This project was a subset of Project SHINE (SHodan Intelligence Extraction), providing one example of what happens when a device is connected directly to the Internet. The results were stunning, although not unexpected.


Objective

The objective of the project was to prove and substantiate through a demonstration that directly connecting an industrial control system (ICS) device onto the Internet could have consequences. As such, the premise of this project was to:

  • Obtain current ICS equipment through public sources (for this project, eBay was used), and deploy this equipment as actual cyber assets controlling perceived critical infrastructure environments;
  • Ascertain any pertinent threat or attack vectors (such as tampering, data manipulation, etc.), as well as scope and magnitude of any attacks against the perceived critical infrastructure environments;
  • Record network access attempts, and analyze captured packets for any patterns, based on time of day, day of week, and methods used; and,
  • Report redacted findings for public awareness to governments and media outlets.
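The third objective above, recording access attempts and analyzing them by time of day, day of week, and method used, is illustrated here with an added example that is not part of the original project; the log format, the go-live timestamp, and the sample entries are all constructed assumptions:

```python
from collections import Counter
from datetime import datetime

# Constructed sample log (not data from the experiment); assumed format per line:
# "<ISO timestamp> <source IP> <method>"
SAMPLE_LOG = """\
2014-10-14T11:05:12 203.0.113.7 http-login
2014-10-14T11:41:03 203.0.113.7 http-login
2014-10-14T23:12:44 198.51.100.23 telnet
2014-10-15T02:30:09 198.51.100.23 telnet
2014-10-18T09:15:00 192.0.2.55 snmp-get
2014-10-18T09:15:30 192.0.2.55 snmp-get
2014-10-19T14:02:51 203.0.113.7 http-login
"""

# Assumed go-live time; the page gives only the date (14-Oct-2014, a Tuesday).
GO_LIVE = datetime(2014, 10, 14, 10, 0, 0)


def parse_log(text):
    """Turn raw log lines into (timestamp, source_ip, method) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method = line.split()
        events.append((datetime.fromisoformat(ts), ip, method))
    return events


def summarize(events, go_live):
    """Compute the metrics the report tabulates: totals, unique sources,
    time to first probe, and distributions by weekday, hour and method."""
    events = sorted(events)
    first_seen = events[0][0]
    return {
        "total_attempts": len(events),
        "unique_ips": len({ip for _, ip, _ in events}),
        "hours_to_first_probe": (first_seen - go_live).total_seconds() / 3600,
        "by_weekday": Counter(t.strftime("%A") for t, _, _ in events),
        "by_hour": Counter(t.hour for t, _, _ in events),
        "by_method": Counter(m for _, _, m in events),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG), GO_LIVE).items():
        print(key, value)
```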

ICS play a vital role in critical infrastructure. Today, business demand has led to the rapid deployment of modern networking technologies, which has accelerated the interconnectivity of these once remote and isolated devices. This new form of connectivity has empowered asset owners to maximize their business operations while reducing the costs associated with equipment monitoring, upgrades (or updates), and servicing (such as routine calibration maintenance), thus creating a new security paradigm for protecting control systems from being attacked, compromised, and finally infiltrated.

Device Specification / Configuration

The device used was manufactured by Siemens RuggedCom and was intentionally loaded with an outdated and highly vulnerable version of the device’s firmware.

The device was portrayed and configured as an access-point controlling a water pump to a wellhead for a local municipality’s water system.

The contact name was fictitious; any resemblance to any individual with a similar name is entirely coincidental. A screenshot of the redacted web interface is shown below:


Experiment Execution

The device was placed online 14-Oct-2014 (Tuesday), and taken out of service 27-Dec-2014 (Saturday). Once placed directly on the Internet, the device was monitored closely for any activity. In less than 2 hours, the device was actively probed.

Additionally, the device was intentionally loaded with a vulnerable version of the Rugged Operating System (ROS) that was susceptible to an authentication bypass, allowing a would-be attacker unadulterated administrative privileged access. This was a design-based threat intentionally coded by (formerly) RuggedCom. The feature in question would grant someone administrative privileged access via a client-based utility, provided free of charge, to reset the device passwords.

Conclusion

Based on the data examined, it appeared that the majority of the access attempts originated from IP addresses belonging to the country of China. The originating IP addresses may have been proxied in an effort to mask the originating IP address sources.

First observed attack (from logs):       < 2 hours
First observed on SHODAN:                ~ 2 days
Total number of access attempts:         140,430
Total number of unique IP addresses:     651

Given that this experiment was conducted for only 75 days (roughly 2.5 months), these figures demonstrate the intensity with which these probes were performed.