A search engine that indexes servers and other Internet devices is helping hackers find industrial control systems vulnerable to tampering, the U.S. Computer Emergency Readiness Team (US-CERT) warned.
The year-old site known as Shodan makes it easy to locate Internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities.
The Industrial Control Systems division of US-CERT (ICS CERT) said that is exactly what some are doing to discover poorly configured SCADA systems.
The warning reads in part: “In most cases, the affected control system interfaces were designed to provide remote access for monitoring system status and/or certain asset management features (i.e., configuration adjustments). The identified systems range from stand-alone workstation applications to larger wide area network (WAN) configurations connecting remote facilities to central monitoring systems. These systems have been found to be readily accessible from the Internet and with tools, such as SHODAN, the resources required to identify them have been greatly reduced.
“In addition to the increased risk of account brute forcing from having these systems available on the Internet, some of the identified systems continue to use default user names and passwords and/or common vendor accounts for remote access into these systems. These default/common accounts can in many cases be easily found in online documentation and/or online default password repositories. Control System owners and operators are advised to audit their control systems — whether or not directly connected to the Internet — for the use of default administrator level user names and passwords.”
The advisory goes on to recommend the following mitigations:
- Placing all control system assets behind firewalls, separated from the business network
- Deploying secure remote access methods such as Virtual Private Networks (VPNs) for remote access
- Removing, disabling, or renaming any default system accounts (where possible)
- Implementing account lockout policies to reduce the risk from brute forcing attempts
- Implementing policies requiring the use of strong passwords
- Monitoring the creation of administrator level accounts by third-party vendors
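The recommendations above translate directly into an audit an asset owner can run against their own inventory. The following is an added example, not code from ICS-CERT or Shodan: it checks a constructed list of hosts and accounts for each of the six points (Internet exposure of control protocol ports, direct rather than VPN remote access, default vendor credentials, missing lockout, weak passwords, and vendor-created administrator accounts). The host addresses, account names, the placeholder default-credential list and the 12-character password minimum are all assumptions made for the demo; a real audit substitutes the defaults documented for the products actually deployed.

```python
"""Added example (not ICS-CERT's or Shodan's code): an offline audit of a
constructed control-system inventory against the recommendations quoted
above. Every host, account and address below is made up for the demo."""
import ipaddress
from dataclasses import dataclass

# Well-known ICS protocol ports (public assignments).
ICS_PORTS = {
    102: "Siemens S7 / ISO-TSAP",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Placeholder default/vendor credentials (constructed). A real audit replaces
# this with the entries from each vendor's documentation for deployed products.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("root", "root"),
                       ("operator", "operator")}

# Address space not routable from the Internet; anything else is treated as
# Internet-facing for the purpose of this audit.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]

MIN_PASSWORD_LENGTH = 12   # assumed policy value, not taken from the advisory


@dataclass
class Account:
    username: str
    password: str        # plain text only because this is constructed demo data
    is_admin: bool
    created_by: str      # "site" or the name of the vendor that created it


@dataclass
class Host:
    address: str
    open_ports: list
    accounts: list
    lockout_threshold: int   # failed attempts before lockout; 0 = no policy
    remote_access: str       # "direct", "vpn" or "none"


def is_internet_facing(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in NON_ROUTABLE)


def audit_host(host: Host) -> list:
    """Return one finding string per recommendation the host violates."""
    findings = []
    exposed = is_internet_facing(host.address)

    # 1. Control system assets behind a firewall, off the business network.
    for port in host.open_ports:
        if port in ICS_PORTS and exposed:
            findings.append(f"{host.address}:{port} ({ICS_PORTS[port]}) is "
                            "reachable from the Internet; firewall it")

    # 2. Secure remote access (VPN) rather than a directly exposed interface.
    if exposed and host.remote_access == "direct":
        findings.append(f"{host.address}: remote access is direct, not via VPN")

    # 3./5. Default accounts and weak passwords, checked on every host whether
    # Internet-facing or not, as the advisory says.
    for acct in host.accounts:
        if (acct.username, acct.password) in DEFAULT_CREDENTIALS:
            findings.append(f"{host.address}: default account "
                            f"'{acct.username}' still enabled")
        elif len(acct.password) < MIN_PASSWORD_LENGTH:
            findings.append(f"{host.address}: weak password on "
                            f"'{acct.username}'")
        # 6. Administrator accounts created by third-party vendors.
        if acct.is_admin and acct.created_by != "site":
            findings.append(f"{host.address}: admin account '{acct.username}' "
                            f"created by vendor {acct.created_by}; review")

    # 4. Account lockout against brute forcing.
    if host.lockout_threshold == 0:
        findings.append(f"{host.address}: no account lockout policy")
    return findings


def audit(hosts) -> dict:
    return {h.address: audit_host(h) for h in hosts}


# Constructed inventory: one exposed HMI with every problem, one properly
# segmented RTU with a single leftover default account.
SAMPLE_HOSTS = [
    Host("203.0.113.10", [80, 502], [
        Account("admin", "admin", True, "site"),
        Account("svc", "Sup3rLongPassphrase!", True, "VendorCo"),
    ], 0, "direct"),
    Host("10.20.30.40", [502, 20000], [
        Account("operator", "operator", False, "site"),
        Account("eng", "Another-Long-Pass-2010", True, "site"),
    ], 5, "vpn"),
]

if __name__ == "__main__":
    for addr, items in audit(SAMPLE_HOSTS).items():
        print(addr, "OK" if not items else "")
        for f in items:
            print("  -", f)
```

Run as-is the script reports five findings for the exposed host and one (the leftover `operator` default account) for the segmented one; the point of the second host is that the default-account check runs regardless of Internet exposure, which is exactly what the advisory asks for.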
Short for Sentient Hyper-Optimized Data Access Network, Shodan contains information about routers, servers, load balancers and other hardware attached to the Internet. Its database is built by connecting to devices on common service ports and indexing the banners they return: the self-descriptive headers (server software, product name, version) that a service sends to any client that connects, with no credentials required. Because a banner is whatever the device chooses to report, the index is only as accurate as that self-description, but for equipment left at factory settings it is usually accurate enough. Searches can filter by port, hostname and country.
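To make concrete what "indexing the banners" means, here is an added example, not Shodan's own code: a minimal banner grab of the kind that builds such an index. A throwaway loopback server stands in for an Internet-facing device and answers every connection with a constructed HTTP banner; the client connects, sends a harmless probe, records whatever comes back and turns the `Server` header into the product field a search engine would index. The device name `Example-HMI-Web/2.1`, the probe string and the record layout are all assumptions made for the demo.

```python
"""Added example (not Shodan's code): a minimal banner grab of the kind that
builds an index like Shodan's. A local throwaway server stands in for an
Internet-facing device and returns a constructed HTTP banner; the client
records what it sees and sends no credentials."""
import socket
import threading

# Constructed banner; the product string is made up for the demo.
FAKE_BANNER = (b"HTTP/1.0 200 OK\r\n"
               b"Server: Example-HMI-Web/2.1\r\n"
               b"Content-Type: text/html\r\n\r\n")


def start_fake_device(banner: bytes = FAKE_BANNER):
    """Listen on an ephemeral loopback port and answer each connection with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket shut down by the caller
                return
            with conn:
                try:
                    conn.recv(1024)  # consume the probe; a real device parses it
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_fake_device(srv):
    try:
        srv.shutdown(socket.SHUT_RDWR)   # wakes the thread blocked in accept()
    except OSError:
        pass
    srv.close()


def grab_banner(host: str, port: int, probe: bytes = b"HEAD / HTTP/1.0\r\n\r\n",
                timeout: float = 3.0, limit: int = 2048) -> bytes:
    """Connect, send a probe, and read up to `limit` bytes of whatever the service says."""
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(probe)
        while total < limit:
            try:
                data = s.recv(limit - total)
            except socket.timeout:
                break
            if not data:                 # peer closed the connection
                break
            chunks.append(data)
            total += len(data)
    return b"".join(chunks)


def parse_headers(banner: bytes) -> dict:
    """Split an HTTP-style banner into a status line and lower-cased header map."""
    head = banner.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    headers = {"_status": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def index_record(host: str, port: int, banner: bytes) -> dict:
    """The shape of record a banner index keeps: address, port, product, raw banner."""
    hdr = parse_headers(banner)
    return {"ip": host, "port": port, "product": hdr.get("server", ""), "raw": banner}


def demo() -> dict:
    srv, port = start_fake_device()
    try:
        banner = grab_banner("127.0.0.1", port)
        return index_record("127.0.0.1", port, banner)
    finally:
        stop_fake_device(srv)


if __name__ == "__main__":
    rec = demo()
    print(f"{rec['ip']}:{rec['port']} product={rec['product']!r}")
```

Pointed at a real address range instead of the loopback stub, `grab_banner` is the same operation an index like Shodan performs at scale, which is why running it against your own public address space is the quickest way to see what the search engine already knows about you. The `product` field comes straight from the `Server` header, so a device that reports nothing, or reports something misleading, is indexed that way too.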