $180,000

Salaries for remote roles in software development were higher than location-bound jobs in 2022, Hired finds.

Project management process to manage and develop with resources to deliver quality product, agile development cycle, businessman project manager balance on clock juggling project management elements. — Image: Nuthawut/Adobe Stock

Software

The 10 best agile project management software for 2023

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

A user typing a password. — Image: Song_about_summer/Adobe Stock

Security

1Password is looking to a password-free future. Here’s why

With phishing-based credentials theft on the rise, 1Password CPO Steve Won explains why the endgame is to 'eliminate’ passwords entirely.

PURPOSE This policy describes the organization’s employee privacy guidelines and outlines employee privacy expectations. From the policy: POLICY DETAILS The organization’s IT equipment, services and systems are intended for business use only. However, the organization acknowledges that staff, consultants and volunteers occasionally require opportunities to make or receive personal phone calls, access personal email, utilize ...

PURPOSE The purpose of this Security Response Policy from TechRepublic Premium is to outline the security incident response processes which must be followed. This policy will assist to identify and resolve information security incidents quickly and effectively, thus minimizing their business impact and reducing the risk of similar incidents recurring. It includes requirements for both ...

Vulnerabilities in industrial control systems surface lack of basic security hygiene