Monday, 1 March 2021

Industrial Control System Hide-and-Seek


 

I spend a lot of time researching and reading about security.

I love the subject matter, and every once in a while I stumble across something that makes my eyes bug out.

I say to myself...

"Did I read that correctly? Did that actually happen?"

There is so much happening all the time in cyber security that it is hard to stay on top.  It's a constant game of catch-up.

So I got an idea.  A personal challenge.

I have been reading recently about infrastructure and IoT.  I think IoT is the future, and in the same breath it's critical that we secure these assets.

From my research I have learned the hard fact that CNI (critical national infrastructure) and ICS (industrial control systems) are woefully lacking in basic security.

The Challenge:

Within five minutes, how many types of industrial control systems can I locate online and either connect to directly or validate as reachable online?

So with some quick googling and shodan.io at my side I set my timer and got to the task.

Keep in mind this is all within 5 minutes.

And this is what I found:

- Electronic Billboards

- Gas Station Pump Controllers

- Automatic License Plate Readers

- Traffic Light Controllers

- Red Light Cameras

- Voting Machines (US)

- Telcos running Cisco lawful intercept wiretaps

- Prison Pay Phones

- Tesla Charging stations

- Maritime Satellites

- Refrigeration Units 

- Wind Turbine Farms

- Commercial Vehicle GPS Trackers

- X-ray Machines

- Industrial Automation

- Door/Lock Access Controllers

- Railroad management

Now, I have no plans to exploit these assets, but keep in mind that in only 5 minutes, with some googling and Shodan, I was able to find and validate multiple machines within these ICS types.

Now what if I actually had malicious intent? What if I had picked a target and spent significantly more time on the target?  What information could a person grab about the target organization?  How could someone move laterally from this target to some other unsuspecting asset?

Having connected devices is great, but proper security considerations need to be at the forefront.


Andrew Campbell








