
Lightbulb Moment: An Exposure Assessment of the U.S. Energy Sector

The energy sector is an essential component of American critical infrastructure. Virtually all other aspects of critical infrastructure depend on reliable energy to power their operations. 

As such, the energy sector in the United States is heavily targeted by both state-sponsored and financially motivated cyber threat groups. Energy industry enterprises face an increasingly hostile threat landscape and must pay close attention to every exposure that could potentially be targeted by bad actors.

Motivation & Methodology 

The goal of this research project is to assess the cybersecurity posture of large organizations in the energy sector, identify trends that may indicate systemic risk, and provide data-based guidance to security leaders within the industry. 

To conduct this research, SixMap evaluated 21 of the largest American energy providers. SixMap discovered all domains and IP addresses, across both the IPv4 and IPv6 spaces, that belong to each organization. Once all the hosts were inventoried, we inspected all 65,535 ports on each host to identify every service exposed to the Internet. Each service was fingerprinted to document the vendor, software product, and exact version in use. This data was then used to determine whether there are known CVEs associated with those exposures.

This research did not engage in any intrusive or harmful activity. Only publicly available data obtained from Internet-facing systems was used. As such, this external vantage point cannot see internal mitigating controls that would minimize the damage in the event of attack or exploitation.

IPv6 Is More Common Than You Might Think

One of the major findings of this research is that IPv6 usage is becoming commonplace. Each of the 21 organizations evaluated for this project had numerous IPv6 hosts exposed to the public Internet. 

This may be a surprising finding to some. At SixMap, we often speak with security leaders who are adamant they do not have any IPv6 assets. However, after running our discovery procedure, which finds all hosts across IPv4 and IPv6, we regularly find IPv6 assets for almost every large organization we evaluate. Most security leaders are not aware of these assets because their current toolset cannot discover or assess hosts in the IPv6 space.

Over the course of this project, SixMap found 39,986 IP addresses in sum, or approximately 1,900 IP addresses per organization. A total of 2,253 IP addresses were in the IPv6 space. That means, in aggregate, about 6% of IP addresses were running on IPv6 across all 21 enterprises.

Per organization, the share of IPv6 hosts ranged from 0.3% all the way up to 31%. On average, each organization had 9% of its hosts in the IPv6 space, a surprisingly high share and an area of potential risk as these assets are not tracked by traditional exposure management tools.

7% Of Exposures Are Out of Sight For Most Tools

A second major finding of SixMap’s research: a sizable share of services are exposed on non-standard ports. Approximately 7% of services were running on ports that fall outside of the top 5,000 most commonly used ports. 

This is a significant percentage of exposures, as traditional exposure management and attack surface management products typically inspect only the top 1,000 to top 5,000 ports. That means roughly 7% of services are never identified or assessed by legacy tools, leaving blind spots and potential risks open to attack.

This raises an important question: why are services running on non-standard ports? There are several possible explanations. 

One is a “security through obscurity” approach, where some services are run on high port numbers in the hopes that attackers won’t find them. An example is running SSH on a high port (say, port 46819) rather than port 22. This is generally not considered good security practice: services that don’t need to be reachable shouldn’t be exposed at all, and attackers will find these ‘hidden’ services anyway. Services that do need to be exposed should be hardened so that they’re secure whether or not attackers know they exist.

Another possible explanation is a service that was created with a short-lived use case in mind, but was never taken down once the temporary need was fulfilled. Yet another possibility is a simple mistake. In other words, the service was never intended to be run on a non-standard port in the first place, but it was due to human error.

Whatever the cause, unknown exposures create risk. Most commercial products do not look at all 65,535 ports by default so, if services are running on non-standard ports, they create invisible exposures that lead to risks for the enterprise. It’s important to fully assess all 65,535 ports on every host to get more complete exposure data.

Not All Vulnerabilities Are Created Equally 

The third major finding of SixMap’s research concerns the vulnerable services themselves. A total of 5,756 CVEs were detected (including duplicates where the same CVE was present on multiple hosts). 

Of course, not all CVEs are equal in terms of risk. There are many factors to consider when judging the risk of a particular CVE, including the ease of exploitation, the severity of impact if the exploit is successful, whether or not the CVE is known to be exploited in the wild, the likelihood of exploitation, and more. Business context, such as the importance of the host where the CVE sits, should also be taken into account.

Of the 5,756 CVEs that SixMap identified, 377 have been exploited in the wild. Among those 377 CVEs known to be exploited, 21 are in vulnerable services running on non-standard ports, which indicates a very serious level of risk. If the CVEs are both known to be exploited and present on ports outside the purview of most exposure management tools, threat actors could potentially exploit the vulnerability and fully compromise the host without detection. 

There are 43 distinct CVEs common to at least 10 of the 21 (45%) organizations evaluated for this research. For each of those 43 common CVEs, there is at least one instance of the associated vulnerable service running on a non-standard port. Further, 6 of the 43 CVEs are known to be exploited in the wild. This suggests a small handful of vulnerabilities are potentially systemic risks across the American energy sector.
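The metrics the post reports (share of IPv6 hosts, share of services outside a scanner’s top-N port list, known-exploited CVEs sitting on non-standard ports, and CVEs common to a given share of organizations) computed from a host/service inventory, as an added example that is not SixMap’s code or data. The inventory rows, org names, CVE ids and the tiny `TOP_PORTS` set are constructed placeholders; a real top-N list has thousands of entries.

```python
from collections import defaultdict
from ipaddress import ip_address
from math import ceil

# Constructed sample inventory, one row per (org, ip, port, cve, known_exploited).
# Org names and CVE ids are placeholders, not figures from the report.
EXPOSURES = [
    ("org-a", "198.51.100.10", 443,   "CVE-0000-0001", True),
    ("org-a", "2001:db8::10",  46819, "CVE-0000-0002", True),
    ("org-b", "198.51.100.20", 22,    "CVE-0000-0001", True),
    ("org-b", "198.51.100.21", 8443,  "CVE-0000-0003", False),
    ("org-b", "198.51.100.21", 80,    "CVE-0000-0003", False),
    ("org-c", "2001:db8::30",  443,   "CVE-0000-0001", True),
    ("org-c", "198.51.100.31", 61000, "CVE-0000-0002", True),
]

# Stand-in for a scanner's default "top N ports" list (real lists are much longer).
TOP_PORTS = {22, 80, 443, 8443}

def ipv6_share(rows):
    """Fraction of distinct addresses that are IPv6 (the 6% / 9% figures in the post)."""
    ips = {ip_address(ip) for _, ip, *_ in rows}
    return sum(ip.version == 6 for ip in ips) / len(ips)

def nonstandard_port_share(rows, top_ports=TOP_PORTS):
    """Fraction of exposed services a top-N port scan would never see."""
    return sum(port not in top_ports for _, _, port, *_ in rows) / len(rows)

def exploited_on_hidden_ports(rows, top_ports=TOP_PORTS):
    """Known-exploited CVEs on ports outside the top-N list: the highest-risk bucket."""
    return {cve for _, _, port, cve, kev in rows if kev and port not in top_ports}

def systemic_cves(rows, min_share=0.45, top_ports=TOP_PORTS):
    """CVEs present in at least min_share of orgs (10 of 21 in the report), each
    flagged for 'known exploited' and 'seen on a non-standard port'."""
    orgs_by_cve, flags = defaultdict(set), defaultdict(lambda: [False, False])
    for org, _, port, cve, kev in rows:
        orgs_by_cve[cve].add(org)
        flags[cve][0] |= kev
        flags[cve][1] |= port not in top_ports
    n_orgs = len({org for org, *_ in rows})
    threshold = ceil(n_orgs * min_share)
    return {cve: {"orgs": len(o), "known_exploited": flags[cve][0],
                  "on_nonstandard_port": flags[cve][1]}
            for cve, o in orgs_by_cve.items() if len(o) >= threshold}

if __name__ == "__main__":
    print(f"{ipv6_share(EXPOSURES):.1%} IPv6, {nonstandard_port_share(EXPOSURES):.1%} on hidden ports")
    print("fix first:", sorted(exploited_on_hidden_ports(EXPOSURES)), systemic_cves(EXPOSURES))
```

Feeding the same functions a full 65,535-port inventory versus a top-N inventory shows directly how much of the exposure (and which exploited CVEs) the narrower scan misses.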

Download The Full Report Now

SixMap is making the full Energy Sector Exposure Assessment Report available for download. Check out the full-length report to access all the data, gain more insights, and understand how to preemptively secure your organization before an attack takes place.