Yesterday the DHS ICS-CERT updated a generic control system alert that they originally released last February. This update provides a new piece of threat information and a suggestion for using that information to strengthen industrial control systems.
The alert notes that some unnamed researchers had approached ICS-CERT with information on “a list of more than 500,000 control systems-related devices using supervisory control and data acquisition (SCADA) and other ICS-related search terms” (page 1). Since SHODAN only finds systems that provide at least a minimal face to the Internet, this means that there are at least 500,000 internet-facing control system devices; so much for having control systems isolated from the internet.
The alert goes on to explain that ICS-CERT is trying to “to notify the owners of the identified IP addresses” but it doesn’t take much imagination to figure out that this might take some time. And then there are the addresses that they has no intention of notifying (Iwould guess that devices in Syrian chemical weapons manufacturing sites or Iranian uranium enrichment plants probably would not get the call for example).
In the meantime the second addition in the update is the recommendation that owners use SHODAN as a tool to determine if any of their equipment shows up in the search. This would help them determine which parts of their system need immediate attention. This is not a new idea, I suggested this almost a year ago.
The Real Reason for the Update?
Now I don’t want to be accused of looking for devious alternative reasons for ICS-CERT doing things, but the SHODAN information in this alert isn’t really new. Okay, the ‘500,000’ number is higher than I’ve seen before, but ICS-CERT did an alert specifically on the SHODAN threat in December of last year. Other than the number of detected systems there is nothing in this update that wasn’t better explained in the other alert. Maybe they should have updated that SHODAN alert not this one.
Sharp eyed readers will note that the original issuance of this alert came just after Dale Peterson’s Project Basecamp produced some exploits for number of serious ICS vulnerabilities in PLCs and their communications links. It seems odd that today was the day that Reid Wightman posted a blog on Dale’s DigitalBond [Corrected improper link; 10-26-12 4:21 pm EST] site concerning the latest tools to be used to exploit the last of the Basecamp vulnerabilities.
Interestingly, the CoDeSys vulnerabilities that these tools address are actually a bigger problem in many ways than the problems Dale’s folks identified in the other systems. The reason is that, according to Reid, over 260 vendors use the affected CoDeSys software in their systems. I haven’t seen a list of the affected vendors, but I think that we can safely assume that some significant number of them have never told their customers about the CoDeSys components in their systems. Who knows how many will ever tell their customers about these vulnerabilities. I am sure that ICS-CERT is not going to produce an alert/advisory for each of those affected systems.
Now there is already an alert on the CoDeSys vulnerabilities reported at Project Basecamp. Normally I would expect to see an update on that alert this afternoon, but ICS-CERT has been treating vulnerabilities identified by Reid a bit strange of late. If we don’t see an update later today, then I’m really going to suspect that this update is an attempt to cover the appropriate bases without giving Reid any credit.