This is mind boggling. Who installs these systems? Who maintains them? Surely this is supposed to be done by someone with at least a certain amount of clue? Enough clue not to hook up your insecure gear to the internet? No?
I don't even get how this happens. Surely these things are not just plugged in to a modem? There has got to be some kind of LAN involved. If there is, then there should at least be an edge firewall. Or even a simple garden variety gateway with NAT, which would already prevent all of those open ports from being accessible. So what gives? Are people deliberately hooking this gear up to the internet, deliberately exposing ports without taking security into consideration? That is patently insane.
How much do engineers specializing in these systems get paid? I interviewed at a couple of places that do industrial-style systems and in one case, I got an offer that clocked in far below the requested rate (not a negotiation tactic, they declined to revise it), and at another, the recruiter couldn't hang up fast enough when she heard salary requirements.
It's something like the Idiocracy Effect. In Idiocracy, the present-day world's best minds devote all their energy to eliminating hair loss and prolonging erections, eventually leading to a collapsed society. The real world is not too far off. Our best minds are dedicated to improving ad targeting and keeping users in vanity-gratifying loops on social media, while our industrial control systems that literally run the modern world wallow in the 70s.
Everyone has some culpability in that. How many of us yearn to work for the local power utility (or one of their upstream vendors) rather than Facebook, Google, or the latest VC pump-and-dump scheme -- err, I mean, hot SV unicorn? Even if they did compensate competitively, are there enough hackers with a sense of [realism/duty/patriotism/INSERT_OTHER_SOCIAL_VALUE_HERE] to heed the call?
There's definitely a role for some type of regulation or standards here. Industrial controls should be considered vital infrastructure that require serious and immediate investment. A brief visit to Shodan will show thousands of exposed industrial resources, and that should scare your pants off.
I used to work in the industrial controls industry. The systems are often designed by application engineers working for the industrial control equipment’s manufacturer or distributor. In the case of distributors, the engineering work is often provided for “free” and paid for with the markup the distributor applies over their cost to purchase the components direct from the manufacturer. Those same application engineers will be involved with helping to make the sale. If a customer asks “can I connect this to the Internet?”, any response other than “of course!” is liable to result in a talking to from the sales manager for that account.
> Surely this is supposed to be done by someone with at least a certain amount of clue? Enough clue not to hook up your insecure gear to the internet? No?
The way I understand it (and what my brief experience in writing software for industrial use confirms), it's the usual: the people making purchase decision have little to no clue, which - in absence of regulations - allows companies selling these products and services to not care, employ people without clue, and/or purposefully trade off quality for sales points (think of how many pseudo-features you can add to a PLC once you hook it up to the cloud).
I don't know about ICS, but CCTV cameras, HVAC controls and parking gates are too often installed by technicians with little to no IT knowledge. They ask local IT to open a port (i.e. port forwarding) for remote management or servicing without knowing the implications. When offered a VPN they often refuse - they do not want it or do not know how to use it.
My (not vast) experience with this stuff is that it’ll often get plugged directly into an LTE-Ethernet modem. Or, depending on the vintage of the equipment, the chain looks more like LTE-Ethernet modem connected to a “serial port concentrator” with Ethernet on one side and a bunch of serial ports on the other side. Sometimes the installers will turn on IP Whitelisting on the inbound ports, but sometimes that gets skipped.
I can't say much about Switzerland, but on a slightly related note, in Poland we have automatic doors in trains that don't bother detecting if someone's in the doorway before closing. I'm honestly surprised that these didn't kill a single child yet.
SCADA and industrial stuff are absolutely terrible. Plenty of places where relays will happily change state when you send alternating packets of all 0's and 1's via UDP. Anything from heating / cooling, building lights, alarm systems and industrial processes are wide open. This is definitely not limited to certain countries.
Organizations using ICS equipment could use this tool to find their own systems that are accessible to the internet. However, I would imagine that companies that are responsible enough to perform checks like these hopefully already have procedures in place to prevent issues like this.
This illustrates something I'm worried about. Cyber as a battle space, and the extreme vulnerability of some countries negates some of the traditional strategic advantages that superpowers have had. That will rebalance in time. But I worry that for an up and coming power with a kick-ass cyberwarfare operation, there is no better time to start a war than right now.
One saving grace is that if a cyber attack was bad enough, it would likely result in retaliation in the physical space, provided attribution could be proven. Superpowers generally have armed forces far superior to asymmetric attackers and would be able to inflict punitive damages far beyond the cost of the initial cyber attack. There is some deterrence against some of the worst attacks eg: knocking out a power grid.
If you look at the pattern of really nasty cyber attacks against infrastructure and industry, they usually are the other way around. Stuxnet was the US attacking Iran, Ukraine was attacked by Russia.
This whole submission looks like an ad for Shodan. For those who don't know, Shodan is basically a search engine on top of a DB created by mass port scanning. If it sounds shoddy as fuck to you, you would be right. They basically managed to find a few ISPs that disregard hundreds or possibly thousands of abuse notifications they must be receiving and they are monetising their find. No doubt someone will reply "but port scanning is not illegal", well walking from car to car and trying door-handles to see if any are open in a supermarket car park is also not illegal, but don't be surprised if you get a security guy's baton treatment if you're spotted doing that. My point is, it is not illegal, but it is also not acceptable. Don't believe me? Try to do a mass port scan on any normal ISP's connection. You'll be getting a phone call or a letter in the post to stop it soon or they will disconnect you. Same with AWS, Azure, Rackspace and any other reputable cloud provider. "Oh, but we provide a much needed service to companies that need to be notified if any unsecured devices pop up on their network" - they'll say. My answer to this is that there are hundreds if not thousands of WhiteHat scanning companies that will happily provide you with a scanning service if you prove you own the range. It is only Shodan that will preemptively scan everyone and then let people search their DB. This is basically equivalent to a script kiddie running nmap on 0.0.0.0/0. Seriously, this is not OK.
Some ISPs that should be named and shamed for allowing this to be going on:
SingleHop - a US based cloud provider
CariNet Inc from San Diego - another small cloud provider
M247 Europe - a Colo provider in Romania
The above have been found to be hosting one or more of the servers that do the actual Shodan scanning. Servers are named censusX.shodan.io where X is a single digit.
I suggest that everyone annoyed with Shodan's activity emails those service providers and tells them what they think about it.
People freaking out about port scans are pretty much part of the problem, not the solution. They are who block ICMP making P-MTU discovery broken, etc.
Making people jump through hoops to get a port scan also seems to be part of the problem.
The network operator community is slowly progressing on building out the necessary infrastructure (both institutional and technical) to deal with DDoSes in a kind of automated way. (Initially BGP null route / blackhole propagation, now some extra computation - so just drop certain percentage of packets, that match this trivial bitmask, etc.)
All this is because people forget how easy it was to get your unpatched Win XP machine owned by Blaster/MyDoom. And it's not much harder today with IoT devices, countless unpatched WordPress, phpMyAdmin, Django, RoR sites.
Of course, I'm not particularly happy about this state of things, but I have no issue with scanning, I have a lot more problem with real malware left unchecked, opportunists mistaken for real abusers.
Shodan is far from the only 'player' in that space. And the scans aren't necessarily as noisy as you think.
There's enough 'internet background radiation', script-kiddies and viruses scanning the internet, that a heavier-weight scanner that has a few agents to do the scanning, and is somewhat clever about how they allocate IPs and ports to the agents can disappear into the background noise.
And if you really want to spread out the load, it'd probably be depressingly easy to recreate the 'Internet Census 2012' / Carna botnet https://en.wikipedia.org/wiki/Carna_botnet
NB that having something like Shodan is invaluable to defenders in identifying potential hosts for botnets.
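The "clever allocation of IPs to agents" mentioned above, as an added example for this thread (it is not Shodan's code, nor any production scanner). It uses the trick the ZMap paper describes: walking powers of a generator of the multiplicative group modulo a prime visits every address exactly once in scrambled order, and agent k simply takes every num_shards-th element, so the agents need no shared queue or coordination and each one's sequence is reproducible from its shard number alone. Assumptions: the block is a /16, so the prime 65537 = 2^16 + 1 fits it exactly (ZMap uses p = 2^32 + 15 for all of IPv4 and skips the surplus residues); 10.0.0.0/16 below is a private range picked only for illustration.

```python
"""Stateless, randomised sweep of a /16 split across several scanner agents.

Added example, not code from the thread or from Shodan. The order in which
each agent probes hosts is a slice of one global permutation of the block,
so the traffic is spread out in both time and address space and no central
state is needed.
"""
import ipaddress

P = 65537   # prime; {1..65536} under multiplication mod P is a cyclic group of order 2^16
G = 3       # primitive root modulo 65537: G**i mod P runs through 1..65536 exactly once


def is_generator(g: int) -> bool:
    """True if g generates the whole group mod P.

    P - 1 = 2^16, so every proper subgroup has order dividing 2^15 and
    g is a generator exactly when g**(2^15) mod P is not 1.
    """
    return pow(g, (P - 1) // 2, P) != 1


def agent_walk(shard: int, num_shards: int, block: str, g: int = G):
    """Yield the addresses of `block` (a /16 in CIDR notation) assigned to agent `shard`.

    Agent k starts at g**k and multiplies by g**num_shards each step, i.e. it
    takes positions k, k+num_shards, k+2*num_shards, ... of the global permutation.
    """
    net = ipaddress.ip_network(block)
    if net.prefixlen != 16:
        raise ValueError("this example is sized for a /16 (P = 2^16 + 1)")
    if not 0 <= shard < num_shards:
        raise ValueError("shard must be in [0, num_shards)")
    if not is_generator(g):
        raise ValueError(f"{g} does not generate the group modulo {P}")
    base = int(net.network_address)
    x = pow(g, shard, P)                 # this agent's first residue
    stride = pow(g, num_shards, P)       # jumps over the other agents' positions
    # positions k, k+N, k+2N, ... that are below P-1: ceil((P-1-k)/N) of them
    count = (P - 1 - shard + num_shards - 1) // num_shards
    for _ in range(count):
        yield ipaddress.IPv4Address(base + x - 1)   # residues 1..65536 -> host offsets 0..65535
        x = (x * stride) % P


def verify_partition(num_shards: int, block: str, g: int = G) -> bool:
    """Check that the agents' walks are disjoint and together cover every address of the block."""
    net = ipaddress.ip_network(block)
    seen, total = set(), 0
    for k in range(num_shards):
        for addr in agent_walk(k, num_shards, block, g):
            seen.add(addr)
            total += 1
    return total == len(seen) == net.num_addresses and seen == set(net)


if __name__ == "__main__":
    NET = "10.0.0.0/16"   # private block, illustration only
    print(verify_partition(4, NET))                            # True
    print([str(a) for a in list(agent_walk(0, 4, NET))[:5]])   # scrambled, not sequential
```

A real scanner picks a fresh generator per run (any g with `is_generator(g)`), so consecutive sweeps hit the same block in different orders, and interleaves ports the same way; the partition check is what you would run once to convince yourself the sharding neither skips nor double-probes a host.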
Hiding our heads in the sand only means that the vulnerabilities will not be fixed and that only especially crafty attackers (i.e. the most dangerous ones) can exploit them. We need more openness, not security based on someone's feelings of morality.
Industrial control systems are experiencing the growing pains of letting go of older technology that was designed prior to security being much of a concern.
ICS networks are often designed to be 'air gapped'. All too often the air gap is broken via a vpn into the network so that someone can RDP to a windows scada machine (that doesn't receive updates because it can't reach the internet itself).
Agreed. These protocols are difficult to secure. However, it shouldn't be difficult to isolate devices from the internet. Isolation doesn't protect against inside attackers or an external user causing trouble after getting into the network. It should be obvious these devices shouldn't have access to the internet.
The number of ICS directly connected to the Internet has grown 10% every year since we started tracking them at Shodan (https://exposure.shodan.io) so even worse this is an increasing problem. This is a known issue in the security industry and has been for a while but fixing it is a hard problem.
The other thing we've noticed is that people are putting the ICS devices on non-standard ports in an attempt to hide them from Internet crawlers. This means that there are people that know this is a bad idea and instead of putting it behind a VPN or something more secure they just decide to change ports and leave it at that.
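Why moving a PLC off TCP/502 hides nothing from a crawler, as an added example for this thread (not Shodan's code or any vendor's; the device strings and byte strings are constructed by hand). A Modbus/TCP frame is identifiable from its bytes alone: the MBAP header carries a protocol identifier that is always 0 and a length that must equal the number of bytes that follow it, and the next byte is a function code from a small public set. A crawler that recognises that framing on any port then sends a Read Device Identification request (function 43, MEI type 14) and reads vendor, product and revision straight out of the reply. "ExampleVendor", "PLC-1000" and the port numbers are invented for the sample.

```python
"""Recognising Modbus/TCP by its framing rather than by its port.

Added example, not code from the thread or from Shodan. Sample frames are
constructed for illustration.
"""
import struct

# Public Modbus function codes; an exception response sets the high bit (0x80 | code).
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}

# Basic device identification objects returned for Read Device ID code 0x01.
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def looks_like_modbus_tcp(payload: bytes) -> bool:
    """True if `payload` is one well-formed Modbus/TCP ADU, whatever port it came from."""
    if len(payload) < 8:                      # 7-byte MBAP header + at least a function code
        return False
    _tid, protocol_id, length, _unit, function = struct.unpack(">HHHBB", payload[:8])
    if protocol_id != 0:                      # Modbus/TCP protocol identifier is always 0
        return False
    if length < 2 or length != len(payload) - 6:   # length covers unit id + PDU
        return False
    return (function & 0x7F) in PUBLIC_FUNCTION_CODES


def build_device_id_request(transaction_id: int, unit_id: int = 0xFF) -> bytes:
    """Read Device Identification request: FC 0x2B, MEI 0x0E, read code 0x01, object 0x00."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])
    mbap = struct.pack(">HHHB", transaction_id, 0, 1 + len(pdu), unit_id)
    return mbap + pdu


def parse_device_identification(payload: bytes) -> dict:
    """Return {object name or id: value} from a Read Device Identification response."""
    if not looks_like_modbus_tcp(payload):
        raise ValueError("not a Modbus/TCP frame")
    pdu = payload[7:]
    if len(pdu) >= 2 and pdu[0] == 0xAB:      # 0x80 | 0x2B: exception response
        raise ValueError(f"device returned exception code {pdu[1]:#x}")
    if len(pdu) < 7 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ValueError("not a Read Device Identification response")
    # pdu[2..5]: read-device-id code, conformity level, more-follows flag, next object id
    number_of_objects = pdu[6]
    objects, pos = {}, 7
    for _ in range(number_of_objects):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object list")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2 : pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        objects[OBJECT_NAMES.get(obj_id, obj_id)] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return objects


def find_modbus_services(observations) -> list:
    """Given (port, first bytes received) pairs, return the ports that really speak Modbus/TCP."""
    return sorted(port for port, data in observations if looks_like_modbus_tcp(data))


# Constructed reply from an imaginary PLC: MBAP (tid 1, pid 0, len 39, unit 1), then
# FC 0x2B / MEI 0x0E / read code 1 / conformity 1 / no more follows / next 0 / 3 objects.
SAMPLE_DEVICE_ID_RESPONSE = (
    bytes.fromhex("0001 0000 0027 01")
    + bytes.fromhex("2B 0E 01 01 00 00 03")
    + bytes([0x00, 13]) + b"ExampleVendor"
    + bytes([0x01, 8]) + b"PLC-1000"
    + bytes([0x02, 4]) + b"v1.2"
)
SAMPLE_HTTP_BANNER = b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"   # constructed, not Modbus

# Constructed observations: the same PLC answers on the standard port and on a 'hidden' one.
SAMPLE_OBSERVATIONS = [
    (502, SAMPLE_DEVICE_ID_RESPONSE),
    (8080, SAMPLE_HTTP_BANNER),
    (10502, SAMPLE_DEVICE_ID_RESPONSE),
]

if __name__ == "__main__":
    print(find_modbus_services(SAMPLE_OBSERVATIONS))              # [502, 10502]
    print(parse_device_identification(SAMPLE_DEVICE_ID_RESPONSE))
```

The length check is what keeps the fingerprint from matching random binary banners: a truncated or unrelated stream almost never has protocol id 0 and a length field that agrees with the bytes actually received. The defensive reading of the same code is the one achillean suggests: run it against your own egress ranges and treat any match on any port as a device that belongs behind a VPN, not on a different port.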
No. In North America, we have cybersecurity compliance auditing for large power plants and other bulk electrical system facilities done under the auspices of NERC.
You can notify a bunch of agencies in Spain, but AFAIK they have no way to enforce it. Just what I heard from a friend who works in netsec, not that I have any direct knowledge.
noir_lord|6 years ago
It’s the path of least resistance in action.
If you make it significantly more work to do something than not then people simply won’t do it.
As the visible difference between secure and insecure is invisible to management it slides.
As an industry we’ve failed all horribly at making secure the easy default option.
And that’s going to haunt all of us.
jacquesgt|6 years ago
Few of the incentives in that industry lead to good security. More details here: https://news.ycombinator.com/item?id=3260127
snowwindwaves|6 years ago
When asked, the customer does not want to pay any more for secure remote access.
nikomen|6 years ago
I wonder if there's room to use this software to provide direct feedback to the organizations and let them know without being prosecuted?
achillean|6 years ago
https://monitor.shodan.io
Shodan Monitor is to the Internet as Google Alerts is for the web. And the membership (one-time payment of $49 for a lifetime upgrade) lets you monitor up to 16 IPs.
Disclaimer: I'm the founder of Shodan.
runciblespoon|6 years ago
How about not connecting your ICSs directly to the Internet?
eigenvector|6 years ago
https://www.nerc.com/Pages/default.aspx
achillean|6 years ago
https://blog.shodan.io/taking-things-offline-is-hard/