All information products included in https://us-cert.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://www.us-cert.gov/tlp/.
The ICS-CERT has recently received several reports from multiple independent security researchers who have employed the SHODAN search enginea to discover Internet facing SCADA systems using potentially insecure mechanisms for authentication and authorization. The identified systems span several critical infrastructure sectors and vary in their deployment footprints. ICS-CERT is working with asset owners/operators, Information Sharing and Analysis Centers (ISACS), vendors, and integrators to notify users of those systems about their specific issues; however, due to an increase in reporting of these types of incidents, ICS-CERT is producing a more general alert regarding these issues.
In most cases, the affected control system interfaces were designed to provide remote access for monitoring system status and/or certain asset management features (i.e., configuration adjustments). The identified systems range from stand-alone workstation applications to larger wide area network (WAN) configurations connecting remote facilities to central monitoring systems. These systems have been found to be readily accessible from the Internet and with tools, such as SHODAN, the resources required to identify them has been greatly reduced.
In addition to the increased risk of account brute forcing from having these systems available on the Internet, some of the identify systems continue to use default user names and passwords and/or common vendor accounts for remote access into these systems. These default/common accounts can in many cases be easily found in online documentation and/or online default password repositories. Control System owners and operators are advised to audit their control systems—whether or not directly connected to the Internet—for the use of default administrator level user names and passwords.
The ICS-CERT has previously published Control Systems Analysis Report “CSAR-10-025-01 Analysis of Shodan – Computer Search Engine,” that discusses the importance of minimizing network exposure by ensuring that control system devices are not visible on the Internet. That CSAR is currently available only through the US‑CERT secure portal (Control Systems Center/Library/ICS-CERT/ICS-CERT Advisories and Reports/…).
ICS-CERT has previously published Control Systems Analysis Report “CSAR-10-114-01 - SSH Scanning” that discusses the brute forcing of control system secure shell (SSH) accounts. Many of the tactics, techniques, and procedures that can be used to brute force SSH account usernames and passwords, also applies to web-based human-machine interface (HMI) systems.
The ICS‑CERT has also published an Advisory “ICSA-10-228-01 - Vendor Admin Accounts Warning,” that discusses the importance of owner/operator awareness and control of administrator level accounts installed on control systems by third-party vendors.
- Placing all control systems assets behind firewalls, separated from the business network
- Deploying secure remote access methods such as Virtual Private Networks (VPNs) for remote access
- Removing, disabling, or renaming any default system accounts (where possible)
- Implementing account lockout policies to reduce the risk from brute forcing attempts
- Implementing policies requiring the use of strong passwords.b
- Monitoring the creation of administrator level accounts by third-party vendors (ICSA-10-228-01).
- a. SHODAN is a search engine for Internet facing devices. Its database contains devices identified by scanning the Internet for the ports typically associated with HTTP, FTP, SSH, and Telnet. Searches can be filtered by port, hostname, and/or country. Search results include information like HTTP server responses to GET requests; FTP and Telnet service banners and client/server messages exchanged during login attempts, and SSH banners (including server versions). Search engine can be found at: http://www.shodanhq.com.
- b. http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf.
For any questions related to this report, please contact the CISA at:
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.