Control System Internet Accessibility
Internet-facing control systems have been identified in several critical infrastructure sectors. The systems vary in their deployment footprints, ranging from stand-alone workstation applications to larger distributed control system (DCS) configurations. In many cases, these control systems were designed to allow remote access for system monitoring and management. All too often, remote access has been configured with direct Internet access (no firewall) and/or default or weak user names and passwords. In addition, those default/common account credentials are often readily available in publicly available documentation. In all cases, ICS-CERT has worked with these organizations to remove default credentials and strengthen their overall security.
Recent examples include:
- In February 2011, independent security researcher Ruben Santamarta used SHODAN to identify online remote access links to multiple utility companies' Supervisory Control and Data Acquisition (SCADA) systems. Mr. Santamarta notified ICS-CERT for coordination with the vendor and the affected control system owners and operators. Further research indicated that many systems were using default user names and passwords.
- In April 2011, ICS-CERT received reports of 75 Internet-facing control system devices, mostly in the water sector. ICS-CERT worked with the Water Sector ISAC and the vendor to notify affected control system owners and operators. Many of those control systems had their remote access configured with default logon credentials.
- In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet-facing devices that he discovered using SHODAN. To date, this response has included international partners and approximately 63 other CERTs in the effort to notify the identified control system owners and operators that their control systems/devices were exposed on the Internet.
- In November 2011, another individual claimed to have directly accessed an Internet-facing control system. The report indicated that the individual gained access using a default username and password. ICS-CERT notified the affected control system owner and advised the owner to disconnect the control system from the Internet and reconfigure the remote access security. ICS-CERT also coordinated with the SCADA vendor to provide the owner detailed instructions for removing the default logon account.