Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an alert about control systems that are accessible from the Internet. This is a follow-up to the alert they published last October, when news of the SHODAN search engine became widely available.
Since that earlier alert was published, a number of security researchers have contacted ICS-CERT with detailed information about real-life control systems that they have found using tools like SHODAN. The summary data provided in this alert are scary. The findings include:
• February 2011: remote access links for a number of electrical utilities were discovered online, many still using default usernames and passwords;
• April 2011: 75 Internet-facing control systems from the water sector, again many using default logon credentials; and
• September 2011: several thousand Internet-facing control systems in 63 different countries.
In these cases ICS-CERT coordinated with vendors and system owners to reduce the threat from these readily found vulnerabilities. But, as with just about any other security vulnerability, they only know how many systems they have found, not the actual number of vulnerable systems. And someone could be locating those systems right now and planning their own unwanted penetration testing of the identified systems.
Use of Search Engine Tools
Shortly after the original alert came out last year I did a blog posting on how these search engine tools could be used to protect industrial control systems from potential attacks. According to this alert, while ICS-CERT hasn’t actually been using these tools itself to search for vulnerable systems, it certainly seems to have been proactive in using data provided by researchers who used these tools to actively search for Internet-facing systems.
With the known proliferation of SCADA systems and devices whose design includes potential Internet connectivity, I think that any cybersecurity manager worthy of the title should periodically conduct (or have appropriate security vendors conduct) searches for Internet-facing devices in their control systems.
Regulated SCADA systems (which currently include only the NERC and CFATS programs) should be required to conduct such searches periodically. Any agency review of the security of such systems should routinely include an agency-conducted search for Internet-facing systems and an evaluation of the security measures in place to protect the detected devices.
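One way to turn the periodic self-search recommended above into a repeatable check, as an added example that is not from this post, ICS-CERT, or any search engine vendor: reconcile an exported list of Internet-facing hosts (constructed here; the record field names are assumed, not any real export format) against the organisation’s own public address ranges and a list of reviewed, approved exposures, and flag everything else, tagging well-known ICS protocol ports so they can be triaged first.

```python
import ipaddress
import json

# Well-known ICS protocol port assignments (general knowledge, not from the alert).
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 47808: "BACnet"}

# Hypothetical: the organisation's own public ranges (constructed, documentation prefixes).
OWN_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("198.51.100.0/25")]

# Hypothetical: (ip, port) exposures already reviewed and approved by the security team.
APPROVED = {("203.0.113.10", 443)}

# Constructed export, one JSON record per line; field names are assumed.
EXPORT = """
{"ip": "203.0.113.10", "port": 443, "product": "HTTPS portal"}
{"ip": "203.0.113.25", "port": 502, "product": "Modbus"}
{"ip": "198.51.100.7", "port": 20000, "product": "DNP3"}
{"ip": "192.0.2.44", "port": 502, "product": "Modbus"}
{"ip": "203.0.113.30", "port": 80, "product": "HTTP"}
"""


def in_own_ranges(ip, own_ranges):
    """True if the address falls inside one of our own public ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in own_ranges)


def unexpected_exposures(export_text, own_ranges=OWN_RANGES, approved=APPROVED):
    """Return records in our own ranges that are not on the approved list.

    Each finding carries the ICS protocol name when the port is a known ICS port,
    or "other" so that non-ICS services still get reviewed. Hosts outside our
    ranges are ignored: the point is to audit our own exposure, nobody else's.
    """
    findings = []
    for line in export_text.strip().splitlines():
        rec = json.loads(line)
        if not in_own_ranges(rec["ip"], own_ranges):
            continue
        if (rec["ip"], rec["port"]) in approved:
            continue
        findings.append({"ip": rec["ip"], "port": rec["port"],
                         "protocol": ICS_PORTS.get(rec["port"], "other"),
                         "product": rec["product"]})
    # ICS protocols first, since those are the devices the alert is about.
    findings.sort(key=lambda f: f["protocol"] == "other")
    return findings
```

Run the check after every fresh export and treat any new ICS-tagged finding as an incident until it has been either removed from the Internet or formally approved.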
Last year’s ICS-CERT alert notified the control system industry of the problem. This report clearly identifies the extent of the problem. The ICS security community now has no excuse for not proactively using these tools to detect, correct and protect their systems from potential attack via systems and devices left openly accessible from the Internet.