Hackers are using the Shodan computer search engine to find Internet-facing SCADA systems using potentially insecure mechanisms for authentication and authorization, according to a warning from ICS-CERT.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said the exposed SCADA systems span several critical infrastructure sectors and vary in their deployment footprints.
From the ICS-CERT warning (PDF):
In most cases, the affected control system interfaces were designed to provide remote access for monitoring system status and/or certain asset management features (i.e., configuration adjustments). The identified systems range from stand-alone workstation applications to larger wide area network (WAN) configurations connecting remote facilities to central monitoring systems. These systems have been found to be readily accessible from the Internet and with tools, such as SHODAN, the resources required to identify them have been greatly reduced.
In addition to the increased risk of account brute forcing from having these systems available on the Internet, some of the identified systems continue to use default user names and passwords and/or common vendor accounts for remote access into these systems. These default/common accounts can in many cases be easily found in online documentation and/or online default password repositories. Control System owners and operators are advised to audit their control systems — whether or not directly connected to the Internet — for the use of default administrator level user names and passwords.
Shodan, which stands for Sentient Hyper-Optimized Data Access Network, is the "Google for hackers." It is essentially a search engine for servers, routers, load balancers and computers. Shodan's database contains devices identified by scanning the Internet for the ports typically associated with HTTP, FTP, SSH, and Telnet.
According to ICS-CERT, Shodan searches can be filtered by port, hostname, and/or country. Search results include information like HTTP server responses to GET requests, FTP and Telnet service banners and client/server messages exchanged during login attempts, and SSH banners (including server versions).
Now that it's clear that Shodan exposes insecure SCADA systems, the response group recommends the following:
- Place all control systems assets behind firewalls, separated from the business network
- Deploy secure remote access methods such as Virtual Private Networks (VPNs) for remote access
- Remove, disable, or rename any default system accounts (where possible)
- Implement account lockout policies to reduce the risk from brute forcing attempts
- Implement policies requiring the use of strong passwords
- Monitor the creation of administrator level accounts by third-party vendors
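Two of the recommendations above, account lockout against brute forcing and monitoring of administrator account creation by vendors, can be checked against an existing audit log before they are enforced on the device. The script below is an added example, not code from ICS-CERT or from any SCADA vendor. It assumes a hypothetical remote-access gateway log with lines of the form `<ISO timestamp> <EVENT> key=value ...` (the sample lines, the `LOGIN_FAIL`/`LOGIN_OK`/`ACCOUNT_CREATE` event names and the policy numbers are all constructed for the example); it replays the log against a sliding-window lockout policy, reports successful logins that the policy would have refused, and lists every admin-level account creation together with who created it and from where.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log for a hypothetical remote-access gateway in front of
# a control system. The format is assumed for this example, not taken from the
# ICS-CERT warning:  <ISO timestamp> <EVENT> key=value ...
SAMPLE_LOG = """\
2011-01-10T08:00:01 LOGIN_FAIL user=admin src=203.0.113.7
2011-01-10T08:00:03 LOGIN_FAIL user=admin src=203.0.113.7
2011-01-10T08:00:05 LOGIN_FAIL user=admin src=203.0.113.7
2011-01-10T08:00:07 LOGIN_FAIL user=admin src=203.0.113.7
2011-01-10T08:00:09 LOGIN_FAIL user=admin src=203.0.113.7
2011-01-10T08:00:11 LOGIN_OK user=admin src=203.0.113.7
2011-01-10T09:15:00 LOGIN_FAIL user=operator src=192.0.2.20
2011-01-10T09:40:00 LOGIN_FAIL user=operator src=192.0.2.20
2011-01-10T10:05:00 LOGIN_OK user=operator src=192.0.2.20
2011-01-10T11:00:00 ACCOUNT_CREATE user=vendor_svc role=admin by=vendor1 src=198.51.100.9
2011-01-10T11:01:00 ACCOUNT_CREATE user=shift2 role=operator by=operator src=192.0.2.20
"""

# Lockout policy parameters (assumed values chosen for the example).
LOCKOUT_THRESHOLD = 5                     # failures inside the window that trigger a lockout
LOCKOUT_WINDOW = timedelta(minutes=15)    # sliding window in which failures are counted
LOCKOUT_DURATION = timedelta(minutes=30)  # how long the account stays locked afterwards

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_line(line):
    """Parse one audit line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"), "event": m.group(2)}
    for kv in m.group(3).split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def analyze(log_text):
    """Replay the log against the lockout policy and flag admin account creation.

    Returns a dict with three lists:
      lockouts       - (user, ts) when the failure threshold was reached
      blocked_logins - (user, ts) successful logins the policy would have refused
      admin_created  - (new_user, created_by, src) for each admin-level account created
    """
    failures = defaultdict(list)  # user -> timestamps of failures still inside the window
    locked_until = {}             # user -> datetime at which the lockout expires
    result = {"lockouts": [], "blocked_logins": [], "admin_created": []}

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, user = ev["ts"], ev.get("user", "?")
        ts_str = ts.isoformat()

        if ev["event"] == "LOGIN_FAIL":
            # Drop failures that fell out of the sliding window, then count this one.
            recent = [t for t in failures[user] if ts - t <= LOCKOUT_WINDOW]
            recent.append(ts)
            failures[user] = recent
            # Trigger a lockout only if the account is not already locked.
            if len(recent) >= LOCKOUT_THRESHOLD and ts >= locked_until.get(user, ts):
                locked_until[user] = ts + LOCKOUT_DURATION
                result["lockouts"].append((user, ts_str))

        elif ev["event"] == "LOGIN_OK":
            # A success while the account should be locked means the policy was not
            # enforced on the device; report it so the operator can follow up.
            if user in locked_until and ts < locked_until[user]:
                result["blocked_logins"].append((user, ts_str))
            else:
                failures[user] = []  # a clean login resets the failure counter

        elif ev["event"] == "ACCOUNT_CREATE" and ev.get("role") == "admin":
            result["admin_created"].append((user, ev.get("by", "?"), ev.get("src", "?")))

    return result


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for name, items in report.items():
        print(f"{name}:")
        for item in items:
            print("   ", item)
```

On the sample log the `admin` account reaches five failures within two minutes and is reported as locked, so the successful login two seconds later shows up under `blocked_logins`; the `operator` account's two failures are 25 minutes apart and never cross the threshold; and only the `vendor_svc` creation is listed, because `shift2` is not admin-level. Against a real gateway log the same replay tells you whether the lockout policy the device claims to enforce actually held, and gives you the list of vendor-created admin accounts to review.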