I’ll start with the stats: we found 1,420 Raven Airlink devices in a wireless class B network that any customer with a wireless card from the carrier could access. These are ruggedized devices with Ethernet and serial connectors used for sending monitoring and control data back from the field.

We read way too many articles about SCADA and DCS being directly connected to the Internet and using the Internet for SCADA comms. You can find examples of this, but it is very rare. There is IP connectivity from the Internet to the corporate network to the control system network with multiple levels of firewalls, but extrapolating this to state that control systems are connected to and using the Internet is a stretch.

However, public networks freely accessible by unauthorized users have been sneaking into a growing number of control systems over the last five years in the form of wireless networks offered by Verizon and their competitors. These carriers are specifically targeting SCADA networks in the utility sector. We first blogged on this in 2005, and it has grown in the number of offerings and popularity since then.

This wireless broadband service is very attractive compared to many other field communication offerings. The bandwidth available is a significant increase over what is typically used, but more importantly the cost savings can be huge. We have seen examples where hundreds of dollars per site per month could be saved. Once these savings have been sold to management, it is very hard to get them to stop because of security concerns.

There has been some progress. Five years ago you could ping these devices on the carrier’s networks from the Internet. Today you have to be on the carrier’s network. In our case a number of our team use Verizon’s wireless broadband service while on the road, and this has come in handy in a number of assessments. If you are on Verizon’s network you can ping a field site’s static IP. There is still a lot of misinformation about this. More than once we have had discussions with Verizon where they did not know or believe we could ping a Raven used in SCADA with our Verizon card, and these are the tech support people advising customers. However, the gateway back at the main corporate site is often invisible to the network and seems to be hidden through the route configuration.

Another disturbing facet of the offering is that carrier installs of the Raven tend to be in the default configuration with none of the security features enabled. And again, in most cases the carrier did not even know the Ravens had security features. The Ravens actually have a very nice feature called a “Friends List” that restricts what IP addresses can connect to the Raven, and of course the default password of 12345 should be changed.

So after our experience with a few clients, we assumed there were a number of industrial users on the network. Since Ravens are easy to fingerprint, we performed a low and slow scan of a class B network and found, with a high probability, 1,420 Raven modems. We stopped there. We did not try to log in with default credentials, but I think it is safe to say most were probably in the default config. Charles, with an assist from Daniel, deserves credit for this work.

So should Verizon and other wireless broadband networks be used in SCADA networks? Well, it depends, and I’ll give you my thoughts on this tomorrow.