A number of loyal readers have been sending in examples of vulnerable, Internet accessible control systems. The example below from Patrick Stave of Norway is representative of what we are receiving. In this case, I 100% agree with ICS-CERT that if you have your SCADA or DCS on the Internet, you are facing an increased risk.
Check out Shodan for “NS web interface”.
This is a HMI-panel with remote operation from Omron.
Runs on 1980s Microware OS9 operating system.
Default user details (actually they are difficult to change!):
Only operation mode requires authentication.
All panels where the password has been changed can still be monitored on URL /monitor.htm
Also some of theese can be altered with the engineering software CX-designer over web without authentication (of course a result of port forwarding from the user).
Also the panel can be used as a gateway to connect to the PLC and visa-versa.
Have found several examples of PLCs directly configurable / controlled over internet without authentication.
Patrick then provided some screenshots showing some displays:
British monitoring and water feed control for a hydroelectric power plant. Accessible / controllable / programmable over the Internet, with no password.
A large water/sewage monitoring system for a county.
Italian HVAC system, both PLC and HMI fully controllable and programmable over the Internet.
To reiterate a point made in past blog entries, almost all, 95%+, critical infrastructure SCADA and DCS are not directly accessible from the Internet. An attacker would need to gain a foothold on the corporate network and then attack from there through the ICS security perimeter firewall.
That said, there are a number of municipal, county, small to medium business, SCADA and DCS on the Internet. Eireann Leverett found more than ten thousand in the research he presented at S4. Given the popularity of Shodan and other search tools, combined with the popularity of ICS security hacking, owner/operators should assume Internet connected SCADA and DCS will be probed in ways they have not the past decade.
Image by balleyne