Wired | Kim Zetter | January 24, 2012
“MIAMI, Florida – A security researcher was able to locate and map more than 10,000 industrial control systems hooked up to the public internet, including water and sewage plants, and found that many could be open to easy hack attacks, due to lax security practices.
Infrastructure software vendors and critical infrastructure owners have long maintained that industrial control systems (ICSes) — even if rife with security vulnerabilities — are not at risk of penetration by outsiders because they’re “air-gapped” from the internet — that is, they’re not online.
But Eireann Leverett, a computer science doctoral student at Cambridge University, has developed a tool that matches information about ICSes that are connected to the internet with information about known vulnerabilities to show how easy it could be for an attacker to locate and target an industrial control system.
“Vendors say they don’t need to do security testing because the systems are never connected to the internet; it’s a very dangerous claim,” Leverett said last week at the S4 conference, which focuses on the security of Supervisory Control and Data Acquisition systems (SCADA) that are used for everything from controlling critical functions at power plants and water treatment facilities to operating the assembly lines at food processing and automobile assembly plants.
“Vendors expect systems to be on segregated networks — they comfort themselves with this. They say in their documentation to not put it on an open network. On the other side, asset owners swear that they are not connected,” Leverett said. But how do they know?
To debunk the myth that industrial control systems are never connected to the internet, Leverett used the SHODAN search engine developed by John Matherly, which allows users to find internet-connected devices using simple search terms. He then matched that data to information from vulnerability databases to find known security holes and exploits that could be used to hijack the systems or crash them. He used Timemap to chart the information on Google maps, along with red markers noting brand devices that are known to have security holes in them. He described his methodology in a paper (.pdf) about the project.
Leverett found 10,358 devices connected through a search of two years' worth of data in the SHODAN database. He was unable to determine, through his limited research, how many of the devices uncovered were actually working systems – as opposed to demo systems or honeypots – nor was he able to determine in all cases whether the systems were critical infrastructure systems installed at power plants and other significant facilities or simply ICSes that controlled things like high school lighting systems or the heat and air conditioning system in office buildings.
But Leverett said a few of the systems he investigated did actually belong to water facilities in Ireland and sewage facilities in California. He also found that only 17 percent of the systems he found online asked him for authorization to connect, suggesting that administrators either weren’t aware that their systems were online or had simply failed to install secure gateways to keep out intruders.
To avoid obtaining unauthorized access to the systems, Leverett didn’t try to connect to the systems himself but passed the information to the Department of Homeland Security last September, which took on the task of notifying the owners of systems, where they could be identified, or their ISPs. In the case of systems based overseas, DHS worked with some dozens of CERTs (Computer Emergency Response Teams) in those countries to notify ISPs and device owners.
Leverett’s tool shows how easy it is for a dedicated attacker or just a recreational hacker to find vulnerable targets online to sabotage.”