Internet-Exposed Energy Control Systems Abound

Researchers found substations and wind farms among 2.2 million control system devices linked to the Internet. And they have yet to measure the true depth of this security exposure

2 min read
Internet-Exposed Energy Control Systems Abound
Internet-linked control systems discovered daily by Project SHINE.
Infracritical

Two-and-a-half years ago researchers at Chicago-based cyber security firm Infracritical set out to measure how many industrial control systems are openly exposed to the Internet. Their disquieting findings are up for discussion today at the 2014 ICS Cyber Security Conference in Atlanta.

Infracritical remotely identified over 2.2 million unique IP addresses linked to industrial control systems at energy-related sites including electrical substations, wind farms, and water purification plants. And they were still logging an average of 2,000-3,000 new addresses per day when they closed the count in January 2014.

"We never reached bottom," says Infracritical cofounder Bob Radvanovsky, an expert in securing supervisory control and data acquisition (SCADA) systems.

Infracritical identified more than 2.2 million unique IP addresses linked to industrial control systems at electrical substations, wind farms and other energy infrastructure

It has long been known that many infrastructure control systems are connected to the Internet. Radvanovsky, a self-professed critical infrastructure evangelist and cyber security mad scientist, and his colleague Jacob Brodsky are among the first to measure that vulnerability and to risk legal attack by naming the vendors whose equipment shows up.

To get answers they relied on a publicly-accessible search engine called Shodan that sniffs out and catalogues Internet-connected devices. Infracritical's project SHINE (for SHodan INtelligence Extraction) built search queries for Shodan using the names of 182 SCADA suppliers and their leading products. 

Additional SHINE search terms sought out devices that hackers have used as back-doors to sensitive networks, such as the industrial air conditioning controls linked to the cyber-breach at retailer Target that compromised 70 million credit cards last year.

'We never reached bottom'

The list of discoverable devices documented by SHINE reads like a who's-who of top manufacturers, including SCADA and energy management system vendors Siemens, EnergyICT, and Honeywell. Many devices revealed not only their presence but also hardware and firmware metadata that could help a hacker zero in on documented security flaws. 

Radvanovsky acknowledges that shifting IP addresses mean there is some duplication in SHINE's count. But he argues that new devices accounted for most of ongoing detections during SHINE's 21.5-month search, and their resulting inability to establish a baseline number of exposed devices.

For one thing, Radvanovsky and Brodsky continued adding search terms during the project as they became aware of additional vendors or as vendors added products. 

In less than two hours the honeypot was subjected to an attack. By day three, they’d counted more than 4,000 attacks

Shodan's limitations may also have slowed the discovery of both new and pre-existing devices. Though Shodan has been running since 2009, it has what Radvanovsky describes as a "very slow and methodical" ingestion process. "Shodan is not aggressive like Google. That leads us to believe that not all devices have been encountered," says Radvanovsky.

At today's talk Radvanovsky planned to discuss a new project that measures the pressure facing Internet-exposed devices. Initiated last Monday, Infracritical's RUGGEDTRAX project provides a honey-pot for hackers: a Siemens Ruggedcom serial-to-Ethernet converter, whose web interface is "lightly configured" in keeping with the devices discovered through project SHINE.

"In less than two hours it was subjected to a brute force attack from IP addresses appearing to be originating in China. By Thursday morning we'd counted over 4,000 attacks," says Radvanovsky. 

The Conversation (0)

Smokey the AI

Smart image analysis algorithms, fed by cameras carried by drones and ground vehicles, can help power companies prevent forest fires

7 min read
Smokey the AI

The 2021 Dixie Fire in northern California is suspected of being caused by Pacific Gas & Electric's equipment. The fire is the second-largest in California history.

Robyn Beck/AFP/Getty Images

The 2020 fire season in the United States was the worst in at least 70 years, with some 4 million hectares burned on the west coast alone. These West Coast fires killed at least 37 people, destroyed hundreds of structures, caused nearly US $20 billion in damage, and filled the air with smoke that threatened the health of millions of people. And this was on top of a 2018 fire season that burned more than 700,000 hectares of land in California, and a 2019-to-2020 wildfire season in Australia that torched nearly 18 million hectares.

While some of these fires started from human carelessness—or arson—far too many were sparked and spread by the electrical power infrastructure and power lines. The California Department of Forestry and Fire Protection (Cal Fire) calculates that nearly 100,000 burned hectares of those 2018 California fires were the fault of the electric power infrastructure, including the devastating Camp Fire, which wiped out most of the town of Paradise. And in July of this year, Pacific Gas & Electric indicated that blown fuses on one of its utility poles may have sparked the Dixie Fire, which burned nearly 400,000 hectares.

Until these recent disasters, most people, even those living in vulnerable areas, didn't give much thought to the fire risk from the electrical infrastructure. Power companies trim trees and inspect lines on a regular—if not particularly frequent—basis.

However, the frequency of these inspections has changed little over the years, even though climate change is causing drier and hotter weather conditions that lead up to more intense wildfires. In addition, many key electrical components are beyond their shelf lives, including insulators, transformers, arrestors, and splices that are more than 40 years old. Many transmission towers, most built for a 40-year lifespan, are entering their final decade.

Keep Reading ↓ Show less