Project SHINE Illuminates Sad State Of SCADA/ICS Security On The Net

One million ICS/SCADA devices -- and counting -- found exposed on the public Internet, researchers say

A global Internet-scanning project focused on finding SCADA/ICS equipment and systems accessible via the public Internet is discovering some 2,000 to 8,000 new exposed devices each day.
Project SHINE, which has been gathering data on SCADA/ICS devices from SHODAN for a year-and-a-half, has identified more than 1 million unique IP addresses thus far, according to Bob Radvanovsky, one of the researchers behind it. I would say one-fourth or one-third of them are devices that could be vulnerable to malware attacks ... and buffer overflows, cross-site scripting, things of that nature, he says. [And] we feel the majority are misconfigured or improperly configured.
This has been a common theme among other global scanning projects searching for exposed devices on the Internet. Many of these devices discovered -- everything from home routers to servers -- contain default backdoor-type access by their vendors for internal ease of use and access, including default passwords or
major security holes
. And the sites running these products typically are unaware of these holes or the potential dangers associated with these devices sitting exposed on the Net. They often dont even know the devices are Internet-accessible.
But locking down or securing these vulnerable devices on the Internet has been much harder than finding them. The
well-publicized scanning projects by renowned researcher HD Moore
havent yielded the expected fixes. Moore says Universal Plug and Play (UPnP) devices, for example, still remain exposed on the Net despite his discovery and disclosure of some 40 to 50 million networked devices in harms way via flaws in the pervasive UPnP protocol, which is enabled by default in most printers, routers, network-attached storage, IP cameras, media players, smart TVs, and even video game consoles.
Moore is one of the pioneers of this practice and, most recently, led his company, Rapid7, in forming a community Internet-scanning initiative called Project Sonar. The goal is to provide a way for researchers to share their data as well as to educate vendors whose products are discovered via scans -- and to raise public awareness of the vulnerability of this Internet-facing equipment.
[Project Sonar community initiative launched for sharing Internet-scanning data, tools, and analysis. See
Researchers Unite To #ScanAllTheThings
.]
Project SHINE has no plans to join up with Project Sonar, says Radvanovsky, who has found via the scans both traditional SCADA/ICS devices and software such as programmable logic controllers (PLCs), remote terminal units (RTUs), sensors, SCADA human machine interface (HMI) servers, and DCS, as well as relative outliers such as medical devices, traffic management systems, automotive control systems, traffic light control systems, HVAC systems, power regulators, CCTV and webcams, serial port servers, and data radios.
Radvanovsky runs the project out of his basement, and he and colleague Jake Brodsky use the online search engine SHODAN combined with their own tools to identify SCADA-specific equipment. The researchers crafted their own search terms to find those types of devices among the devices mapped in the SHODAN database. We created our custom app that harvests data from the [SHODAN] search engine, he says. They are all flat files right now, but we are going to need to convert to a SQL database -- theres that much data.
Much of the equipment Project SHINE has found are embedded devices, as well as Web interfaces for managing devices, for instance. Weve had some oddball scans...[control systems for] mining trucks, for example, which arent your typical SCADA systems, Radvanovsky says.
In one case, Radvanovsky says he found an HVAC system in a building in Florida and discovered that the exposed interface could actually let someone alter the temperature settings of the system remotely via the Internet. It was 92 degrees outside, and it was a comfortable 78 inside, and we could change the temperature through the management interface, he says.
Rapid7s Moore, who is also the creator of Metasploit, says the SHINE Project can help determine the state of SCADA equipment on the Internet. The SHINE project can definitely improve our understanding of vulnerabilities in Internet-facing SCADA equipment. At the moment, it isnt clear what type industries are most exposed, what vendors are better or worse than others, and or whether there are classes of vulnerabilities that span a large portion of SCADA infrastructure, Moore says. We are seeing security researchers continue to focus on embedded systems, both SCADA and otherwise, and so far, the results have been frightening. The security of your average smartphone is decades ahead of the embedded platforms used by ICS and SCADA equipment.
Moore says Sonars initial focus is on making data, tools, and methods available to more researchers and vendors. Rapid7 is also exploring ways to classify devices and industry sectors that are vulnerable on the Net.
Project SHINE, meanwhile, has
spotted
products of some big-name vendors, including Allen-Bradley, Caterpillar, Emerson, Honeywell, Mitsubishi, Phillips, Rockwell, Schneider, and Siemens. Most systems were discovered via Web, telnet, and FTP interfaces, with a growing number SNMP interfaces exposed as well.
One word: astonishing, Radvanovsky says of what his research says about the state of SCADA/ICS security. The asset owners of legacy infrastructure organizations do the bare minimum necessary [security-wise] to keep their environment operating, he says.
Project SHINE more than anything else is about awareness. We want to make sure industry and government alike know ... We are constantly finding new devices. What does that tell you? he says.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Project SHINE Illuminates Sad State Of SCADA/ICS Security On The Net