10,358 Industrial Control Systems Connected to the Internet

Friday, January 27, 2012

Joel Harding


For years, there was no call for security testing of the Industrial Control Systems that connect much of our critical infrastructure, because, the argument went, they did not connect to the internet.

Now, Eireann Leverett, a doctoral student in Computer Science at Cambridge University, has demonstrated that this claim is patently false, according to an article at Wired.com.

Using the Shodan search engine, Mr. Leverett spent two years poring over the data he found, exposing water and sewage plants physically connected to the internet.

SCADA devices are widely known for their vulnerabilities; with them connected to the internet, any nation state or rogue group of hackers could easily bring portions of a country to its knees.

We are vulnerable to cyber attacks, perhaps even a cyberwar.  Will this new cyber threat be properly addressed by our governments?

Wisely, Mr. Leverett shared his findings with DHS and others before publishing and briefing them at the S4 Conference.

Hackers, however, rely upon human error to allow them to penetrate many systems because systems administrators fail to secure their systems. Many of the owners of the systems were not even aware their system was hooked up to the internet.

This should be cause for alarm for governments and citizens alike. The critical infrastructure upon which we rely for many of our basic needs has been wide open for years, vulnerable to nefarious elements.

I am certain not all the connected systems were found. How long will we accept “we don’t need to upgrade our security because we’re not connected”?

Cross-posted from To Inform is to Influence

Bob Radvanovsky:

Since the release and distribution of Eireann's research whitepaper, I have been actively gathering similar statistics from SHODAN. The numbers are growing - daily - with increased findings of new devices to search for. At latest count, I have found slightly over 400 searchable keyword(s) (some of which are included within Eireann's research whitepaper, many discovered on my own), and the statistics are staggering.

To date, the count is not-quite 56,000 devices that contain control systems, building automation systems, smartgrid devices, and devices supporting control systems (such as serial-to-Ethernet converters, routers, industrial-grade network switches, etc.).

The total count is not-quite 14,000 devices that are clearly "control systems", and this number is growing daily. This number represents approx. 36.25% of the total number of devices found on SHODAN.

I am currently developing a deadhead and zombie checker of the almost-56,000 devices found, to determine which devices are "dead" (deadhead), and which ones have re-emerged as "online" (zombie). This should provide more useful and accurate statistics as to the impact of SHODAN.

Of the almost-56,000 devices, I would suspect somewhere between 25-30% will be "offline" or "dead". If this number is higher, there are a number of speculations which may indicate the reasons for their being "offline".

Before anyone asks about where I got these statistics, like Eireann, I discovered most of them on my own. Additionally, these statistics are NOT for public disclosure, so I will NOT provide any of these statistics at anyone's request. Just know that I am quietly collecting data from my private "sonar net"...more to come...