Utility assets continue to be cyber vulnerable and critical information publicly accessible

Project SHINE recently found an electric substation directly connected to the Internet. Project SHINE analysts were able to see DNP3 ports, serial port server ports, Telnet interface ports, and a web page server. They discovered this via search engines without even accessing the site itself; the information is publicly available data collected by the search engine. Using a plain old web browser, they were able to identify the utility, the specific substation, and circuit breakers by utility serial number. They could also have accessed the relay configuration mode, but did not. From there, an Aurora attack could have been triggered, with dramatic consequences for utility customers' rotating equipment (e.g. data center cooling equipment, rotating machinery, generators). Because the substation was under 100 kV, it did not require a cyber-assessment under NERC CIP. Project SHINE provided this information to DHS. It is not clear what DHS has done with this information.

Project SHINE also found dozens of wind farms directly connected to the Internet with three-digit default passwords. The power stabilizer units were identified by manufacturer and model number. Compromising the power stabilizer units can cause damage to the turbines.

Project SHINE was started by two utility personnel to interrogate the Shodan website for control system devices directly connected to the Internet. Project SHINE has compiled a current list of more than 1,000,000 Internet-accessible IP addresses associated with potentially vulnerable industrial control and management systems. An article detailing the project and describing the list was translated into Persian and posted on hacker forums in January 2013.

A representative from Project SHINE will discuss the results at the October ICS Cyber Security Conference.

Joe Weiss