‘Project SHINE’ Illuminates Sad State Of SCADA/ICS Security On The Net
A global Internet-scanning project focused on finding SCADA/ICS equipment and systems accessible via the public Internet is discovering some 2,000 to 8,000 new exposed devices each day.
Project SHINE, which has been gathering data on SCADA/ICS devices from SHODAN for a year-and-a-half, has identified more than 1 million unique IP addresses thus far, according to Bob Radvanovsky, one of the researchers behind it. “I would say one-fourth or one-third of them are devices that could be vulnerable to malware attacks … and buffer overflows, cross-site scripting, things of that nature,” he says. “[And] we feel the majority are misconfigured or improperly configured.”
This has been a common theme among other global scanning projects searching for exposed devices on the Internet. Many of these devices discovered — everything from home routers to servers — contain default backdoor-type access by their vendors for internal ease of use and access, including default passwords or major security holes. And the sites running these products typically are unaware of these holes or the potential dangers associated with these devices sitting exposed on the Net. They often don’t even know the devices are Internet-accessible.
But locking down or securing these vulnerable devices on the Internet has been much harder than finding them. The well-publicized scanning projects by renowned researcher HD Moore haven’t yielded the expected fixes. Moore says Universal Plug and Play (UPnP) devices, for example, still remain exposed on the Net despite his discovery and disclosure of some 40 to 50 million networked devices in harm’s way via flaws in the pervasive UPnP protocol, which is enabled by default in most printers, routers, network-attached storage, IP cameras, media players, smart TVs, and even video game consoles.
Moore is one of the pioneers of this practice and, most recently, led his company, Rapid7, in forming a community Internet-scanning initiative called Project Sonar. The goal is to provide a way for researchers to share their data as well as to educate vendors whose products are discovered via scans — and to raise public awareness of the vulnerability of this Internet-facing equipment.
[‘Project Sonar’ community initiative launched for sharing Internet-scanning data, tools, and analysis. See Researchers Unite To #ScanAllTheThings.]
Project SHINE has no plans to join up with Project Sonar, says Radvanovsky, who has found via the scans both traditional SCADA/ICS devices and software such as programmable logic controllers (PLCs), remote terminal units (RTUs), sensors, SCADA human machine interface (HMI) servers, and DCS, as well as relative outliers such as medical devices, traffic management systems, automotive control systems, traffic light control systems, HVAC systems, power regulators, CCTV and webcams, serial port servers, and data radios.
Radvanovsky runs the project out of his basement, and he and colleague Jake Brodsky use the online search engine SHODAN combined with their own tools to identify SCADA-specific equipment. The researchers crafted their own search terms to find those types of devices among the devices mapped in the SHODAN database. “We created our custom app that harvests data from the [SHODAN] search engine,” he says. “They are all flat files right now, but we are going to need to convert to a SQL database — there’s that much data.”
Much of the equipment Project SHINE has found are embedded devices, as well as Web interfaces for managing devices, for instance. “We’ve had some oddball scans…[control systems for] mining trucks, for example, which aren’t your typical SCADA systems,” Radvanovsky says.
In one case, Radvanovsky says he found an HVAC system in a building in Florida and discovered that the exposed interface could actually let someone alter the temperature settings of the system remotely via the Internet. “It was 92 degrees outside, and it was a comfortable 78 inside, and we could change” the temperature through the management interface, he says.
Rapid7’s Moore, who is also the creator of Metasploit, says the SHINE Project can help determine the state of SCADA equipment on the Internet. “The SHINE project can definitely improve our understanding of vulnerabilities in Internet-facing SCADA equipment. At the moment, it isn’t clear what type industries are most exposed, what vendors are better or worse than others, and or whether there are classes of vulnerabilities that span a large portion of SCADA infrastructure,” Moore says. “We are seeing security researchers continue to focus on embedded systems, both SCADA and otherwise, and so far, the results have been frightening. The security of your average smartphone is decades ahead of the embedded platforms used by ICS and SCADA equipment.”
Moore says Sonar’s initial focus is on making data, tools, and methods available to more researchers and vendors. Rapid7 is also exploring ways to classify devices and industry sectors that are vulnerable on the Net.
Project SHINE, meanwhile, has spotted products of some big-name vendors, including Allen-Bradley, Caterpillar, Emerson, Honeywell, Mitsubishi, Phillips, Rockwell, Schneider, and Siemens. Most systems were discovered via Web, telnet, and FTP interfaces, with a growing number SNMP interfaces exposed as well.
“One word: astonishing,” Radvanovsky says of what his research says about the state of SCADA/ICS security. “The asset owners of legacy infrastructure organizations do the bare minimum necessary [security-wise] to keep their environment operating,” he says.
“Project SHINE more than anything else is about awareness. We want to make sure industry and government alike know … We are constantly finding new devices. What does that tell you?” he says.
Have a comment on this story? Please click “Add Your Comment” below. If you’d like to contact Dark Reading’s editors directly, send us a message.