TLDR; We found several ICS systems in Belgium that were exposed to the internet without requiring any authentication. Screenshots below.
Update 19/12: We’ve also had some coverage in the media about this research. ‘De Standaard‘ did an article about it and so did ‘Datanews’ (in Dutch and in French).
Industrial Control Systems (ICS) is the general term for electronic control systems used in industrial production. The term encompasses everything from supervisory control and data acquisition (SCADA) to Programmable Logic Controllers (PLC) – often found in industrial and critical infrastructures.
These systems were once state-of-the-art controllers for heavy industry, but nowadays they are included in many HVAC (Heating, Ventilation and Air Conditioning), home automation and even industrial livestock feeding systems. These systems are installed in many corporations – big and small – but also at home.
ICS Security has been a big issue since Stuxnet. Stuxnet was one of the first – and very advanced – malware specifically targeting ICS appliances. Since then, we’ve seen a steady flow of ICS targeted malware, simple and advanced alike. One of the reasons ICS is being heavily targeted, is because of the criticality of the appliances that it controls, but also because most ICS systems have not been designed for security. To make matters worse, many ICS installations are poorly incorporated into existing networks. Today, still many ICS appliances are connected to the internet without any proper authentication. This means that actors with bad intentions could gain access to these critical systems with little to no effort.
Since NVISO is a Belgian company (and thus most of our clients are Belgian or have a Belgian office), we decided to take a quick peek into the security of Belgian ICS systems.
“How many of those systems would we be able to find in Belgium with little effort”, we thought…
In comes Shodan. Shodan is the first search engine for internet-connected devices. It allows you to easily search throughout the internet for specific appliances and protocols. We only used Shodan in throughout this research and have only used simple search syntax.
30 minutes later
Using our knowledge about ICS systems (some vendors, some protocols), we started investigating the Belgian internet-space. The results were worrisome. Within only 30 minutes, we managed to find at least 9 instances of Belgian ICS systems that were connected to the open internet, without requiring authentication. We found heating systems, ventilation systems, building control systems, delivery acceptance systems, home automation systems, camera systems and even an automatic feeding system of a farm.
Next to these ICS systems, we also found a big volume of Belgian Point-of-Sale (PoS) systems. Luckily, almost no Belgian PoS is equipped with a card reader – and thus no credit card details would be retrieved upon compromise – but there’s still a risk here concerning customer’s data. Next to that it could be used as an entry point into the corporate network. Probably not a good idea to have those directly connected to the internet.
All the ICS systems that we found using Shodan, used a VNC server for remote access. TCP/5900 was in open state and authentication was disabled. We have stopped seen these horrible things in corporate environments, but apparently they still exist in the ICS world…
If your ICS system needs to be remotely controlled, we would recommend to use a secure connection towards it (VPN, white listing IP’s, etc.) and enforcing a decent authentication (long and complex password/passphrase, no anonymous login). Since many ICS systems still don’t give you decent authentication out-of-the-box, make sure to put it behind a managed network and enforce decent authentication (and logging!), e.g. by using a jump server.
We will contact all identified companies with our findings and will offer them help with any potential remediation. In Belgium, this sort of ‘notification’ is still in a gray zone, legally speaking. Luckily, the Centre for Cybersecurity Belgium (CCB) is looking into proposing a ‘responsible disclosure’ law.
With this 30-minute research, we wanted to raise awareness about the criticality of ICS and other internet-attached systems and their lack of security. While companies are slowly but steadily investing more and more into information security, they often overlook ICS systems. Next to the end-user responsibility, we want to stress that a part of the responsibility is to be shared with the vendors and installation companies. We often see that they make no effort to secure these systems or offer no guidelines towards secure installation.
Disclaimer: We have removed all Personal Identifying Information from the screenshots below. We have not accessed any system; the screenshots were taken by Shodan. All screenshots listed below have been identified as originating from a system located in Belgium.
The interface of a Tolsma storage technology climate control system
The logon screen of a PoS system. While this system requires authentication, these versions of windows embedded often contain multiple vulnerabilities and should not be exposed unfiltered to the internet.
The interface of a building heater system.
The interface of a camera module for the Tolsma Storage Technology appliance.
Again, an interface of a building heater system.
The interface of an intercom system.
The interface of a home automation system.
The interface of a feeding machine for livestock.
The interface of a Tritone Automatic Feeding System.