Researchers warn of SCADA equipment discoverable via Google

Google searches find critical infrastructure equipment that could be remotely controlled over the Internet.

Elinor Mills, Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Jonathan Pollet (left), founder and principal consultant at Red Tiger Security, and Daniel Michaud-Soucy, Red Tiger Security systems engineer. Seth Rosenblatt/CNET

LAS VEGAS--The SCADA systems that run power plants and other critical infrastructure not only lack many of the security precautions that would keep hackers out; their operators sometimes practically advertise them on Google search, according to a demo today during a Black Hat conference workshop.

Saying he wouldn't click on any of the results, to avoid breaking the law by accessing a network without authorization, researcher Tom Parker typed in some search terms associated with a Programmable Logic Controller (PLC), an embedded computer used for automating electromechanical processes. Among the results was one referencing an "RTU pump status" for a Remote Terminal Unit, like those used in water treatment plants and pipelines, that appeared to be connected to the Internet. The result also included a password--"1234."

That's like putting up a billboard saying SCADA (Supervisory Control and Data Acquisition) system here and, oh by the way, here are the keys to the front door.

"You can do a Google search with your Web browser and start operating [circuit] breakers, potentially," Parker, chief technology officer at security consultancy FusionX, told CNET in a break during the workshop on "Building, Attacking And Defending SCADA Systems in the Age of Stuxnet."

Tom Parker, chief technology officer at FusionX, explaining in detail how SCADA systems are controlled. Seth Rosenblatt/CNET

Most SCADA protocols do not use encryption or authentication, and they don't have access control built into them or the device itself, said Jonathan Pollet, fellow presenter and founder of Red Tiger Security. This means that when a PLC has a Web server and is connected to the Internet, anyone who can discover the Internet Protocol address can send commands to the device and the commands will be performed, he said.

"You can make it do anything you want it to do," Pollet said. "If that RTU or PLC has large motors connected to it, pumping out water or chemicals, the equipment could be turned off. If it was a substation and the power recloser switches were closed, we could break it open and create an (electricity) outage for an entire area or city...The bottom line is you could cause physical damage to whatever is connected to that PLC."
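What "no authentication" means on the wire, as an added example that is not from the article or from the presenters: the page names no specific protocol, so Modbus/TCP (the most widely deployed SCADA protocol, carried on TCP port 502) is assumed here. The block builds the 12-byte request that switches a single output ("coil") on or off, decodes such frames, and runs a simple allow-list check over a few constructed packets, flagging any write command from a host that is not the plant's own operator station. The IP addresses, unit id and coil address are made up for the illustration; the byte layout is the protocol's.

```python
import struct

# Modbus function codes that change process state. Reads (codes 1-4) are just
# as unauthenticated, but a write is what turns a pump or breaker off.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


def build_write_single_coil(transaction_id, unit_id, coil_address, on):
    """Build a Modbus/TCP 'Write Single Coil' request (function code 5).

    The whole request is 12 bytes: a 7-byte MBAP header and a 5-byte PDU.
    There is no field for a username, key or signature anywhere in it;
    any host that can reach TCP/502 on the device can send this.
    """
    value = 0xFF00 if on else 0x0000                # protocol constants for ON / OFF
    pdu = struct.pack(">BHH", 5, coil_address, value)
    mbap = struct.pack(">HHHB",
                       transaction_id,             # echoed back by the device
                       0,                          # protocol id 0 = Modbus
                       len(pdu) + 1,               # bytes that follow: unit id + PDU
                       unit_id)
    return mbap + pdu


def parse_frame(frame):
    """Decode the MBAP header and function code from a raw Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("not a Modbus/TCP frame (protocol id %d)" % protocol_id)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function": frame[7],
        "data": frame[8:],
    }


def unauthorized_writes(packets, allowed_writers):
    """Return an alert for every write command sent by a host outside the allow-list.

    Because the protocol itself cannot tell an operator from an outsider,
    source address is the only thing a defender has to check.
    """
    alerts = []
    for src_ip, frame in packets:
        try:
            parsed = parse_frame(frame)
        except ValueError:
            continue                                # not Modbus or malformed; out of scope here
        name = WRITE_FUNCTIONS.get(parsed["function"])
        if name and src_ip not in allowed_writers:
            data = parsed["data"]
            address = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
            alerts.append({"src": src_ip, "function": name,
                           "unit": parsed["unit_id"], "address": address})
    return alerts


# Constructed sample traffic (not a real capture). Addresses are assumed.
HMI = "10.1.1.10"          # the plant's own operator station
OUTSIDER = "203.0.113.7"   # a host on the Internet (documentation address range)

SAMPLE_PACKETS = [
    (HMI, bytes.fromhex("000100000006010300000001")),        # read 1 holding register: harmless
    (HMI, build_write_single_coil(2, 1, 7, on=True)),        # operator sets coil 7: allowed
    (OUTSIDER, build_write_single_coil(3, 1, 7, on=False)),  # identical bytes from outside
]

if __name__ == "__main__":
    frame = build_write_single_coil(3, 1, 7, on=False)
    print("write-coil request:", frame.hex(), "(%d bytes, no credential field)" % len(frame))
    for alert in unauthorized_writes(SAMPLE_PACKETS, allowed_writers={HMI}):
        print("ALERT:", alert)
```

The two write frames in the sample differ only in transaction id and the on/off value; nothing in the packet distinguishes the operator from the outsider, which is why the check has to key on the source address and why a device that is reachable from the Internet at all is already lost.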

To know exactly what to search for on the Internet, the researchers bought a PLC with an embedded Web server that had an identifying string of characters associated with the hardware and then typed that information into Google, according to Pollet.

Pollet discovered on the Internet an ABB Transformer running an electricity substation in the United Kingdom earlier this year with no password required and notified the utility company. "You could see [circuit] breaker statuses, see the last time it was worked on, the status of the transformer," he said, doing a quick Google search for the device. "It's still on the Internet but now they prompt for a password," he said, finding the link.

"This shouldn't even be on the Internet. It's an active substation," he said. "This equipment should not be on the Internet."

While SCADA security has been an issue for decades, as legacy systems have been connected to the Internet and remote-access technologies have emerged, Pollet and Parker agreed that interest has spiked since last year with the emergence of Stuxnet, a worm that spreads via holes in Windows but specifically targets Siemens SCADA systems and uses other sophisticated methods. Experts theorize that Stuxnet was designed to sabotage Iran's nuclear development program.

It's likely that a nation-state was behind Stuxnet, and that it took several years and a full-time team to develop and control, according to Parker. Despite the fears sparked by Stuxnet--the first malware known to target SCADA systems--it could have done a lot more damage if it had been executed better, he said.

"There was a lot in the press about the sky is falling," he said. "The idea of this [workshop discussion] was to demonstrate the amount of effort that would have to go into that operation. There are so many moving parts...discrete separate systems [and other elements] to that type of attack, that it would be extremely challenging to pull off."

But Stuxnet has raised awareness in the general public and within companies running critical infrastructure systems and scared some of them enough to beef up their security. "Stuxnet created an interest in the community to learn more about vulnerabilities and SCADA systems," said Pollet. "We've seen direct impact in our customers being able to get funding to secure their SCADA systems."

While Stuxnet appears to have run its course and had minimal impact, SCADA systems are at risk from vulnerabilities and exploits in general, the U.S. ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) has warned.

Black Hat sessions begin tomorrow and run through Thursday. The event is followed by DefCon, which runs Friday through the weekend.
