ICS-CERT Warns Facilities of Exposure via SHODAN

Monday, December 12, 2011



ICS-CERT is reiterating a warning first issued in late 2010 regarding the exposure of critical systems that are connected to the internet.

The concerns center on the increased use of tools that can reveal sensitive information an attacker could use to compromise network security.

"ICS-CERT is tracking and has responded to multiple reports of researchers using SHODAN, Every Routable IP Project (ERIPP), Google, and other search engines to discover Internet facing control systems... In many instances, the exposed systems were unknowingly or unintentionally configured with potentially unsecure access authentication and authorization mechanisms," the ICS-CERT alert states.

ICS-CERT's concerns include the protection of networks critical to industries across numerous sectors central to national security, including supervisory control and data acquisition (SCADA) systems, which provide operations control for infrastructure and production networks such as manufacturing facilities, refineries, and hydroelectric and nuclear power plants.

The agency has identified vulnerabilities at numerous facilities where systems have been connected to the internet in order to provide remote access and monitoring, but the access may not have been properly secured.

"In many cases, these control systems were designed to allow remote access for system monitoring and management. All too often, remote access has been configured with direct Internet access (no firewall) and/or default or weak user names and passwords. In addition, those default/common account credentials are often readily available in public space documentation."

The ICS-CERT alert mentions several publicly available tools that are being utilized to expose network vulnerabilities, particularly one called SHODAN.

"The use of readily available and generally free search tools significantly reduces time and resources required to identify Internet facing control systems. In turn, hackers can use these tools to easily identify exposed control systems, posing an increased risk of attack. Conversely, owners and operators can also use these same tools to audit their assets for unsecured Internet facing devices," ICS-CERT explained.

Over the past year, ICS-CERT has identified multiple instances of network exposure and the use of weak or default passwords at facilities governing critical infrastructure systems including:

  • In February 2011, independent security researcher Ruben Santamarta used SHODAN to identify online remote access links to multiple utility companies’ Supervisory Control and Data Acquisition (SCADA) systems. Mr. Santamarta notified ICS-CERT for coordination with the vendor and the affected control system owners and operators. Further research indicated that many systems were using default user names and passwords.
  • In April 2011, ICS-CERT received reports of 75 Internet facing control system devices, mostly in the water sector. ICS-CERT worked with the Water Sector ISAC and the vendor to notify affected control system owners and operators. Many of those control systems had their remote access configured with default logon credentials.
  • In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet facing devices that he discovered using SHODAN. To date, this response has included international partners and approximately 63 other CERTs in the effort to notify the identified control system owners and operators that their control systems/devices were exposed on the Internet.
  • In November 2011, another individual claimed to have directly accessed an Internet facing control system. The report indicated that the individual gained access using default username and password. ICS-CERT notified the affected control system owner and advised the owner to disconnect the control system from the Internet and reconfigure the remote access security. ICS-CERT also coordinated with the SCADA vendor to provide the owner detailed instructions for removing the default logon account.
  • Currently, ICS-CERT is coordinating the response to several new reports of Internet facing control systems from independent researchers Billy Rios, Terry McCorkle, Joel Langill, and other trusted sources. 

ICS-CERT states that the organization actively works with the administrators of exposed systems to offer expertise, resources, and tools to mitigate the exposure, including the Cyber Security Evaluation Tool (CSET).

CSET is a desktop software package that allows network administrators to assess currently deployed security strategies against a set of industry best practices and government standards, with the aim of increasing consistency in an organization's cybersecurity posture.

CSET was developed with the aid of the National Institute of Standards and Technology (NIST), the federal physical science research laboratory division of the U.S. Department of Commerce.

The tool is available for download, and the program also offers training and support at no cost to organizations engaged in administering networks that control facilities identified as being crucial to both the nation's economy and national security.

Source:  http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-343-01.pdf
