UPDATED: ICS-CERT, the emergency response team for industrial control systems, has warned companies that run SCADA (Supervisory Control and Data Acquisition) software that the systems running it may be easily discovered using a free Web based search engine dubbed Shodan.
The warning came in the form of an ICS-CERT Alert, published on October 28. The group, which is part of US-CERT, warns that “multiple independent security researchers” have reported using SHODAN to discover Internet facing SCADA systems in “several critical infrastructure sectors.”
The systems discovered range from systems used for remote access and monitoring, but also include systems with the ability to directly manage configuration of SCADA systems. Vulnerable devices range from a stand alone workstation to “larger wide area network configurations connecting remote facilities to central monitoring systems.”
Shodan is a Web based search engine that discovers Internet facing computers,including desktops, servers and routers. The engine, created by programmer John Matherly, allows users to filter searches for systems running a specific type of application (say, Apache Web servers or FTP) and filter results by geographic region. The search engine indexes host ‘banners,’ which include
meta-data sent between a server and client and includes information such as the type of software run, what services are available and so on.
The Shodan engine isn’t discovering SCADA systems that were previously inaccessible from the public Internet. Rather, it greatly lowers the technical bar needed to canvas the Internet for such systems, ICS-CERT said.
ICS-CERT is coordinating with the affected software vendors and Information Sharing and Analysis Centers (ISACS) for affected verticals to resolve the specific security issues reported to the center. However, the steep increase in reporting about publicly accessible SCADA systems prompted ICS-CERT to issue a general warning to all critical infrastructure operators.
Some of the systems discovered are still insecure passwords that are easy targets for brute force attacks. Other systems reported to the CERT were found to still use default passwords that can be retrieved from product documentation or online default password repositories, the Alert warned.
The illusion of security through obscurity is fast fading for companies that manage critical infrastructure such as power plants, electric distribution grids, and water treatment facilities. The recent Stuxnet worm, which was created to manipulate programmable logic controllers used by Siemens, Inc., signalled the advent of threats targeted specifically at SCADA systems. That has set off a scramble for SCADA security talent among IT vendors. Security experts say that the critical infrastructure sector is still dangerously uninformed about modern threats and attacks, still counting on the obscurity of SCADA systems to keep them safe from attack.
“The simple answer is
that anything of critical importance should never be connected to the Internet. Ever.” said Shodan creator Matherly in an e-mail to Threatpost. “As the recent Siemens incident shows, many of these systems
have glaring security problems or don’t have proper security teams in place.”
Control system operators were advised to conduct an audit their existing systems, including those not directly connected to the Internet, to make sure that no weak or default passwords are being used. In addition, operators are advised to place any control systems behind firewalls and to isolate them from business networks. Virtual Private Networks (VPN) should be used for remote access to such systems and strong passwords and access management strategies should be employed, the Alert says.