The US follow-up action came after a survey was carried out a security consultancy firm InfraCritical run by two individuals, Bob Radvanovsky and Jacob Brodsky. With the help of US Homeland Security department, InfraCritical, from a list of 500,000 devices, checked against 7,200 of these controlling critical infrastructure projects, saying they had no business being on the Internet. The survey said many had a simply online login interface where only a default password was necessary, making it easy target for hackers.
The survey was carried out by running a series of automated scripts run using a publicly available search engine, the Shodhan Search Engine. The latter was created for the purpose of finding servers, routers, network devices, among others, that are online. Users can filter searches to find specific equipment by manufacturer, function or by geography.
The 7,200 devices belonging to public projects in the US were part of the over 500,000 potential targets so identified. These, in computer parlance, are also called Scada (Supervisory Control and Data Acquisition) projects. That’s an industry term for the computers that run the machinery in power plants, water treatment centres, traffic controls and other utilities.
"The thing is we are trying to assign a number - a rough magnitude - to a problem plaguing the industry for some time now," said Radvanovsky in a blogpost.
According to online reports, Radvanovsky and Brodsky had emphasised that were not scanning for these devices; neither did they attempt to test the logins nor how accessible devices were. Most of them appeared to be for remote administration purposes.
This is not the first time that Scada projects have been under the scanner. In the past, other experts too have pointed out their vulnerability to attacks.
Brodsky said project related officers who do not want to physically go to the site to fix things put the devices on the Internet to resolve problems by going online. They have not thought of the potential consequences of their actions.
[Image Credits : ITP]