ControlTrends thanks Marc Petock, VP, Marketing, Lynxspring, Inc., for this eye-opening cyber security article about Project SHINE, which revealed that 2.2 million SCADA and BACnet devices were identified as being directly or indirectly exposed to hacking.
In review of Rashid’s article, Marc writes, “Project SHINE Reveals Magnitude of Internet-connected Critical Control Systems. We have witnessed that SCADA, building management and energy management systems can have security weaknesses, such as inadequate password protection, software that can be breached and various unmonitored/unprotected access points within the network.”
Excerpts from Fahmida Y. Rashid’s October 6th, 2014, Project SHINE article in securityweek.com:
Project SHINE was undertaken to determine the magnitude of SCADA/control systems’ devices that are exposed directly to the Internet. The results were astounding. Roughly 2.2 MILLION devices were identified as being exposed either directly or indirectly related to SCADA or control systems.
Researchers identified 182 manufacturers who were considered traditional SCADA and control system manufacturers, and built relevant search queries based on those names to find devices. That was a surprise, considering the team expected only a dozen or so manufacturers. In the end, the team sampled about 2.2 million devices during the course of the project.
The project didn’t end in January because the team found everything. “We didn’t see an end to this effort, so we decided to put a stake in the sand and say, ‘At this point we have enough data to report about this.’ This is a snapshot,” Radvanovsky told SecurityWeek.
Of the sampled devices, roughly a quarter of them, or 586,997 industrial systems—such as RTUs and PLCs—were manufactured by vendors such as Allied-Telesys, Niagara, DIGI International, Intoto, Siemens, Lantronix, Moxa, EnergyICT, and VXWorks. EnergyICT, Siemens, and Moxa were the most widely used.
Another 13,475 devices were HVAC and building automation systems from BACnet International, Bosch Automation, Honeywell, Lennox, and LG Electronics. Heatmiser and Honeywell accounted for most of the devices in the sample. Considering HVAC and automation systems as part of SHINE’s data set was important considering many attackers are using these systems as an indirect avenue of attack, Radvanovsky said. These systems let attackers come into the network and scan to find out what other systems are accessible. Consider what happened with Target, and with a number of healthcare organizations recently, he said.
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.