Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/16/2013
05:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Project SHINE' Illuminates Sad State Of SCADA/ICS Security On The Net

One million ICS/SCADA devices -- and counting -- found exposed on the public Internet, researchers say

A global Internet-scanning project focused on finding SCADA/ICS equipment and systems accessible via the public Internet is discovering some 2,000 to 8,000 new exposed devices each day.

Project SHINE, which has been gathering data on SCADA/ICS devices from SHODAN for a year-and-a-half, has identified more than 1 million unique IP addresses thus far, according to Bob Radvanovsky, one of the researchers behind it. "I would say one-fourth or one-third of them are devices that could be vulnerable to malware attacks ... and buffer overflows, cross-site scripting, things of that nature," he says. "[And] we feel the majority are misconfigured or improperly configured."

This has been a common theme among other global scanning projects searching for exposed devices on the Internet. Many of these devices discovered -- everything from home routers to servers -- contain default backdoor-type access by their vendors for internal ease of use and access, including default passwords or major security holes. And the sites running these products typically are unaware of these holes or the potential dangers associated with these devices sitting exposed on the Net. They often don't even know the devices are Internet-accessible.

But locking down or securing these vulnerable devices on the Internet has been much harder than finding them. The well-publicized scanning projects by renowned researcher HD Moore haven't yielded the expected fixes. Moore says Universal Plug and Play (UPnP) devices, for example, still remain exposed on the Net despite his discovery and disclosure of some 40 to 50 million networked devices in harm's way via flaws in the pervasive UPnP protocol, which is enabled by default in most printers, routers, network-attached storage, IP cameras, media players, smart TVs, and even video game consoles.

Moore is one of the pioneers of this practice and, most recently, led his company, Rapid7, in forming a community Internet-scanning initiative called Project Sonar. The goal is to provide a way for researchers to share their data as well as to educate vendors whose products are discovered via scans -- and to raise public awareness of the vulnerability of this Internet-facing equipment.

['Project Sonar' community initiative launched for sharing Internet-scanning data, tools, and analysis. See Researchers Unite To #ScanAllTheThings.]

Project SHINE has no plans to join up with Project Sonar, says Radvanovsky, who has found via the scans both traditional SCADA/ICS devices and software such as programmable logic controllers (PLCs), remote terminal units (RTUs), sensors, SCADA human machine interface (HMI) servers, and DCS, as well as relative outliers such as medical devices, traffic management systems, automotive control systems, traffic light control systems, HVAC systems, power regulators, CCTV and webcams, serial port servers, and data radios.

Radvanovsky runs the project out of his basement, and he and colleague Jake Brodsky use the online search engine SHODAN combined with their own tools to identify SCADA-specific equipment. The researchers crafted their own search terms to find those types of devices among the devices mapped in the SHODAN database. "We created our custom app that harvests data from the [SHODAN] search engine," he says. "They are all flat files right now, but we are going to need to convert to a SQL database -- there's that much data."

Much of the equipment Project SHINE has found are embedded devices, as well as Web interfaces for managing devices, for instance. "We've had some oddball scans...[control systems for] mining trucks, for example, which aren't your typical SCADA systems," Radvanovsky says.

In one case, Radvanovsky says he found an HVAC system in a building in Florida and discovered that the exposed interface could actually let someone alter the temperature settings of the system remotely via the Internet. "It was 92 degrees outside, and it was a comfortable 78 inside, and we could change" the temperature through the management interface, he says.

Rapid7's Moore, who is also the creator of Metasploit, says the SHINE Project can help determine the state of SCADA equipment on the Internet. "The SHINE project can definitely improve our understanding of vulnerabilities in Internet-facing SCADA equipment. At the moment, it isn't clear what type industries are most exposed, what vendors are better or worse than others, and or whether there are classes of vulnerabilities that span a large portion of SCADA infrastructure," Moore says. "We are seeing security researchers continue to focus on embedded systems, both SCADA and otherwise, and so far, the results have been frightening. The security of your average smartphone is decades ahead of the embedded platforms used by ICS and SCADA equipment."

Moore says Sonar's initial focus is on making data, tools, and methods available to more researchers and vendors. Rapid7 is also exploring ways to classify devices and industry sectors that are vulnerable on the Net.

Project SHINE, meanwhile, has spotted products of some big-name vendors, including Allen-Bradley, Caterpillar, Emerson, Honeywell, Mitsubishi, Phillips, Rockwell, Schneider, and Siemens. Most systems were discovered via Web, telnet, and FTP interfaces, with a growing number SNMP interfaces exposed as well.

"One word: astonishing," Radvanovsky says of what his research says about the state of SCADA/ICS security. "The asset owners of legacy infrastructure organizations do the bare minimum necessary [security-wise] to keep their environment operating," he says.

"Project SHINE more than anything else is about awareness. We want to make sure industry and government alike know ... We are constantly finding new devices. What does that tell you?" he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19604
PUBLISHED: 2019-12-11
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVE-2019-14861
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permiss...
CVE-2019-14870
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authent...
CVE-2019-14889
PUBLISHED: 2019-12-10
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence...
CVE-2019-1484
PUBLISHED: 2019-12-10
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.