If you haven’t looked at Shodan maps, maybe you should. They give a stark visualization of just how exposed we are. The above image shows all of the Lantronix devices that are exposed. In the US alone there are 7,024 as of this morning (9/3/2015).
Generically speaking, gateways convert one protocol to another. In the BAS world, gateways typically convert serial communication such as RS232 and RS485 to IP; more specifically, BACnet serial to IP and Modbus serial to IP. (Lantronix is just one of several gateway manufacturers.)
Gateways have been handy when, for example, one building has 10 PDUs with Modbus (serial), 2 CRACs with Modbus (serial) and 2 with BACnet (serial), while another building has 4 PDUs with Modbus (serial) and 2 CRACs with BACnet (serial), and the supervisory network controller is located in another part of the campus. Rather than spending the money on a supervisory controller at each building, which could cost thousands of dollars, a gateway device can be had for hundreds of dollars.
Best practice for the scenario mentioned above is to address the gateways so that they are part of the private network, behind the firewall. If this is not an option, a VPN tunnel should be created between the supervisory controller and the two gateways. Either approach would keep these gateways from showing up on Shodan.
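One way to check an installation against that practice, as an added example that is not part of the original post: the script flags gateways that have a non-RFC 1918 address or an inbound allow rule from a non-private source on the protocol's default port (Modbus TCP 502, BACnet/IP UDP 47808). The inventory, the rule format and the gateway names are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Default service ports for the two BAS protocols discussed above.
PROTOCOL_PORTS = {"modbus": ("tcp", 502), "bacnet": ("udp", 47808)}

# Constructed inventory; names are hypothetical and 198.51.100.0/24 is a
# documentation range standing in for a publicly routable address.
GATEWAYS = [
    {"name": "bldg-a-pdu-gw", "ip": "10.20.1.15", "protocol": "modbus"},
    {"name": "bldg-a-crac-gw", "ip": "198.51.100.23", "protocol": "bacnet"},
    {"name": "bldg-b-pdu-gw", "ip": "192.168.40.8", "protocol": "modbus"},
]

# Constructed inbound allow rules: (source CIDR, destination IP, protocol, port).
INBOUND_ALLOW = [
    ("10.20.0.0/16", "10.20.1.15", "tcp", 502),  # supervisory subnet only
    ("0.0.0.0/0", "192.168.40.8", "tcp", 502),   # port forward open to any source
]


def is_rfc1918(network):
    """True if the whole network sits inside one of the RFC 1918 blocks."""
    return any(network.subnet_of(block) for block in RFC1918)


def audit(gateways, rules):
    """Return (gateway name, reason) for every gateway reachable from outside."""
    findings = []
    for gw in gateways:
        if not is_rfc1918(ipaddress.ip_network(gw["ip"])):
            findings.append((gw["name"], "public-address"))
            continue
        service = PROTOCOL_PORTS[gw["protocol"]]
        for src, dst, proto, port in rules:
            exposed = not is_rfc1918(ipaddress.ip_network(src))
            if dst == gw["ip"] and (proto, port) == service and exposed:
                findings.append((gw["name"], "open-inbound"))
                break
    return findings


if __name__ == "__main__":
    for name, reason in audit(GATEWAYS, INBOUND_ALLOW):
        print(f"{name}: {reason}")
```

The RFC 1918 blocks are listed explicitly because Python's `is_private` attribute also returns true for documentation and other special-purpose ranges.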
Even though gateways are not supervisory controllers, they can be used to manipulate the Modbus points and the BACnet points. There are free tools available that will let you scan and control the various points in either protocol. For example, the CRAC alarms could be disabled and the discharge set point raised high enough that servers could shut down due to high heat. Or the CRAC unit could be shut off, causing the same result.
Other devices that could be connected to gateways are generators, uninterruptible power supplies, automatic transfer switches, etc. All of these, if exposed, could be used to take a data center down.
A quick review of some of these and other protocols shows that the numbers are still high for exposed control devices.
Worldwide counts for commonly used protocols (as of 9/3/2015):
- SNMP – 207,906
- BACnet – 7,563
- Modbus – 2,337