Most of the power, water and manufacturing facilities in Canada and the US rely on some kind of industrial control system (ICS). These systems are usually built on Windows and have some kind of front end that connects to the Internet, which makes them prime targets for web-based attacks.
The problem is that many of the systems in use don't necessarily function well with some of the patches Microsoft releases for these environments. This means operators either have to forgo the patch or buy new systems that can accept it. Inherently, this makes these critical systems one of the easiest and most impactful targets for cyber criminals.
The main complication of these environments is that it is almost impossible to do any type of maintenance: you can't necessarily take the system offline for scanning or patching, because it often has to run 24/7/365. An alarming fact is that these systems often require an administrator to be logged in at all times, with the password shared between all shifts and changed once a year.
There are tools that can monitor ICS-based networks, but the real problem is that these systems are so delicate, and must run all the time, that there is hesitation to make any modification (including adding security controls) that could disrupt service delivery. This means the security controls are going to be fairly relaxed, making these environments a prime target for attacks such as Stuxnet, which was used against an Iranian nuclear facility back in 2010.
Vendors have been working with users to introduce security controls that can be implemented in these systems, but by nature these users aren't security professionals, so getting them to adopt something they see as a potential risk to uptime is a hard sell. Add to that the fact that the more publicity vendors bring to this issue, the more encouragement they give attackers by drawing attention to the vulnerabilities.
There will always be risks to these systems, and because they are such a critical backbone of the nation's functioning, they are a high-profile target. It is the existence of these types of vulnerabilities that is fueling the cyberwar fire.