In the wake of the hack of water and sewer infrastructure operated by a Texas community, the Department of Homeland Security is again warning owners and operators of critical infrastructure to take note of SCADA and industrial control systems that may be accessible from the Internet.
DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reiterated a warning from last year that such systems can be detected by a new breed of Internet scanners such as Sh0dan (PDF), citing an “uptick in related activity” by researchers, and evidence that “thousands” of ICS systems may be discoverable.
ICS-CERT is urging ICS asset owners and operators to audit the configuration of their systems and make sure they cannot be discovered using an Internet-based scanning tool.
The warning comes weeks after an unknown hacker using the handle “pr0f” claimed responsibility for the compromise of a sewage treatment system operated by the community of South Houston, Texas. In an interview with Threatpost, pr0f said that he used a custom-built scanner that searched for systems running Siemens Simatic HMI (Human Machine Interface) software that were accessible from the public Internet. After finding such a system operated by South Houston, pr0f was able to access it by breaking a three-character password used to secure an administrative account.
The ICS-CERT warning lists five reports so far in 2011 of SCADA and ICS systems exposed using scanners like Sh0dan or similar tools. Though South Houston is not mentioned by name, the alert does describe a November incident, almost identical to the South Houston hack, in which an individual accessed an Internet-facing control system using the default user name and password. It also calls attention to a September report by independent researcher Eireann Leverett of “several thousand” Internet devices discovered using Sh0dan.
Typically, industrial control systems are given access to the Internet so that they can be remotely managed and monitored, the alert says. Unfortunately, critical infrastructure operators frequently fail to secure such systems with a firewall, or even with a hardened user name and password, making them easy prey for malicious hackers.
In an article for Threatpost in November 2010, Sh0dan creator John Matherly said that his tool was “just scratching the surface of unprotected or misconfigured SCADA devices.”
“Since it mostly looks for computers running a web server, it misses any device that relies on a custom daemon operating on a different port. That doesn’t mean that such systems are undiscoverable. It just means that Shodan isn’t looking for them. And, of course, the search engine merely finds systems. It doesn’t expose the myriad of bad security practices that seem to be rampant amongst vendors and operators.”
Matherly advised SCADA system owners and operators to take a few simple security precautions, such as deploying security around critical systems in layers that include virtual private network (VPN) software for remote access, strong passwords, a firewall, and hardening of the device itself.
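As an added example (not code from the article, ICS-CERT, or any vendor), the following Python audits a constructed ICS asset inventory against the precautions above: HMI web ports reachable from outside an assumed VPN management subnet (10.8.0.0/24), default credentials, and administrative passwords below a policy length. The field names, port list, default-password list and inventory records are all assumptions made for this example.

```python
import ipaddress

# Networks from which HMI access is acceptable; 10.8.0.0/24 is an assumed VPN client pool.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.8.0.0/24")]
WEB_PORTS = {80, 443, 8080}                        # typical HMI web ports (assumption)
DEFAULT_PASSWORDS = {"admin", "password", "1234"}  # constructed sample of vendor defaults
MIN_PASSWORD_LENGTH = 12                           # policy threshold chosen for this example

def exposed_sources(asset):
    """Firewall source ranges not contained in a trusted management network.
    '0.0.0.0/0' (no restriction at all) is therefore always reported."""
    return [src for src in asset["allowed_sources"]
            if not any(ipaddress.ip_network(src).subnet_of(net) for net in TRUSTED_MGMT_NETS)]

def is_internet_facing(asset):
    """True when a web port is open and some allowed source lies outside the VPN."""
    return bool(WEB_PORTS & set(asset["open_ports"])) and bool(exposed_sources(asset))

def credential_findings(asset):
    pw = asset["admin_password"]
    findings = []
    if pw.lower() in DEFAULT_PASSWORDS:
        findings.append("default credentials in use")
    if len(pw) < MIN_PASSWORD_LENGTH:
        findings.append(f"admin password is {len(pw)} chars; policy requires {MIN_PASSWORD_LENGTH}")
    return findings

def audit(inventory):
    """Map each asset name to its findings; an empty list means it passes."""
    report = {}
    for asset in inventory:
        findings = []
        if is_internet_facing(asset):
            findings.append("web HMI reachable from " + ", ".join(exposed_sources(asset))
                            + "; restrict it to the VPN subnet")
        findings.extend(credential_findings(asset))
        report[asset["name"]] = findings
    return report

# Constructed inventory: an unrestricted HMI with a short password, and one behind the VPN.
INVENTORY = [
    {"name": "lift-station-hmi", "open_ports": [80, 502],
     "allowed_sources": ["0.0.0.0/0"], "admin_password": "ops"},
    {"name": "plant-hmi", "open_ports": [443],
     "allowed_sources": ["10.8.0.0/24"], "admin_password": "Tr0ub4dor&3-sewage-ops"},
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "->", findings or ["ok"])
```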