A Dystopian ICS Reality
Imagine, if you will, a world where an immense number of Industrial Control Systems (ICS) are connected to the internet. Imagine that these systems are accessible to anyone, anywhere, anytime. A world where the schematics of the Programmable Logic Controllers (PLCs) that are crucial to the functioning of a nation’s most critical infrastructure can be downloaded and studied by any interested party. A place where the tools needed to connect to a PLC and cause havoc are not found in some immoral recess of the Dark Web; they are freely available on the World Wide Web. This is the current reality of our interconnected world.
PLCs, the ruggedised industrial computers used to control assembly lines, valves, doors, robotic devices, or any other automated function, can be found with remarkable ease on the internet. Many readers may be familiar with Shodan, a search engine that locates internet-connected devices. Shodan retrieves service banners, which can reveal a great deal of information about a device and the services running on its open ports. Although Shodan may be famous for its ability to locate internet-connected Industrial Control Systems, it is not the only method, and perhaps not even the preferred method for the nefarious actor. A simple Google search can also be used to locate internet-connected ICS maintenance and control portals.
What Has Google Got On You?
Google crawls the internet to find and index all of the information found on nearly every web site and page. Google also has a proprietary query language that can be used to extract that information beyond searching via keywords. Malicious actors can use this language to uncover a great deal of information about connected ICS. With a little foreknowledge of the devices used by a target and their manufacturers, a malicious actor can develop ‘Google Dorks’ to search for specific vendor device portals.
For example, let us assume an attacker is interested in the Siemens S7 series of PLC controllers. By using an ‘inurl’ Google dork to search for any page that includes ‘Portal.mwsl’ within the address (which Siemens S7 PLCs use as an online portal), the attacker can browse through a range of connected and vulnerable devices without having to provide an email address or pay a subscription to Shodan.
Using an appropriate Google dork search, an attacker can locate admin portals for Siemens S7 PLC controllers and determine their physical location from the provided IP address. To be clear, no login to the PLC needs to occur; yet the amount of information that can be gleaned about the device is alarming. The specific device type, the serial number, and firmware version are all freely available. The attacker can also discover the device’s MAC address, IP address, netmask, default router, and physical properties. All this information can be found on Google without any need to log into the device.
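An added example (not from the article) showing the defender's side of the exposure described above: scanning your own web-server access logs for search-engine crawlers that successfully fetched the Siemens Portal.mwsl page, which is exactly what makes a portal findable with an ‘inurl’ query. The log lines, the IP addresses and the `page=ident` query string are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines in Apache/nginx "combined" format (not
# taken from the page). Only the Portal.mwsl path comes from the article;
# the IPs are documentation ranges and the timestamps are invented.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2023:10:01:02 +0000] "GET /Portal/Portal.mwsl HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [12/Mar/2023:10:02:15 +0000] "GET /Portal/Portal.mwsl HTTP/1.1" 200 4811 "-" "Mozilla/5.0 (Windows NT 10.0; rv:110.0) Gecko/20100101 Firefox/110.0"
192.0.2.44 - - [12/Mar/2023:10:03:40 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
203.0.113.10 - - [12/Mar/2023:10:04:01 +0000] "GET /Portal/Portal.mwsl?page=ident HTTP/1.1" 200 3900 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# One regex for the combined log format: client IP, request line, status, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Substrings that identify the major search-engine crawlers in a User-Agent.
CRAWLER_RE = re.compile(r"googlebot|bingbot|yandexbot|baiduspider|duckduckbot", re.I)
# Portal.mwsl is the S7 web-portal page the article says Google indexes.
PORTAL_RE = re.compile(r"portal\.mwsl", re.I)


@dataclass(frozen=True)
class CrawlerHit:
    ip: str
    crawler: str
    path: str
    status: int


def find_crawler_hits(log_text: str) -> list[CrawlerHit]:
    """Return every successful fetch of a Portal.mwsl page by a search-engine crawler.

    A 2xx answer to a crawler means the portal is reachable from the internet
    and is about to be (or already is) searchable with an 'inurl' query.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        bot = CRAWLER_RE.search(m["ua"])
        if bot and PORTAL_RE.search(m["path"]) and m["status"].startswith("2"):
            hits.append(CrawlerHit(m["ip"], bot.group(0), m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in find_crawler_hits(SAMPLE_LOG):
        print(f"{hit.crawler} from {hit.ip} fetched {hit.path} ({hit.status})")
```

A single hit of this kind is the signal to act: the device belongs behind a VPN or firewall, not on a routable address, regardless of whether the portal requires a login.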
Obscurity Is No Security
Although such portal pages cannot be found by the average user with regular Google keyword searches, the reality is that far too many ICS still rely on a principle of ‘Security by Obscurity’. Security by obscurity refers to reliance on the secrecy of a security design or implementation as the main method of protecting a system or component. This has never been a sound approach, and in an age where information is freely available to the inquisitive and the malicious alike, it behoves us to recall the words of 19th-century locksmith Alfred Charles Hobbs, who reminds us that “rogues are very keen in their profession”.
When one understands just how easy it is to gather information about these incredibly sensitive devices that essentially run the modern world, it is unsurprising to learn that 90% of Australian organisations employing Operational Technologies (OT) and Industrial Internet of Things (IIoT) technologies have experienced some form of security incident impacting their industrial environments in the last 12 months. As Sapien Cyber recently reported, the number of attacks targeting Australian organisations has more than tripled over the past year, double the global trend for the same period. Of the organisations that reported experiencing an ICS security incident, 87% said that their industrial networks were impacted for between one and five days. Of these, 46% experienced an impact to a large number of devices across several locations, while 8% reported that the incident resulted in a complete shutdown.
More Need to Do More
Unsurprisingly, 96% of respondents expressed a need to invest more in their OT security. While 72% reported that they are in the process of completing security uplift projects, less than a third reported having completed such projects.
Larger organisations with more than 5,000 employees (and presumably greater resources) were more likely to have already completed such projects, whereas the majority of smaller companies reported that they were still working toward their security uplift goals. Most tellingly, the organisations that consulted external security specialists for assistance in deploying security strategies were less likely to have experienced an impactful security incident in the last 12 months.
Security by obscurity is still too often par for the course when it comes to ICS. Organisations need to realise just how vulnerable they are. Attackers don’t simply walk through the unlocked front door (or even the back door). They watch. They study. They learn all they can about your network, your devices, how they work, how they are connected, and ultimately, how they can be exploited. When thinking about how much information your organisation might be giving away to attackers, remember that “rogues are very keen in their profession”.