UPDATED: ICS-CERT, the emergency response team for industrial control systems, has warned companies that run SCADA (Supervisory Control and Data Acquisition) software that the systems running it may be easily discovered using a free Web based search engine dubbed Shodan.

The warning came in the form of an ICS-CERT Alert, published on October 28. The group, which is part of US-CERT, warns that “multiple independent security researchers” have reported using SHODAN to discover Internet facing SCADA systems in “several critical infrastructure sectors.”

The systems discovered range from those used for remote access and monitoring to systems able to directly manage the configuration of SCADA systems. Vulnerable deployments range from a stand-alone workstation to “larger wide area network configurations connecting remote facilities to central monitoring systems.”

Shodan is a Web-based search engine that discovers Internet-facing computers, including desktops, servers and routers. The engine, created by programmer John Matherly, allows users to filter searches for systems running a specific type of application (say, Apache Web servers or FTP) and to filter results by geographic region. The search engine indexes host ‘banners,’ the metadata a server sends to a connecting client, which includes information such as the type of software running, what services are available and so on.

The Shodan engine isn’t discovering SCADA systems that were previously inaccessible from the public Internet. Rather, it greatly lowers the technical bar needed to canvas the Internet for such systems, ICS-CERT said.

ICS-CERT is coordinating with the affected software vendors and the Information Sharing and Analysis Centers (ISACs) for the affected verticals to resolve the specific security issues reported to the center. However, the steep increase in reports about publicly accessible SCADA systems prompted ICS-CERT to issue a general warning to all critical infrastructure operators.

Some of the systems discovered still use insecure passwords that make them easy targets for brute force attacks. Other systems reported to the CERT were found to still use default passwords that can be retrieved from product documentation or online default password repositories, the Alert warned.

The illusion of security through obscurity is fast fading for companies that manage critical infrastructure such as power plants, electric distribution grids, and water treatment facilities. The recent Stuxnet worm, which was created to manipulate programmable logic controllers used by Siemens, Inc., signalled the advent of threats targeted specifically at SCADA systems. That has set off a scramble for SCADA security talent among IT vendors. Security experts say that the critical infrastructure sector is still dangerously uninformed about modern threats and attacks, still counting on the obscurity of SCADA systems to keep them safe from attack.

“The simple answer is that anything of critical importance should never be connected to the Internet. Ever,” said Shodan creator Matherly in an e-mail to Threatpost. “As the recent Siemens incident shows, many of these systems have glaring security problems or don’t have proper security teams in place.”

Control system operators were advised to conduct an audit of their existing systems, including those not directly connected to the Internet, to make sure that no weak or default passwords are in use. In addition, operators are advised to place all control systems behind firewalls and to isolate them from business networks. Virtual Private Networks (VPNs) should be used for remote access to such systems, and strong passwords and access management strategies should be employed, the Alert says.
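The two audits the Alert recommends, checking for default or weak passwords and checking that control systems are not directly Internet-facing or reachable without a VPN, can be scripted against an exported account list and a network inventory. The following is an added example written for this page, not code from ICS-CERT, Threatpost or any vendor; the default-credential table, host names, account passwords and inventory rows are constructed placeholders, and the inventory column names (`host`, `role`, `zone`, `remote_access`) are an assumed schema.

```python
# Added example (not from the ICS-CERT Alert): audit an exported account list
# for default/weak passwords and a network inventory for control systems that
# are Internet-facing or reachable remotely without a VPN.
import csv
import io
import math
from typing import Dict, List, Tuple

# Constructed stand-in for a vendor default-password list. A real audit would
# load the entries for the products actually in use from their documentation.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("operator", "operator"),
    ("root", "default"),
}


def estimated_entropy_bits(password: str) -> float:
    """Rough strength estimate: log2(pool size) per character, where the pool
    is the union of the character classes present in the password."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def classify_credential(user: str, password: str, min_bits: float = 40.0) -> str:
    """Return 'default', 'weak' or 'ok' for one account."""
    if (user.lower(), password) in DEFAULT_CREDENTIALS:
        return "default"
    # Username embedded in the password, short passwords and low estimated
    # entropy are all treated as weak.
    if user.lower() in password.lower() or len(password) < 8:
        return "weak"
    if estimated_entropy_bits(password) < min_bits:
        return "weak"
    return "ok"


def audit_accounts(rows: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group (host, user, password) rows by classification."""
    findings: Dict[str, List[str]] = {"default": [], "weak": [], "ok": []}
    for host, user, password in rows:
        findings[classify_credential(user, password)].append(f"{user}@{host}")
    return findings


def audit_exposure(inventory_csv: str) -> List[Tuple[str, str]]:
    """Flag control-system hosts that violate the Alert's placement advice:
    directly Internet-facing (zone == 'internet'), or remotely reachable by
    something other than a VPN."""
    violations = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        if rec["role"] != "control":
            continue
        if rec["zone"] == "internet":
            violations.append((rec["host"], "directly Internet-facing; place behind a firewall"))
        if rec["remote_access"] not in ("none", "vpn"):
            violations.append((rec["host"], f"remote access via {rec['remote_access']}; require VPN"))
    return violations


# Constructed sample input (hypothetical hosts and accounts).
SAMPLE_ACCOUNTS = [
    ("hmi-01.example.internal", "admin", "admin"),
    ("hmi-02.example.internal", "operator", "operator1"),
    ("rtu-07.example.internal", "engineer", "R7!kz#Qm2vLp9"),
]

SAMPLE_INVENTORY = """host,role,zone,remote_access
hmi-01.example.internal,control,internet,direct
hmi-02.example.internal,control,control-lan,vpn
rtu-07.example.internal,control,control-lan,none
web-01.example.internal,business,dmz,none
"""

if __name__ == "__main__":
    for category, accounts in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{category:8s} {', '.join(accounts) or '-'}")
    for host, reason in audit_exposure(SAMPLE_INVENTORY):
        print(f"VIOLATION {host}: {reason}")
```

The entropy estimate is deliberately crude (it over-rates dictionary words that happen to mix character classes), so it is a floor for rejecting passwords, not a guarantee of strength; the default-credential check is the part that catches the cases the Alert describes.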

Categories: Compliance, Data Breaches, Government, Malware, Social Engineering, Vulnerabilities

Comments (4)

  1. SCADA_FAIL
    1

    Isn’t the bottom line issue here the miserable engineering of these systems, the lack of a firewall? Setting appliances directly facing the web with no firewall. IPCop could protect a SCADA box, albeit NetBSD might be better. If the SCADA system operators are too lazy to put up the most basic security they have only themselves to blame. It’s certainly not a reason for Obama to “shut down the web” or any of that ratcheting up cybercrime nonsense. It is reason for someone to cut off the web access with a pair of wire cutters and then manually babysit whatever it is. These people keep crying wolf, and when the REAL problems happen they’re clueless, and nobody believes them.

  2. Anonymous
    3

    There’s a difference between a SCADA system that controls things in the real world, and a viral/malware outbreak in the virtual world.

    It’s debatable which is more serious, but a SCADA system has greater potential for causing a physical threat which can impact other people than the operator.

    We need to keep the risks in sight, and secure appropriately.

  3. Brian
    4

    Press Release:

    The New RAGE is Here

    Restricted Access Global Environment That is Only Accessible through Biometrics

    Annapolis, MD July 1, 2011 – SAFE Age Corporation announces the introduction of the RAGE; providing the new age of secure Internet use and access. The RAGE is a patented Restricted Access Global Environment that is unlike the Internet environment we use today. It can only be accessed by a biometrically verified user with a biometric sign-on device. Users are biometrically verified through high levels of encryption and can then gain access to any account or online venue that would usually require a user name, password, PIN, or token. This state-of-the-art technological advancement is unique in that it is impenetrable; eliminating any unauthorized use, fraud or data theft. There is now no need for user names, passwords, PINs, or sign-on tokens.

    Data security is crucial for all levels of business, government, and national defense. Today’s systems contain sensitive data that is virtually useless if it is not properly protected. Hackers, thieves, and intruders are rampant and constantly threatening the security of these systems we rely on. Identity theft ruins lives on a daily basis and cyber security is now a major necessity for all. SAFE Age is proud to offer the solutions to these vexing problems.

    The new RAGE provides secure access to an infinite number of applications that require a protected sign-on to a secure environment. Users can safely conduct any form of commerce, data capture, or secure intelligence with the RAGE. There is a significant difference from the internet that we currently use, in that the RAGE is a self contained, independent, global network that requires biometric access for user verification. The biometric devices can be issued to anyone. Individuals or businesses can use these devices eliminating the need of issuing user names and passwords for accounts. This eliminates access to accounts after business hours or after employee/contract termination. Also, an authorized account owner can give a remote user access to an account, or data vault, through deployment of biometric sign-on devices anywhere in the world. Our patented encrypted biometric devices can be activated and/or de-activated at anytime globally.

    To learn more about The RAGE and how it can assist you in keeping your data safe and secure, please contact Safe Age at: brian@safeage.net or 443-223-3888.

Comments are closed.