Tool can Pinpoint Vulnerable ICSes

Wednesday, January 25, 2012 @ 02:01 PM gHale


Eireann Leverett, a computer science doctoral student at Cambridge University, developed a tool that matches information about industrial control systems connected to the Internet with information about known vulnerabilities.

What he can do with that tool, as he discussed last week at the S4 conference in Miami Beach, is prove how easy it is for an attacker to locate and target an industrial control system (ICS). Leverett used the SHODAN search engine, which allows users to find Internet-connected devices using simple search terms. He then matched that data to information from vulnerability databases to find known security holes and exploits that could hijack the systems.

RELATED STORIES
Symposium Releases Vulnerabilities
Wago, Wellintech Vulnerabilities
GE Hit by Vulnerability
Schneider: More Patches for Module Hole

Leverett found over 10,000 devices connected through a search of two years worth of data in the SHODAN database. He was not able to determine how many of the devices uncovered were actually working systems nor was he able to determine in all cases whether the systems were critical infrastructure systems installed at power plants and other significant facilities.

He did say, though, a few of the systems he investigated actually belonged to water facilities in Ireland and sewage facilities in California.

He also said 17 percent of the systems he found online asked him for authorization to connect, suggesting that administrators either weren’t aware their systems were online or failed to install secure gateways to keep out intruders.

To avoid obtaining unauthorized access to the systems, Leverett didn’t try to connect to the systems himself but passed the information to the Department of Homeland Security last September, which took on the task of notifying the owners of systems or their ISPs.

Leverett’s tool showed how easy it is for a dedicated attacker or just a recreational hacker to find vulnerable targets online to sabotage.

He told conference attendees he worked on the tool full time for three months and part time for an another three months, saying if “a student can put this together, surely a nation state can do it.”



Leave a Reply

You must be logged in to post a comment.