10/16/2013
05:15 PM
'Project SHINE' Illuminates Sad State Of SCADA/ICS Security On The Net

One million ICS/SCADA devices -- and counting -- found exposed on the public Internet, researchers say

A global Internet-scanning project focused on finding SCADA/ICS equipment and systems accessible via the public Internet is discovering some 2,000 to 8,000 new exposed devices each day.

Project SHINE, which has been gathering data on SCADA/ICS devices from SHODAN for a year-and-a-half, has identified more than 1 million unique IP addresses thus far, according to Bob Radvanovsky, one of the researchers behind it. "I would say one-fourth or one-third of them are devices that could be vulnerable to malware attacks ... and buffer overflows, cross-site scripting, things of that nature," he says. "[And] we feel the majority are misconfigured or improperly configured."

This has been a common theme among other global scanning projects searching for exposed devices on the Internet. Many of these devices discovered -- everything from home routers to servers -- contain default backdoor-type access by their vendors for internal ease of use and access, including default passwords or major security holes. And the sites running these products typically are unaware of these holes or the potential dangers associated with these devices sitting exposed on the Net. They often don't even know the devices are Internet-accessible.

But locking down or securing these vulnerable devices on the Internet has been much harder than finding them. The well-publicized scanning projects by renowned researcher HD Moore haven't yielded the expected fixes. Moore says Universal Plug and Play (UPnP) devices, for example, still remain exposed on the Net despite his discovery and disclosure of some 40 to 50 million networked devices in harm's way via flaws in the pervasive UPnP protocol, which is enabled by default in most printers, routers, network-attached storage, IP cameras, media players, smart TVs, and even video game consoles.

Moore is one of the pioneers of this practice and, most recently, led his company, Rapid7, in forming a community Internet-scanning initiative called Project Sonar. The goal is to provide a way for researchers to share their data as well as to educate vendors whose products are discovered via scans -- and to raise public awareness of the vulnerability of this Internet-facing equipment.

['Project Sonar' community initiative launched for sharing Internet-scanning data, tools, and analysis. See Researchers Unite To #ScanAllTheThings.]

Project SHINE has no plans to join up with Project Sonar, says Radvanovsky, who has found via the scans both traditional SCADA/ICS devices and software such as programmable logic controllers (PLCs), remote terminal units (RTUs), sensors, SCADA human machine interface (HMI) servers, and DCS, as well as relative outliers such as medical devices, traffic management systems, automotive control systems, traffic light control systems, HVAC systems, power regulators, CCTV and webcams, serial port servers, and data radios.

Radvanovsky runs the project out of his basement, and he and colleague Jake Brodsky use the online search engine SHODAN combined with their own tools to identify SCADA-specific equipment. The researchers crafted their own search terms to find those types of devices among the devices mapped in the SHODAN database. "We created our custom app that harvests data from the [SHODAN] search engine," he says. "They are all flat files right now, but we are going to need to convert to a SQL database -- there's that much data."

Much of the equipment Project SHINE has found consists of embedded devices, along with Web interfaces used to manage devices. "We've had some oddball scans...[control systems for] mining trucks, for example, which aren't your typical SCADA systems," Radvanovsky says.

In one case, Radvanovsky says he found an HVAC system in a building in Florida and discovered that the exposed interface could actually let someone alter the temperature settings of the system remotely via the Internet. "It was 92 degrees outside, and it was a comfortable 78 inside, and we could change" the temperature through the management interface, he says.

Rapid7's Moore, who is also the creator of Metasploit, says the SHINE Project can help determine the state of SCADA equipment on the Internet. "The SHINE project can definitely improve our understanding of vulnerabilities in Internet-facing SCADA equipment. At the moment, it isn't clear what types of industries are most exposed, what vendors are better or worse than others, or whether there are classes of vulnerabilities that span a large portion of SCADA infrastructure," Moore says. "We are seeing security researchers continue to focus on embedded systems, both SCADA and otherwise, and so far, the results have been frightening. The security of your average smartphone is decades ahead of the embedded platforms used by ICS and SCADA equipment."

Moore says Sonar's initial focus is on making data, tools, and methods available to more researchers and vendors. Rapid7 is also exploring ways to classify devices and industry sectors that are vulnerable on the Net.

Project SHINE, meanwhile, has spotted products of some big-name vendors, including Allen-Bradley, Caterpillar, Emerson, Honeywell, Mitsubishi, Phillips, Rockwell, Schneider, and Siemens. Most systems were discovered via Web, telnet, and FTP interfaces, with a growing number of SNMP interfaces exposed as well.
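The two practical points above, harvesting scan results as flat records that eventually need a SQL store, and triaging what is exposed by protocol (Web, telnet, FTP, SNMP next to control protocols), can be combined into a small asset-owner exposure check. This is an added example, not Project SHINE's or SHODAN's code; the record field names (ip, port, transport, data), the port-to-protocol tables and the sample records are all assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample records in a SHODAN-style shape (assumed field names:
# ip, port, transport, data); not data from Project SHINE.
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10", "port": 502, "transport": "tcp", "data": "Modbus unit id 1"},
    {"ip": "192.0.2.10", "port": 23, "transport": "tcp", "data": "PLC login:"},
    {"ip": "192.0.2.21", "port": 161, "transport": "udp", "data": "SNMPv2c community public"},
    {"ip": "192.0.2.33", "port": 80, "transport": "tcp", "data": "HTTP/1.1 200 OK\r\nServer: HVAC-Web"},
    {"ip": "192.0.2.33", "port": 44818, "transport": "tcp", "data": "EtherNet/IP ListIdentity"},
    {"ip": "192.0.2.44", "port": 443, "transport": "tcp", "data": "HTTP/1.1 200 OK"},
]

# Well-known control-protocol ports and cleartext management protocols (assumed table).
ICS_PORTS = {102: "s7comm", 502: "modbus", 20000: "dnp3", 44818: "enip", 47808: "bacnet"}
CLEARTEXT_MGMT = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp"}


def classify(port, transport):
    """Map a (port, transport) pair to an exposure category and a protocol label."""
    if port in ICS_PORTS:
        return "ics", ICS_PORTS[port]
    if port in CLEARTEXT_MGMT:
        return "mgmt-cleartext", CLEARTEXT_MGMT[port]
    return "other", f"{transport}/{port}"


def load_findings(records, conn):
    """Normalise flat records into a findings table; returns the number of rows stored."""
    conn.execute("CREATE TABLE IF NOT EXISTS findings "
                 "(ip TEXT, port INTEGER, transport TEXT, category TEXT, protocol TEXT, banner TEXT)")
    rows = []
    for r in records:
        category, protocol = classify(r["port"], r["transport"])
        rows.append((r["ip"], r["port"], r["transport"], category, protocol, r["data"][:200]))
    conn.executemany("INSERT INTO findings VALUES (?, ?, ?, ?, ?, ?)", rows)
    return len(rows)


def exposure_summary(conn):
    """Per-protocol counts, plus hosts exposing a control protocol next to a cleartext management port."""
    by_protocol = dict(conn.execute("SELECT protocol, COUNT(*) FROM findings GROUP BY protocol"))
    ics_hosts = {ip for (ip,) in conn.execute("SELECT DISTINCT ip FROM findings WHERE category = 'ics'")}
    mgmt_hosts = {ip for (ip,) in conn.execute("SELECT DISTINCT ip FROM findings WHERE category = 'mgmt-cleartext'")}
    hosts_total = conn.execute("SELECT COUNT(DISTINCT ip) FROM findings").fetchone()[0]
    return {"hosts_total": hosts_total, "by_protocol": by_protocol,
            "ics_hosts": sorted(ics_hosts), "ics_and_cleartext_mgmt": sorted(ics_hosts & mgmt_hosts)}


def triage(records):
    """Load records into an in-memory SQLite database and summarise the exposure."""
    conn = sqlite3.connect(":memory:")
    load_findings(records, conn)
    return exposure_summary(conn)
```

Hosts listed under ics_and_cleartext_mgmt are the ones to prioritise: a control protocol reachable from the Internet alongside a management interface that sends credentials in the clear is the misconfiguration pattern the researchers describe.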

"One word: astonishing," Radvanovsky says of what his research says about the state of SCADA/ICS security. "The asset owners of legacy infrastructure organizations do the bare minimum necessary [security-wise] to keep their environment operating," he says.

"Project SHINE more than anything else is about awareness. We want to make sure industry and government alike know ... We are constantly finding new devices. What does that tell you?" he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
