Industrial control system users beware: There is an uptick in the computer search engine SHODAN locating Internet facing control systems.
That means owners and operators should audit their control systems configurations and verify whether or not they are susceptible to an attack via this vector, said a report from the ICS-CERT.
ICS-CERT is tracking and has responded to multiple reports of researchers using SHODAN, Every Routable IP Project (ERIPP), Google, and other search engines to discover Internet facing control systems.
ICS-CERT coordinated this information with the identified control system owners and operators to notify them of their potential vulnerability to cyber intrusion and attack.
The use of readily available and generally free search tools significantly reduces time and resources required to identify Internet facing control systems. In turn, hackers can use these tools to easily identify exposed control systems, posing an increased risk of attack. Conversely, owners and operators can also use these same tools to audit their assets for unsecured Internet facing devices.
Internet facing control systems are in several critical infrastructure sectors. The systems vary in their deployment footprints, ranging from stand-alone workstation applications to larger distributed control systems (DCS) configurations. In quite a few cases, these control systems allow remote access for system monitoring and management. All too often, remote access has been configured with direct Internet access (no firewall) and/or default or weak user names and passwords. In addition, those default/common account credentials are often readily available in public space documentation. In all cases, ICS-CERT worked with these organizations to remove default credentials and strengthen their overall security.
Some case histories:
• In February 2011, independent security researcher Ruben Santamarta used SHODAN to identify online remote access links to multiple utility companies’ Supervisory Control and Data Acquisition (SCADA) systems. Santamarta notified ICS-CERT for coordination with the vendor and the affected control system owners and operators. Further research indicated quite a few of the systems were using default user names and passwords.
• In April 2011, ICS-CERT received reports of 75 Internet facing control system devices, mostly in the water sector. ICS-CERT worked to notify affected control system owners and operators. A majority of the control systems had their remote access configured with default logon credentials.
• In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet facing devices he discovered using SHODAN. To date, this response has included international partners and approximately 63 other CERTs in the effort to notify the identified control system owners and operators their control systems/devices are out there on the Internet.
• Currently, ICS-CERT is coordinating the response to several new reports of Internet facing control systems from independent researchers Billy Rios, Terry McCorkle, Joel Langill, and other trusted sources.
ICS-CERT recommends control system owners and operators audit their control systems—whether or not they think their control systems connect to the Internet or not. This way they can discover and verify removal of any default administrator level user names and passwords. Because each control system installation is unique, owners and operators may need to contact their system vendor or integrator for assistance with locating and eliminating default accounts.
Owners and operators can also perform a comprehensive control system cyber security assessment using the DHS Control Systems Security Program (CSSP) Cyber Security Evaluation Tool (CSET). CSET is a free, downloadable, stand alone software tool designed to assist owners and operators to:
1. Determine their current security posture
2. Identify where security improvements can/should be made
3. Map out the existing component/network configuration
4. Output a basic cyber security plan.