ADolus Technologies discovers 57 per cent of control systems are highly vulnerable to cyberattack
In a world where hackers attack home computer systems to steal identity, bank and credit card information, there is ever-present danger of cyberattack to hardware that controls everything from traffic lights to gas and water pipelines and the electrical grid.
Lantzville-based cybersecurity company aDolus Technology, which specializes in security of industrial control systems, was called upon to collaborate on this year’s Microsoft Digital Defence Report. The annual report is studied by governments and industry to keep them updated on current and evolving cybersecurity threats.
ADolus contributed its research dealing with threats to operational technology and the ‘internet of things’ to the report released this month. ADolus was the only company Microsoft collaborated with on the report, said Eric Byres, the company’s chief technology officer.
“The report’s a big deal. It’s one of the big news items of the [cybersecurity] year, except for when something bad happens, and it’s sort of required reading for government officials…” Byres said. “Out of the 127-page report, we were the only other company that they collaborated with, which kind of blew me away. I kind of figured they were collaborating with a bunch of people … we were it. Just us.”
Byres said Microsoft had massive amounts of data from about 1,200 of the most popular makes, models and versions of the products that are considered “mission critical” to industrial control systems around the world.
“What we did with that is our guys wrote a bunch of artificial intelligence routines to then sort of correlate with vulnerabilities,” Byres said.
The generated data allowed the aDolus team to look at the types of control units, their age, operating systems, updates including security updates, patches and known vulnerabilities.
“It was hard work to build all that AI out and have do all this hunting on the Internet to find all those vulnerabilities … The first thing that shocked us about the whole thing was, wait a minute, 40 per cent of these mission-control systems are running [operating] systems that are 10 years old. Like, what?,” Byres said. “Everybody tells you to go patch your Windows, patch your phone, make sure you have it running on the latest version of iPhone, but you’re not patching something that’s running a factory or a refinery? So, yeah, we were a little surprised.”
In other words, what Byres and his team discovered was that industrial control systems cybersecurity and ability to ward off cyberattack is in worse shape than they thought. The Microsoft report stated that 57 per cent of devices on legacy firmware are exploitable to a high number of common vulnerabilities and exposures.
“The significance of maintaining a comprehensive [operational technology] patch management system cannot be overstated,” the report noted.
To learn more about the current state of cybersecurity worldwide, visit the Microsoft Digital Defence Report 2023 at www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023.
To learn more about aDolus Technologies, visit http://adolus.com.