In a two-year study of information about critical control systems directly connected to the Internet, researchers found mining equipment, a surprising number of wind farms, a crematorium, water utilities, and several substations.
“The team had no idea of the scope, or magnitude, as to how extensive this issue was,” wrote Robert Radvanosky, owner and principal of Infracritical, one of the main researchers behind the project.
Project SHINE (so named after SHodan INtelligence Extraction) harvested publicly available data about SCADA and industrial control system devices that appeared to be directly connected to the Internet, from April 2012 to January 2014. The SHODAN search engine, which indexes the service banners of Internet-facing hosts, records a wealth of information about each device, including its IP address, geographic location (including latitude and longitude coordinates), owner, service port header information, firmware details, and available protocols. All of the information was obtained from publicly available sources, which means it is available to anyone motivated enough to look for it.
Considering that many of these SCADA and control systems have Web (HTTP), file transfer (FTP), network management (SNMP) or Telnet services enabled by default, it is “reasonable to assume that most search engines have probably discovered these devices,” the report said.
Researchers have long speculated that many control system assets, such as remote terminal units (RTUs) or programmable logic controllers (PLCs), were exposed to the Internet. Some researchers had previously used SHODAN to show examples of SCADA and other industrial control systems directly connected to the Internet, but there had not been any large-scale or in-depth effort to map the extent of the problem. Project SHINE attempts to identify the types of information available, and the potential risks of having that information exposed.
The sheer number of devices exposed and the wide geographic area over which they were located were staggering, Radvanosky told SecurityWeek.
Researchers identified 182 manufacturers that they considered traditional SCADA and control system vendors, and built search queries based on those names to find devices. The number was a surprise: the team had expected only a dozen or so manufacturers. In all, the team sampled about 2.2 million devices over the course of the project.
The project didn’t end in January because the team found everything. “We didn’t see an end to this effort, so we decided to put a stake in the sand and say, ‘At this point we have enough data to report about this.’ This is a snapshot,” Radvanosky told SecurityWeek.
Of the sampled devices, roughly a quarter, or 586,997, were industrial systems such as RTUs and PLCs from vendors including Allied Telesis, Niagara, Digi International, Intoto, Siemens, Lantronix, Moxa, EnergyICT, and VxWorks. (VxWorks is an embedded operating system that runs on many such devices rather than a device maker, but it appears among the vendor names in the sample.) EnergyICT, Siemens, and Moxa were the most widely used.
Another 13,475 devices were HVAC and building automation systems from vendors such as BACnet International, Bosch Automation, Honeywell, Lennox, and LG Electronics. Heatmiser and Honeywell accounted for most of the devices in the sample. Including HVAC and automation systems in SHINE’s data set was important because many attackers use these systems as an indirect avenue of attack, Radvanosky said. These systems let attackers get into the network and scan to find out what other systems are accessible. Consider what happened with Target, and with a number of healthcare organizations recently, he said.
Then there are the 204,416 serial-to-Ethernet devices in the sample, from vendors such as Allied Telesis, Digi International, Moxa, and Lantronix. These devices are even more worrying because they bypass traditional firewalls and can be accessed directly, Radvanosky said. They are particularly common in electric and water utilities. System integrators are thinking about ease of deployment and simplicity, and assuming no one will know to look for these devices in the first place, Radvanosky said.
Most system integrators and organizations have no idea how exposed they are, Radvanosky said. The lack of information is pervasive: they may not know how to secure these devices in the first place, may not know what devices they have, or may not be aware that they have devices on the network that are visible from the Internet.
The goal of SHINE is to get organizations to start thinking about the problem and to start auditing their environments, Radvanosky said. Organizations often settle for “good enough security,” which ignores the fact that security is an ongoing process. There needs to be active review of the engineering design in which security questions are thoroughly examined. Organizations need to start looking at security “as part of design and implementation reviews,” he said. Something that was secure today may not be secure tomorrow, and will definitely not be secure a year from now unless steps are taken to keep up with changes.
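The two practical threads above, building vendor-name queries and sorting the hits into SHINE’s three device categories, and then auditing your own address space for devices that show up, can be demonstrated with a short script. The following is an added example written for this article, not Project SHINE’s own tooling or anything released by Infracritical. It assumes banner records in the shape of SHODAN’s JSON export (one object per line with `ip_str`, `port`, `transport`, `org`, `product`, `data` and `location`); the sample records, organization names and addresses are constructed, and the vendor keyword lists are only the names this article mentions rather than the full 182-manufacturer list. The article lists Moxa, Lantronix and Digi under both the industrial and the serial-to-Ethernet categories; treating them as serial-to-Ethernet here is a simplification for the example.

```python
"""Classify SHODAN-style banners into SHINE's categories and flag the ones
that sit in your own address space. Added example, not Project SHINE code."""
import ipaddress
import json
import re
from collections import Counter

# Constructed sample in the layout of a SHODAN JSON export (one banner per
# line). Addresses are documentation ranges; organisations are fictional.
SAMPLE_BANNERS = r"""
{"ip_str": "203.0.113.10", "port": 80, "transport": "tcp", "org": "Example Water District", "product": "Moxa NPort web console", "data": "HTTP/1.0 200 OK\r\nServer: MOXA\r\n", "location": {"latitude": 40.0, "longitude": -75.0, "country_code": "US"}}
{"ip_str": "203.0.113.11", "port": 23, "transport": "tcp", "org": "Example Water District", "product": "", "data": "Lantronix Universal Device Server\r\nlogin: ", "location": {"country_code": "US"}}
{"ip_str": "198.51.100.5", "port": 161, "transport": "udp", "org": "Example Substation Co", "product": "", "data": "SNMPv1 public\nsysDescr: Siemens", "location": {"country_code": "DE"}}
{"ip_str": "198.51.100.9", "port": 47808, "transport": "udp", "org": "Example Office Park", "product": "BACnet", "data": "Vendor: Honeywell", "location": {"country_code": "US"}}
{"ip_str": "192.0.2.77", "port": 443, "transport": "tcp", "org": "Example Hosting", "product": "nginx", "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n", "location": {"country_code": "NL"}}
"""

# Vendor keywords per SHINE category, limited to the names in the article.
# Order matters: the first category with a matching keyword wins.
CATEGORIES = (
    ("hvac_building", ("heatmiser", "honeywell", "lennox", "bacnet", "bosch", "lg electronics")),
    ("serial_to_ethernet", ("moxa", "lantronix", "digi", "allied telesis")),
    ("industrial", ("siemens", "energyict", "niagara", "intoto", "vxworks")),
)

# Well-known ports for the services the article says are often enabled by
# default, plus the two ICS/building protocols most often seen alongside them.
SERVICE_BY_PORT = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp",
                   443: "https", 502: "modbus", 47808: "bacnet"}


def load_banners(text):
    """Parse JSON-lines banner export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(record):
    """Return the SHINE category for a banner, or None if no listed vendor matches.
    Whole-word matching avoids false hits such as 'digi' inside 'digital'."""
    text = " ".join(str(record.get(k, "")) for k in ("org", "product", "data")).lower()
    for category, keywords in CATEGORIES:
        for kw in keywords:
            if re.search(r"\b" + re.escape(kw) + r"\b", text):
                return category
    return None


def service_name(record):
    """Map the banner's port to a service label; unknown ports are reported as-is."""
    port = record.get("port")
    return SERVICE_BY_PORT.get(port, "port %s" % port)


def summarize(records):
    """Count ICS banners by SHINE category and by exposed service."""
    by_category, by_service = Counter(), Counter()
    for rec in records:
        cat = classify(rec)
        if cat is None:           # not an ICS vendor we know; ignore
            continue
        by_category[cat] += 1
        by_service[service_name(rec)] += 1
    return dict(by_category), dict(by_service)


def exposed_in_own_space(records, cidrs):
    """Audit step: ICS banners whose address falls inside the given CIDR blocks,
    i.e. devices the organisation owns that are visible from the Internet."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    hits = []
    for rec in records:
        cat = classify(rec)
        if cat is None:
            continue
        addr = ipaddress.ip_address(rec["ip_str"])
        if any(addr in net for net in nets):
            hits.append({"ip": rec["ip_str"], "port": rec["port"],
                         "service": service_name(rec), "category": cat})
    return hits


if __name__ == "__main__":
    recs = load_banners(SAMPLE_BANNERS)
    by_category, by_service = summarize(recs)
    print("by category:", by_category)
    print("by service: ", by_service)
    # Hypothetical netblock owned by "Example Water District".
    for hit in exposed_in_own_space(recs, ["203.0.113.0/24"]):
        print("exposed in own space:", hit)
```

Run against a real export, the `exposed_in_own_space` list is the starting point the article asks for: each hit is a device the organization owns, the service it answers on, and a reason to ask why it is reachable from the Internet at all.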
Many times, security is treated as a one-time review, and then forgotten until a researcher finds an issue. “Then they are shocked and surprised,” Radvanosky said.
Radvanosky and Jake Brodsky, the co-principal of Infracritical, worked on SHINE “outside our normal work duties,” he said. The goal was not to place blame on anyone, but to identify the scope of the problem so that the issues can be fixed, he said.
“The raw data that was accumulated is potentially dangerous information,” the report said. Full disclosure of what the researchers found could be used to attack the systems. The goal of the report is to make the public aware of the extent to which information is exposed and of the severity of the situation, the authors wrote. “We feel a community effort should begin somewhere, starting first with public awareness,” the authors concluded.
Radvanosky is expected to share his findings at the 2014 ICS Cyber Security Conference taking place in Atlanta later this month.