A study conducted by Trend Micro using the Shodan search engine provides some useful information on the exposure of critical infrastructure and industrial systems in the United States.
The study, based on a Shodan search performed in February 2016, targeted cyber assets in critical infrastructure and other sectors (e.g. government, emergency, healthcare, utilities, financial services and education), and industrial control systems (ICS), such as the ones used for building automation, manufacturing processes, power generation and traffic system management.
Researchers determined that in the government sector a majority of the exposed cyber assets were firewalls (48%), wireless access points (13%), specialized devices (9%), routers (6%) and other security devices (6%). Several unpatched servers have been found in these organizations, including ones running Apache Tomcat, Microsoft IIS and Apache HTTPD.
The study showed that the number of cyber assets exposed in Washington, DC is smaller than in Lafayette, Louisiana, and Saint Paul, Minnesota.
Lafayette and Houston, Texas, have the highest number of exposed cyber assets associated with emergency services, although only a few hundred were discovered in each of these cities.
Firewalls, printers and routers account for a majority of the exposed devices in the emergency services sector. Trend Micro pointed out that vulnerable servers have not been identified in these organizations.
While the healthcare industry has been increasingly targeted by cybercriminals, the Shodan search showed a relatively small number of exposed assets in this sector, mainly firewalls and other security devices. On the other hand, some vulnerable servers were exposed by these organizations. The highest number of exposed assets were identified in Cambridge and New York City.
When it comes to the utilities sector, Trend Micro has determined that the exposed cyber assets are primarily located in small cities and towns. The largest number of devices, which are mainly wireless access points and firewalls, were discovered in Clarksville, Hopkinsville, Braintree, Ocala and Bismarck.
In the financial sector, New York City has the highest number of exposed assets (nearly 15,000), which is not surprising considering that the city is a global financial center. Firewalls and other security devices account for more than 90 percent of the exposed devices in this sector.
The education sector is by far the most exposed, with tens of thousands of assets in Philadelphia, Seattle, Chicago, Los Angeles, Ann Arbor and Austin.
Exposed ICS devices
Trend Micro’s study also focused on exposed industrial systems. The top four most exposed ICS-specific protocols identified by researchers are MODBUS, BACnet, Ethernet/IP and Tridium’s proprietary Fox protocol.
In the case of MODBUS, a popular application layer protocol used for interacting with programmable logic controllers (PLCs), experts identified tens of instances in Fort Lauderdale, Houston, New York and Princeton. Many of these products were BMX processor modules from Schneider Electric.
Instances of BACnet, which is used for building automation and control, were identified in Houston, Chicago and Miami. A majority of the products come from Tridium and Trane.
PLCs made by Rockwell Automation’s Allen-Bradley accounted for a majority of the systems exposing Ethernet/IP.
During its research, the security firm also identified exposed human-machine interfaces (HMI). These systems had not been compromised, but being accessible from the Internet put them at risk. The exposed HMIs were associated with a milling machine, a roller press, a water treatment plant, a conveyor belt, an air-handling system, and a power converter.
Trend Micro has also conducted a separate study focusing on all popular Internet-connected devices in the U.S., including webcams, routers, NAS devices, phones, media players, and web and email servers. The largest number of exposed cyber assets were found in Los Angeles, Houston, Chicago, Dallas, Phoenix, San Jose and New York.
Correction: *Trend Micro incorrectly referenced Lafayette, Indiana in the report. The correct reference should be Lafayette, Louisiana.