SCADA Shodan

All ICS are not created equal, at least not in their impact on the critical infrastructure. There is a tendency to treat every ICS vulnerability or ICS security issue as a dire threat to a nation's critical infrastructure. Those responsible for securing the critical infrastructure don't have the bandwidth to address every ICS security issue, and probably shouldn't unless a government believes they are an adjunct to every company's security department.

The latest and largest example is the worthy effort by Project SHINE, Eireann Leverett (see his S4 presentation) and other researchers to highlight the problem that a large number of insecure ICS devices are accessible from the Internet. Project SHINE has found over 500,000 Internet accessible ICS devices in six months, so there is no disputing that this is a security issue for a large number of companies and organizations.

The question is what should be done about this? In particular, what should a government organization responsible for homeland security, such as DHS, do about it? Finding out who owns these devices is not easy, and the numbers would require either staffing up or allocating a significant percentage of ICS-CERT or other DHS resources to this one problem.

Almost all of these systems are not what the US Government would label as critical infrastructure ICS (let's say the top 1000, if such a list exists). This is self evident: even if all 1000 had Internet accessible connections, they would amount to only 0.2% of the SHINE findings. In our experience, which admittedly is limited by our size and by the fact that we work with ICS owner/operators who pay for security consultants, ICS that a consensus would consider critical infrastructure are not Internet accessible. This has been true for about five years now. I'm not arguing that critical infrastructure ICS are adequately secured, but their being Internet accessible is not one of the significant problems. Therefore, if DHS is focused on securing the ICS that run the critical infrastructure, then tracking down the SHINE identified devices would be highly inefficient risk reduction.

DHS and other government organizations can do, and are doing, a good job of highlighting this widespread problem and the risk associated with it. These organizations are well suited to this security awareness role because of the respect and attention they garner from the media and business. I'd argue this is efficient risk reduction if Alerts and presentations raise awareness and result in thousands of ICS owner/operators looking for their own Internet accessible ICS devices.

So what happens with the SHINE and other data? Like any disclosure, it is purely up to the discoverer. They could post the information for owner/operators to view on a public or private forum. They could attempt the Herculean effort of contacting the device owners, and this actually may happen: the SHINE team is beginning discussions with EnergySec to assign this task to an EnergySec Working Group. The Shodan and SHINE researchers are passionate about getting ICS devices off the Internet, so I wouldn't doubt their success.
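If the data is posted for owner/operators to view, the first thing an owner/operator should do with it is check whether any of their own address space appears in it. The script below is an added example, not code from this post, from Project SHINE or from Shodan. It takes a list of constructed records in a Shodan-like shape (IP, port, banner), keeps those on default ICS protocol ports, and matches them against the organization's own CIDR ranges. The sample records use RFC 5737 documentation addresses and are made up for the example; the port-to-protocol table is a heuristic (a device on port 502 is probably Modbus/TCP, but only a banner or a protocol handshake confirms it), so every hit should be verified before anyone concludes a device is exposed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records in a Shodan-like shape. These addresses are
# RFC 5737 documentation ranges, not real exposed devices.
SAMPLE_RECORDS = [
    {"ip": "192.0.2.15", "port": 502, "banner": "Modbus/TCP unit id 1"},
    {"ip": "192.0.2.77", "port": 80, "banner": "HTTP/1.1 200 OK Server: nginx"},
    {"ip": "198.51.100.9", "port": 20000, "banner": "DNP3 outstation"},
    {"ip": "203.0.113.4", "port": 102, "banner": "Siemens S7 ISO-TSAP"},
    {"ip": "203.0.113.200", "port": 44818, "banner": "EtherNet/IP ListIdentity"},
    {"ip": "203.0.113.201", "port": 47808, "banner": "BACnet/IP"},
]

# Default ports for common ICS protocols. A port match is a heuristic for
# triage, not proof of the protocol; confirm with the banner or a handshake.
ICS_PORTS = {
    102: "S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}


def ics_records(records):
    """Keep only records on a known ICS port, annotating each with the protocol name."""
    out = []
    for r in records:
        proto = ICS_PORTS.get(r["port"])
        if proto:
            out.append({**r, "protocol": proto})
    return out


def match_own_ranges(records, own_cidrs):
    """Group records by the first of the organization's own CIDR ranges containing their IP.

    Returns {cidr: [records]} containing only the ranges that had at least one hit.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in own_cidrs]
    hits = defaultdict(list)
    for r in records:
        addr = ipaddress.ip_address(r["ip"])
        for net in nets:
            if addr in net:
                hits[str(net)].append(r)
                break
    return dict(hits)


def exposure_report(records, own_cidrs):
    """Records on ICS ports that fall inside the organization's own address space."""
    return match_own_ranges(ics_records(records), own_cidrs)


if __name__ == "__main__":
    # Hypothetical owner/operator netblocks for the example.
    for cidr, found in exposure_report(SAMPLE_RECORDS, ["192.0.2.0/24", "203.0.113.0/25"]).items():
        for rec in found:
            print(f"{cidr}: {rec['ip']}:{rec['port']} {rec['protocol']} ({rec['banner']})")
```

In a real run the records would come from a published SHINE/Shodan dataset or an export of the owner/operator's own external scan rather than the constructed list; the matching logic is the same. An empty report does not mean nothing is exposed, only that nothing in the supplied data landed in the supplied ranges.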

Let me leave you with another, more difficult example. Billy Rios and Terry McCorkle found a large number of freely downloadable HMI and EWS applications, and they found these applications fraught with vulnerabilities when subjected to ActiveX and form field fuzzing. They turned over hundreds of vulnerabilities to ICS-CERT, partly because they didn't want to deal with the huge amount of work involved in coordinating them with the affected vendors. By the same "all ICS are not equally critical" argument, ICS-CERT should be identifying which of these applications are used in the critical infrastructure and focusing on those. The applications not used in the critical infrastructure should get a streamlined handling process that takes much less time.