Thousands of control systems exposed on internet: researcher

Added by on April 25, 2013

Screenshot provided by a researcher who accessed a SCADA system over the internet in 2011

A researcher announced that he found over 100,000 control systems exposed on the internet, control systems that are potentially critical to infrastructure, manufacturing and other systems. These are known as Supervisory Control and Data Acquisition (SCADA) systems, and they are not designed for exposure on the internet.

“The sheer number of critical, bizarre, and just plain scary devices connected to the internet through serial port servers are an indication of just how dangerous the internet has become,” said HD Moore, the researcher who made the findings.

SCADA systems became broadly known when Stuxnet, a virus, was found to have sabotaged Iran’s nuclear program. The virus targeted a specific type of SCADA system and affected centrifuges used to enrich uranium, which is used in nuclear weapons.

In a blog post explaining how the research was carried out, HD Moore said the control systems that were found are connected to the internet through serial port servers – devices designed to bridge the capability gap between modern computer networks and the often proprietary networks used by SCADA systems.

The researcher said the exposed SCADA systems did not have any security, making them vulnerable to attack via the internet.

“Many serial devices do not require authentication and instead assume that if you are physically connected to a serial port (serial port servers), you probably have the right to configure the system,” added HD Moore.

According to HD Moore, organizations that are responsible for the insecure SCADA systems also connect their systems to mobile phone networks, which makes security vulnerabilities more difficult to detect.

“Few organizations are aware that their equipment can be accessed through serial ports connected through mobile networks. In some cases, the organization may assume that their specific mobile configuration prevents access from the internet…” added Moore.

Of the 114,000 systems connected to the internet, 13,000 provide a high level of access to any attacker who connects to them.

The researcher offered a number of remedies, including setting unique passwords on systems; many systems ship with default passwords that are never changed.

The researcher used a list of over 420,000 devices found by a project called the Internet Census 2012, which found the devices by performing basic scans on randomly selected network addresses. A previous and similar project identified 500,000 devices using another method.

A researcher named pr0f proved in 2011 that SCADA systems can be accessed over the internet by publishing information from a Polish waste-water treatment plant.

Detailed information about the researcher’s findings can be found on the Metasploit Project blog site.