Softpedia
 

November 2nd, 2010, 18:58 GMT · By

Researchers Can Locate Vulnerable SCADA Systems via Public Search Engine

Vulnerable SCADA Systems can be located with SHODAN
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a security alert warning SCADA system operators, integrators and vendors that vulnerable systems can be easily located online through a public search engine.

"The ICS-CERT has recently received several reports from multiple independent security researchers who have employed the SHODAN search engine to discover Internet facing SCADA systems using potentially insecure mechanisms for authentication and authorization," the organization writes in its notification [pdf].

Supervisory Control and Data Acquisition (SCADA) systems are used to manage and monitor critical equipment in power and water plants, gas and oil refineries, factories and other industrial facilities.

Security experts believe that attacks against SCADA systems will significantly increase in the coming years and that malware development will also take this direction.

Vendors have long relied on the obscurity of such systems to keep them protected from cyber attacks, and Stuxnet has demonstrated that they are largely unprepared to respond quickly to such threats.

SHODAN is a search engine focused on finding computers, such as those running particular software or generating a particular type of traffic.

The service indexes metadata contained in request headers and can be used to find routers, servers and so on, using a variety of advanced filters.

ICS-CERT notes that most vulnerable SCADA systems located with SHODAN were improperly configured for remote monitoring or management.

Unfortunately, most of them still used default accounts and passwords, which can easily be learned by attackers from official documentation.

"The identified systems span several critical infrastructure sectors and vary in their deployment footprints. ICS-CERT is working with asset owners/operators, Information Sharing and Analysis Centers (ISACS), vendors, and integrators to notify users of those systems about their specific issues," the group said.

ICS-CERT recommends adopting Virtual Private Network (VPN) solutions for remote management and isolating such systems from regular business networks via internal firewalls.

Furthermore, all default credentials should be changed when possible and account lockout policies should be implemented in order to block brute-force password guessing attacks.
