ICSs and the Internet – what is actually happening
There were two recent news items with respect to ICSs and the Internet:
- In 2012, Eireann Leverett estimated the cost of finding industrial systems on the Internet at about $1.59 per device/machine. In 2013, Reid Wightman and Eireann looked for a specific type with known vulnerabilities and got a cost of about $0.12 per vulnerable device. The folks at SCADA Strangelove mentioned they were able to find them at roughly $0.13 per vulnerable device. Last week, Jon Matherly revealed that he has added 7 ICS specific protocols to Shodan. With these 7 queries you can get 55,167 hits as of today. The economics suggests $20 for Shodan API fee /55,167 = $0.0003 per device/machine. Eireann expects it will cost less than 1 penny to find ICS devices on the Internet.
- DHS's ICS-CERT announced that hackers recently targeted and compromised a US public utility's control system. According to the DHS, the hackers broke into the utility's control system by accessing an Internet portal that employees use to sign on remotely. Apparently, the intruders mounted a "brute force" attack, guessing different password combinations until they found one that worked.
Now add the following selected (there are many more known) incidents:
In October 2013, a utility‘s substation located in a state capital had a substation device directly connected to the Internet on one side and SCADA on the other. Even worse, the device vendor’s website allowed the device to be remotely reconfigured.
In April 2014 a major utility’s renewable generation resources were controlled through inadequately secured web portals.
Project Shine found tens of thousands of ICS and ICS-related devices directly connected to the Internet. Even worse, Iran translated the Project Shine website into Farsi.
A US nuclear plant was fined for having control room computer systems used as terminals for Internet-based computer games.
The story is that MANY ICSs are connected to the Internet and it isn’t expensive to find them. ICSs continue to be connected to the Internet even though they may not be cyber secure. What’s more the new buzzwords are the “Internet of Things” and the “Industrial Internet” without defining what is really meant by “the Internet”. Be careful what you ask for - you just might get it.