Search Engine Finds Vulnerable SCADA Systems

UPDATED: ICS-CERT, the emergency response team for industrial control systems, has warned companies that run SCADA (Supervisory Control and Data Acquisition) software that the systems running it may be easily discovered using a free Web-based search engine dubbed Shodan.

The warning came in the form of an ICS-CERT Alert, published on October 28. The group, which is part of US-CERT, warns that “multiple independent security researchers” have reported using SHODAN to discover Internet facing SCADA systems in “several critical infrastructure sectors.”

The systems discovered range from those used for remote access and monitoring to systems with the ability to directly manage configuration of SCADA systems. Vulnerable devices range from a stand-alone workstation to “larger wide area network configurations connecting remote facilities to central monitoring systems.”

Shodan is a Web-based search engine that discovers Internet-facing computers, including desktops, servers and routers. The engine, created by programmer John Matherly, allows users to filter searches for systems running a specific type of application (say, Apache Web servers or FTP) and filter results by geographic region. The search engine indexes host ‘banners,’ the metadata sent between a server and client, which include information such as the type of software run, what services are available and so on.

The Shodan engine isn’t discovering SCADA systems that were previously inaccessible from the public Internet. Rather, it greatly lowers the technical bar needed to canvass the Internet for such systems, ICS-CERT said.

ICS-CERT is coordinating with the affected software vendors and Information Sharing and Analysis Centers (ISACs) for affected verticals to resolve the specific security issues reported to the center. However, the steep increase in reporting about publicly accessible SCADA systems prompted ICS-CERT to issue a general warning to all critical infrastructure operators.

Some of the systems discovered still use insecure passwords that are easy targets for brute force attacks. Other systems reported to the CERT were found to still use default passwords that can be retrieved from product documentation or online default password repositories, the Alert warned.

The illusion of security through obscurity is fast fading for companies that manage critical infrastructure such as power plants, electric distribution grids, and water treatment facilities. The recent Stuxnet worm, which was created to manipulate programmable logic controllers used by Siemens, Inc., signalled the advent of threats targeted specifically at SCADA systems. That has set off a scramble for SCADA security talent among IT vendors. Security experts say that the critical infrastructure sector is still dangerously uninformed about modern threats and attacks, still counting on the obscurity of SCADA systems to keep them safe from attack.

“The simple answer is that anything of critical importance should never be connected to the Internet. Ever.” said Shodan creator Matherly in an e-mail to Threatpost. “As the recent Siemens incident shows, many of these systems have glaring security problems or don’t have proper security teams in place.”

Control system operators were advised to conduct an audit of their existing systems, including those not directly connected to the Internet, to make sure that no weak or default passwords are being used. In addition, operators are advised to place any control systems behind firewalls and to isolate them from business networks. Virtual Private Networks (VPN) should be used for remote access to such systems and strong passwords and access management strategies should be employed, the Alert says.
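The checks the Alert recommends, applied to an asset inventory, as an added example that is not part of the original article or the ICS-CERT Alert. The inventory fields, host names, product strings and addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges; an address outside them is treated as Internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory; 203.0.113.0/24 (documentation range) stands in for a public IP.
INVENTORY = [
    {"name": "hmi-01", "addr": "203.0.113.10", "segment": "control",
     "remote_access": "direct", "password": "default",
     "banner": "HTTP/1.1 200 OK\r\nServer: ExampleHMI/2.1\r\n\r\n"},
    {"name": "historian-02", "addr": "10.20.0.5", "segment": "business",
     "remote_access": "vpn", "password": "weak",
     "banner": "220 ExampleFTP 1.0 ready\r\n"},
    {"name": "plc-gw-03", "addr": "10.30.0.7", "segment": "control",
     "remote_access": "vpn", "password": "strong", "banner": ""},
]

def is_internet_facing(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def disclosed_software(banner):
    """Product string a banner reveals (HTTP Server header or FTP-style greeting), or None."""
    lines = banner.strip().splitlines()
    for line in lines:
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    if lines and lines[0][:3].isdigit() and len(lines[0]) > 4:
        return lines[0][4:].strip()
    return None

def audit(host):
    """Apply the Alert's recommendations to one inventory record."""
    findings = []
    if host["password"] in ("default", "weak"):   # checked for every host
        findings.append("weak-or-default-password")
    if is_internet_facing(host["addr"]):
        findings.append("internet-facing")
        if disclosed_software(host["banner"]):
            findings.append("banner-discloses-software")
    if host["segment"] == "business":
        findings.append("not-isolated-from-business-network")
    if host["remote_access"] != "vpn":
        findings.append("remote-access-without-vpn")
    return findings

def audit_all(inventory):
    return {h["name"]: audit(h) for h in inventory}
```

The password check runs on every record, including hosts with internal addresses, because the Alert asks operators to audit systems that are not directly connected to the Internet as well.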


    Isn't the bottom line issue here the miserable engineering of these systems' lack of a firewall? Setting appliances directly facing the web with no firewall. IPCop could protect a SCADA box. Albeit NetBSD might be better. If the SCADA system operators are too lazy to put up the most basic security they have only to blame themselves. It's certainly not a reason for Obama to "shut down the web" or any of that ratcheting up cybercrime nonsense. It is reason for someone to cut off the web access with a pair of wire cutters and then manually babysit whatever it is. These people keep crying wolf, and when the REAL problems happen they're clueless, and nobody believes them.

  • Anonymous on

    exactly proves my point by nature security is an option
  • Anonymous on

    There's a difference between a SCADA system that controls things in the real world, and a viral/malware outbreak in the virtual world.

    It's debatable which is more serious, but a SCADA system has greater potential for causing a physical threat which can impact other people than the operator.

     We need to keep the risks in sight, and secure appropriately.

  • Brian on

    Press Release:


    The New RAGE is Here


     Restricted Access Global Environment That is Only Accessible through Biometrics



    Annapolis, MD July 1, 2011 – SAFE Age Corporation announces the introduction of the RAGE; providing the new age of secure Internet use and access. The RAGE is a patented Restricted Access Global Environment that is unlike the Internet environment we use today.  It can only be accessed by a biometrically verified user with a biometric sign-on device. Users are biometrically verified through high levels of encryption and can then gain access to any account or online venue that would usually require a user name, password, PIN, or token. This state-of-the-art technological advancement is unique in that it is impenetrable; eliminating any unauthorized use, fraud or data theft. There is now no need for user names, passwords, PINs, or sign-on tokens.

    Data security is crucial for all levels of business, government, and national defense.  Today’s systems contain sensitive data that is virtually useless if it is not properly protected.  Hackers, thieves, and intruders are rampant and constantly threatening the security of these systems we rely on.  Identity theft ruins lives on a daily basis and cyber security is now a major necessity for all. SAFE Age is proud to offer the solutions to these vexing problems. 

    The new RAGE provides secure access to an infinite number of applications that require a protected sign-on to a secure environment.  Users can safely conduct any form of commerce, data capture, or secure intelligence with the RAGE. There is a significant difference from the internet that we currently use, in that the RAGE is a self contained, independent, global network that requires biometric access for user verification. The biometric devices can be issued to anyone. Individuals or businesses can use these devices eliminating the need of issuing user names and passwords for accounts. This eliminates access to accounts after business hours or after employee/contract termination. Also, an authorized account owner can give a remote user access to an account, or data vault, through deployment of biometric sign-on devices anywhere in the world. Our patented encrypted biometric devices can be activated and/or de-activated at anytime globally. 

    To learn more about The RAGE and how it can assist you in keeping your data safe and secure, please contact Safe Age at: or 443-223-3888.
