Abstract:
We found that half a million ICS and SCADA devices are exposed in public databases, at risk of attack. About 20'000 are present in Switzerland and Italy alone. Switzerland is more exposed than Italy in proportion, with 2'742 exposed devices on a total of 884'607, compared to 17'074 of Italy on a total of 6'299'498.
All data gathered during our research is published for further study.
1 Introduction
Welcome to the first release of ScadaExposure, an observatory on international reachability of ICS and SCADA devices.
The 2013-11 release is focused on answering the following questions:
- Are ICS and SCADA devices correctly deployed and disconnected from public networks?
- How many devices are exposed in Switzerland?
- How many devices are exposed in Italy?
- How does Switzerland compare to Italy, and vice versa?
- What is the possible impact?
2 Research method
We used a set of 95 dorks (search queries) against generic search engines (like Google and Bing) and specialized ones (like Shodan, which focuses on indexing machines connected to the Internet). This represents the largest collection of search queries specialized in finding SCADA devices to date. We did not only collect them: we also refined the queries to get more solid results. For example, some dorks focused on authentication banners, but in this way one will always and only get authentication-protected devices, ignoring unauthenticated ones.
For each dork we performed several queries, dividing the results into three sets: Worldwide, to get the global presence of a particular device; CH, to limit the results to Switzerland; IT, to limit the results to Italy. Switzerland and Italy were chosen because they are two neighboring nations and thus well suited to a comparative analysis.
Having distinct sets for different nations allows statistical and proportional comparison. We will add more countries in the future.
Dorks were then categorized in a taxonomy of Producers (we call them Vendors), Products and Versions. A dork can be linked to a Vendor, Product or Version, or can be completely generic (like "PLC"). This allows us to obtain subtotals for every entity and to know the actual usage and exposure rate.
3 Analysis
It's known that ICS and SCADA systems are a link between the digital and physical world, so the consequences of a malfunction can be serious. It's also a fact that in complex systems even the failure of non-critical components can cause unplanned collateral damage.
The research is focused on demonstrating that such systems are not "air gapped" (deployed on a different, separated network) as many suggest; instead, such devices are often exposed to random attackers from the Internet. This means that devices thought to be completely isolated from external attackers must be re-engineered with modern threat models.
Using our set of dorks we discovered a total of 509'199 SCADA devices, categorized in 29 Vendors and 62 Products. Switzerland accounted for 2'742 ICS devices on a total of 884'607 devices connected to the Internet and indexed by our data sources. Italy accounted for 17'074 ICS devices on a total of 6'299'498 devices.
While Italy has 7 times as many indexed devices as Switzerland, we came to the conclusion that Switzerland has more exposed ICS devices in proportion. This means that the usage of SCADA elements is more pervasive and/or that their security is worse than in Italy. Speaking of absolute counts, Italy has 6.2 times more ICS devices than Switzerland, a number that is lower than 7.
Analysis between ICS/SCADA systems (Summary):
- 3.3% of world’s SCADA devices are in Italy;
- 0.5% of world’s SCADA devices are in Switzerland;
- Italian and Swiss SCADA devices together represent 3.9% of the global exposure.
Our data moreover allows a comparison of ICS devices in a country versus the global total.
Analysis between ICS/SCADA systems and non-SCADA systems (Summary):
- 0.27% of Italian exposed devices are SCADA;
- 0.31% of total Swiss exposed devices are SCADA;
- Switzerland is proportionally more exposed (+14.8%);
- In Italy every 400 devices scanned one is SCADA;
- In Switzerland every 330 devices scanned one is SCADA;
This means that by randomly scanning 10 IPs per second, statistically one can find one exposed SCADA system per minute.
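The taxonomy subtotals of Section 2 and the exposure ratios of Section 3, as an added Python example (not code from the ScadaExposure project): the headline counts are the ones reported above, the per-dork rows and the (vendor, product, version) keys are constructed for illustration.

```python
"""ScadaExposure-style aggregation: taxonomy subtotals plus exposure ratios."""
from collections import defaultdict

# Headline counts reported in the 2013-11 release (taken from the text above).
COUNTS = {
    "WORLD": {"ics": 509_199, "indexed": None},
    "CH": {"ics": 2_742, "indexed": 884_607},
    "IT": {"ics": 17_074, "indexed": 6_299_498},
}

# Constructed example of per-dork results after taxonomy labelling.
# Row: (dork, vendor, product, version, region, hits). Values are illustrative.
DORK_RESULTS = [
    ("inurl:/plc/ banner", "VendorA", "ProdX", None, "CH", 120),
    ("inurl:/plc/ banner", "VendorA", "ProdX", None, "IT", 800),
    ("title:ProdX v2", "VendorA", "ProdX", "2", "CH", 40),
    ("title:ProdY", "VendorB", "ProdY", None, "CH", 60),
    ("intitle:PLC", None, None, None, "CH", 300),  # generic dork, no entity
]

def subtotals(rows, level, region):
    """Sum hits per entity at one taxonomy level (vendor/product/version)
    for one region set. Generic dorks are skipped. Because dorks may
    overlap, these are upper bounds, not unique-host counts."""
    depth = {"vendor": 1, "product": 2, "version": 3}[level]
    out = defaultdict(int)
    for _dork, vendor, product, version, reg, hits in rows:
        key = (vendor, product, version)[:depth]
        if reg == region and None not in key:
            out[key] += hits
    return dict(out)

def exposure_metrics(country):
    """Share of world ICS, ICS rate among indexed hosts, and 'one in N'."""
    c, w = COUNTS[country], COUNTS["WORLD"]
    rate = c["ics"] / c["indexed"]
    return {
        "share_of_world_pct": 100 * c["ics"] / w["ics"],
        "ics_rate_pct": 100 * rate,
        "one_in": round(1 / rate),  # "every N devices scanned one is SCADA"
    }

def relative_exposure(a, b, rounded=False):
    """Percent by which a's ICS rate exceeds b's. With rounded=True the rates
    are first rounded to two decimals of a percent (0.31 vs 0.27 above)."""
    ra = exposure_metrics(a)["ics_rate_pct"]
    rb = exposure_metrics(b)["ics_rate_pct"]
    if rounded:
        ra, rb = round(ra, 2), round(rb, 2)
    return 100 * (ra / rb - 1)
```

Dividing the rounded rates 0.31/0.27 reproduces the +14.8% quoted above, while the raw counts give about +14.4%; the unrounded "one in N" values are 369 for Italy and 323 for Switzerland.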
4 Conclusion
Now it is time to answer the previously raised questions:
Are ICS and SCADA devices correctly deployed and disconnected from public networks?
On many occasions they are not.
How many devices are exposed in Switzerland?
Switzerland has 2’742 ICS devices exposed.
How many devices are exposed in Italy?
Italy has 17’074 ICS devices exposed.
How does Switzerland compare to Italy, and vice versa?
Switzerland has more exposure in proportion (+14.8%) compared to Italy, although Italy has many more exposed devices in absolute terms.
What is the possible impact?
In a perfect world none of the found systems should be accessible from untrusted networks. With more than half a million exposed devices, most of which belong to the 10 most common Products, the risk connected to widespread exploitation and 0-day attacks is high.
5 Known limitations
We did not connect to the found devices: it was not within the scope of the research, and we do not publish specific IP addresses of targets, since attackers already actively exploit such information. Publishing it would not add value to our research.
There is no assertion that systems are still reachable from the public Internet or vulnerable at all. They were indexed at some point by our data sources, and thus already exposed to the Internet. This alone represents a violation of the most common security best practices, especially when it comes to ICS devices. Only information that seemed accurate and truthful was included in our results.
Search queries used to identify devices are not perfect and may overlap, resulting in larger subtotals and totals than the unique IP count. This may change with future releases if more resources are found to implement the needed screening and filtering.
It's impossible to know what these systems are connected to, and thus it's impossible to know the actual Risk. That's why, to effectively assess Risk, Penetration Tests are used. They are real "simulations" of attacks, in the sense that targets are actually attacked but the test is executed in order to avoid deliberate damage. Again, no attack was performed against these devices.
The data sources we used do not spider every possible device, so they should be used as a statistical indication only. It can be easily understood that devices that appear in such databases have an increased chance of being attacked.
There are actually many more publicly accessible devices than the ones indexed by our data sources. We think that this compensates for the known limitations. Again, we were only looking for statistical evidence to reach educated conclusions.
6 Who and Why
All the research for this release has been performed by Francesco Ongaro and Gianluca Pericoli from ISGroup SRL, including building a platform that will serve for future studies and hopefully the creation of a more open ICS security community.
We started this research on request from Florian Imbach, a journalist of Sonntagszeitung, and decided to take it further because of the risk connected to insecure SCADA deployments, the little awareness of it, and the great gap to fill compared to the security of IT systems.
Our observatory represents a source people can refer to, citing actual numbers instead of vague feelings. There is no other public research comparable to ScadaExposure at the moment.
If you are a citizen you should demand secure systems. If you are a company you should invest in the security of your production equipment. If you are a producer you should re-evaluate your products from a security perspective. If you are a security company you should sponsor this project to improve the awareness and overall security of ICS systems and infrastructures.
If you just want to contact us just write to scadaexposure@isgroup.it.